Cybersecurity threats are an ever-present challenge for businesses. What should organisations be doing to mitigate risk and to ensure that they comply with relevant legislation?
Cyber attacks are among the most significant threats of our age. A breach of an organisation’s network and information systems can have a very real impact on its economic activities, and on those of the wider market, resulting in financial loss and loss of data, which in turn can lead to reputational damage and harm to customer confidence. Cybersecurity breaches are a real threat to all organisations, irrespective of their size or the industry in which they operate, so measures to reduce this risk should be treated as a high priority and addressed at board level.
The law in this area is constantly changing. The main UK laws currently governing cybersecurity and privacy standards are:
- The Data Protection Act 2018 which implements the UK GDPR
- The Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations)
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
- The Product Security and Telecommunications Infrastructure Act 2022.
Additional laws also apply if an organisation is regulated by a competent authority, for example, financial services providers, telecoms operators and public companies.
Most of the UK’s laws in this area have their origins in European legislation. The EU, however, is bringing forward further cybersecurity rules which will not apply in the UK, although they may well affect some UK organisations. The EU is implementing the second Network and Information Systems Directive (“NIS2”) and the Digital Operational Resilience Act (“DORA”), in force from October 2024 and January 2025 respectively. These two measures are significant in that they widen the scope of the regime to cover multiple industries, increase the fines and incident reporting duties, and introduce personal liability for the management bodies of organisations that fail to comply.
It was announced in the King’s speech on 17 July 2024 that the UK Government plans to introduce a new Cybersecurity and Resilience Bill in the next Parliament. The proposed Bill looks as though it will follow the latest EU legislation in that it seeks to increase the scope of organisations and industries falling within its remit, introducing stricter reporting obligations and giving regulators stronger enforcement powers to ensure that cybersecurity measures are being implemented.
The wording of the Bill is yet to be published, but the initial indications given by Government are that it will seek to mirror the core principles of the EU’s NIS2, so that the UK is not left behind or seen as more vulnerable to cyber threats, especially once NIS2 has been fully implemented.
Current UK Requirements for Data Security
For the time being organisations operating in the UK need to ensure that they continue to comply with the current UK regime (as well as the new EU rules if these rules also impact their operations).
The key provisions in the UK GDPR regarding data security include:
- Personal data must be processed securely (including protection against unauthorised/unlawful processing, accidental loss, destruction or damage) using appropriate technical or organisational measures – Article 5(1)(f).
- Controller and processor contracts must be entered into alongside the ‘main’ commercial agreement where appropriate to the transaction – Article 28.
- Both controllers and processors must ensure a level of security appropriate to the risk, taking into account the costs of implementation and the context of the processing, and must comply with the obligations to report personal data breaches – Articles 32-34. Article 32 cites encryption as an example of an appropriate technical measure that an organisation can implement, depending on the type of processing it carries out and therefore the risk associated with its processing activities.
Encryption is relatively easy to implement and is relatively low cost, with a variety of solutions being offered by service providers. Any organisation using encryption to protect data should have a suitable encryption policy in place that governs how and when encryption is used. Any staff dealing with data and encrypted data should also be provided with adequate training, and any personal data stored or transmitted should be encrypted with an encryption product that meets current encryption standards. It is also worth noting that certain organisations may be subject to sector-specific requirements which will dictate the type of encryption that they use. Organisations should also be aware of the residual risks of encryption and have steps in place to address these risks.
There are broadly two types of encryption currently in use:
- Symmetric encryption: the same key is used for encryption and decryption of the data.
- Asymmetric encryption: different keys are used, a public key to encrypt and a corresponding private key to decrypt.
It is important to note that if symmetric encryption is being used, users must ensure that the key is transferred securely. Organisations using encryption should ensure that they choose the right algorithm, the right key size and the right software, and that they keep the key secure.
Whatever security precautions are adopted by an organisation (which may include encryption), it is important that management ensures that these are properly implemented. Many security breaches have been shown to happen due to organisations failing to implement relatively basic security precautions, for example:
- Failing to appropriately encrypt data or storing encryption keys on vulnerable systems.
- Using outdated software or failing to install security fixes.
- Retaining data for longer than necessary.
- Failing to carry out background checks and vetting on employees with access to data.
- Failing to securely destroy or dispose of data.
- Failing to train staff adequately.
- Using USBs improperly.
These are all avoidable pitfalls which organisations should seek to be proactive in preventing to reduce the risk of a data breach and the various issues arising from that.
Many of the data breach incidents reported to the Information Commissioner’s Office (ICO) could have been reduced in impact or avoided altogether had the data been encrypted. When assessing breach reports to decide what action to take, the ICO will look at whether appropriate data security steps, such as encryption, have been taken; failure to take them increases the risk of a harsher sanction than might otherwise have been imposed.
Organisations operating essential services, and certain digital service providers, are subject to additional cybersecurity and incident notification requirements under the NIS Regulations, including the duty to manage risks to the security of the network on which their essential service relies and to follow specific guidance issued by their competent authority.
Periodic reviews of security arrangements are imperative for most organisations. If you would like support with the legal aspects of this, including reviewing/updating policies and training, please contact our Commercial, IP & Technology team at [email protected]