Regulatory Outlook: Cyber Security
Current issues: February 2019
Unpredictable enforcement at the ICO
We continue to see an unpredictable approach being adopted by the Information Commissioner's Office (ICO) to data breaches reported to it post-GDPR. There is no doubt that the ICO has been over-burdened with data breach reports since 25 May 2018. We are aware of certain significant cases and investigations which have been dropped without sanction, and have also seen various ongoing investigations stemming from reported breaches enter a period of extended lull, in part perhaps attributable to capacity issues and the regulator's need to prioritise.
We suspect a more consistent approach will begin to take shape in the forthcoming six to 12 months as the ICO's recruitment drive starts to take effect and as it beds into the post-GDPR world, although no doubt Brexit-related planning will continue to take its toll on the ICO's internal resourcing for a while.
EU political agreement reached for EU Cybersecurity Act
On 10 December 2018, the European Parliament, Council and Commission reached political agreement on the proposed new EU Cybersecurity Act. The Act now needs to be formally approved and published in the EU Official Journal, following which it will enter into force.
Our previous summary of the key changes which will be introduced by the Act can be found here. In particular, the creation of a framework for European Cybersecurity Certificates will be of significant relevance and interest to many businesses operating in the EU.
GDPR group litigation risk
The GDPR provides that data subjects whose rights have been infringed are entitled to compensation for damage suffered. Further, data subjects may authorise third parties to exercise certain rights (including the right to compensation) on their behalf.
These rights, taken together, led to speculation that the UK would start to see a rise in group litigation following cyber security incidents. Whilst there has not been the sharp uplift predicted by some, we are aware of a growing number of law firms and other organisations attempting to put together claimant groups for the purpose of making claims in relation to well-publicised cyber incidents.
As the case law in this area develops, businesses that have been the victims of cyber security incidents will need to bear in mind the potential risk of follow-on claims (and, accordingly, ensure that, to the greatest extent possible, their incident response work mitigates those risks).
In Focus: No deal Brexit
What would be the impact of a no deal Brexit for UK businesses trading with the EU?
In the event of a cyber incident, UK businesses that trade with the EU will still need to comply with their regulatory obligations under the GDPR and, if applicable, the Network and Information Systems Regulations 2018.
At present, UK businesses (as well as international businesses with an establishment in the UK/EU) are able to take advantage of a 'one-stop-shop' regime. Under this regime, in the event of a cyber security incident which needs to be notified to regulatory authorities under the GDPR, they need to notify their 'lead' regulator only (for example, the ICO in the UK) and only that lead regulator should carry out investigations or issue fines.
In the event of a no deal Brexit, the UK will no longer be included in this one-stop-shop regime. Businesses domiciled only in the UK (without any EU establishments) will need (in the event of a cross-border breach) to notify the regulator in each relevant EU territory and the business may be subject to both an EU and UK fine. Businesses with establishments in both the UK and the EU will be able to rely on the one-stop-shop regime in the EU, but will still need to deal with the ICO in the UK, and may also, therefore, be subject to fines in both the EU and the UK.
What would be the impact of a no deal Brexit for non-UK businesses trading with the UK?
In the event of a cyber incident post-Brexit, non-UK businesses doing business in the UK will need to comply with UK data protection law (which will incorporate the GDPR).
Where the cyber incident is notifiable under the GDPR and impacts UK data subjects, non-UK businesses will (as discussed above) need to notify the ICO, and will no longer be able to rely on the 'one-stop-shop' mechanism under the GDPR, which may have allowed them to notify a different, and only one, EU regulator.
What should businesses be doing now to prepare for a no deal Brexit?
Most businesses, in order to comply with UK data protection law and GDPR requirements, will already have in place an incident response plan for dealing with data and cyber incidents. These incident plans should be updated to set out clearly which regulators would need to be contacted, post-Brexit, in the event of a notifiable cyber security incident.
Dates for the Diary
March 2019 | EU Cybersecurity Act – first reading vote in the EU Parliament scheduled. |