As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPC Cyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.

RPC Cyber_ can be downloaded for free from the Apple Store or Google Play Store.

Information Commissioner Backs Cyber Security and Resilience Bill: Calls for Clear Secondary Legislation, Proactive Oversight and Adequate Resourcing

On 23 December 2025, the Information Commissioner issued his response to the Cyber Security and Resilience (Network and Information Systems) Bill, expressing broad support for the reforms to bolster the UK’s cyber defences. The Bill significantly broadens its remit beyond operators of essential services and relevant digital service providers to include relevant managed service providers and designated critical suppliers, reflecting the interconnected nature of modern digital supply chains.

For certain key areas of infrastructure, the Bill signals a shift from a reactive approach to a proactive, risk‑based oversight, backed by enhanced powers: wider information‑gathering, strengthened information‑sharing gateways with safeguards across regulators and government, new regulatory enforcement powers, and an expanded cost‑recovery framework to fund day‑to‑day supervision, inspections and enforcement.

At the same time, the Commissioner underscores that key operational details will be set through secondary legislation, including thresholds for what constitutes a “significant impact” for incident reporting, baseline security and resilience requirements, criteria and duties for “critical suppliers”, the application of penalties, and further enhancements to information‑gathering to support risk prioritisation.

Read more from the ICO here.

Data (Use and Access) Act 2025: key changes in force from 5 February 2026

Most of the privacy‑related provisions of the Data (Use and Access) Act 2025 (DUAA) are now in force, through the DUAA (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 (SI 2026/82). The bulk of the data protection and privacy reforms under Part 5 of the DUAA take effect from 5 February 2026, amending the UK GDPR and the Data Protection Act 2018.

The commencement regulations also contain important transitional provisions. Existing time limits for responding to data subject requests continue to apply where a controller received the request before section 76 DUAA came into force, and the pre‑existing penalty notice regime will continue to govern cases where the ICO issued a notice of intent before the new penalty provisions (section 101) commence. Organisations will need to factor these transitional rules into their handling of ongoing requests, complaints and investigations.

Section 103 DUAA 2025, together with Schedule 10, will introduce a new statutory requirement for controllers to establish and operate internal processes for handling privacy complaints from data subjects. Section 103 and Schedule 10 are scheduled to commence in June 2026.

With the main DUAA privacy provisions now in force, organisations subject to UK GDPR and the DPA 2018 should:

• review and update their data protection compliance frameworks (including lawful bases, transparency wording, data subject rights handling, automated decision‑making and international transfers);
• assess and, where necessary, enhance governance and record‑keeping to reflect the ICO’s strengthened information‑gathering and enforcement powers; and
• begin work on formalising privacy complaint‑handling processes ahead of the June 2026 commencement of section 103.

To access the statutory instrument bringing these provisions into force, click here and to read more about the commencement update by Practical Law click here.

ICO reprimands GP for sending 23 years of medical records to their insurer

The ICO has issued a reprimand to Staines Health Group, an NHS GP surgery, after it disclosed an excessive amount of a terminally ill patient’s medical history to their insurance company. The insurer had requested five years of records, via the patient, to support an insurance claim. However, the practice sent 23 years of medical records directly to the insurer. The patient believes the unnecessary disclosure of historic medical information contributed to a reduced pay‑out on their claim.

The ICO found that the incident stemmed from basic governance failures, including the absence of clear written procedures for handling insurance‑related information requests and a lack of regular refresher data protection training for staff. In response, the surgery completed a significant event report, introduced written guidance and sign‑off processes for insurance requests, updated staff training, and placed the responsible staff member under supervision following a warning.

The ICO is using the reprimand to remind organisations of the need for clear processes, quality assurance checks before sharing personal data externally, and up‑to‑date training when handling particularly sensitive health information.

Click here to read the ICO news.

Government Cyber Action Plan: central direction, accountability and skills to “Defend as One”

On 6 January 2026, the UK Government published its Government Cyber Action Plan, setting out a strong, centralised model to secure public services so they are “trustworthy and resilient”. Led by a newly formed Government Cyber Unit within DSIT and supported by the Government Cyber Coordination Centre (GC3) and NCSC, the plan prioritises four strategic objectives:

• better visibility of cyber and digital resilience risk;
• addressing severe and complex risks that cannot be managed by a single organisation;
• improving responsiveness to fast‑moving events;
• rapidly increasing government‑wide resilience.

A phased implementation runs to 2029, with near‑term deliverables including the Government Cyber Incident Response Plan, expanded detection and incident learning capabilities, a pipeline of shared services and support, and a new Government Cyber Profession to attract, upskill and retain talent.

For public bodies, the plan means clearer expectations, mandatory policies and standards, and greater central support, but also firmer assurance and reporting. Departments will be held to documented risk appetites, annual strategy reviews and regular exercising of incident response and restoration plans, with GC3 coordinating cross‑government response and operating a single incident repository to embed lessons learned.

For suppliers and managed service providers, security requirements will be embedded more consistently into contracts and regulators will pursue a “Defend as One” approach to threat detection, vulnerability management and information sharing. In practice, organisations should accelerate secure‑by‑design adoption, tackle legacy risks, prepare for post‑quantum cryptography, strengthen SOC/detection capabilities, and harden supplier oversight and contractual flow‑downs.

Access the Action Plan through gov.uk here.

Pro-Russia hacktivist activity continues to target UK organisations

The NCSC has issued fresh warnings that Russian-aligned hacktivist groups are continuing to target UK organisations, particularly local authorities and operators of critical national infrastructure, with disruptive denial of service (DoS) and distributed denial of service (DDoS) attacks. Groups such as NoName057(16), active since March 2022, are conducting ideologically motivated operations against entities in NATO states and other European countries perceived as hostile to Russian interests. Although these attacks are often technically simple, the NCSC notes that successful disruption can have significant operational impact by taking websites and online services offline, including those supporting operational technologies.

In response, the NCSC is urging all organisations to review and harden their DDoS defences. Recommended actions include:

• understanding where services are vulnerable to resource exhaustion (and which suppliers are responsible);
• ensuring upstream protections are in place with ISPs, DDoS mitigation providers and content delivery networks;
• building services so they can scale rapidly under load; and
• having clear, tested response plans that allow for graceful degradation while maintaining administrative access.

The NCSC also stresses the importance of regular testing and monitoring so organisations can detect and respond quickly when attacks begin. Access the NSCS's core DoS guidance and heightened cyber threat collection.

To read more from NCSC, click here.

As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPC Cyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.

RPC Cyber_ can be downloaded for free from the Apple Store or Google Play Store.

Cyber Security and Resilience Bill Introduced to UK Parliament: Strengthening the Digital Backbone

On 12 November 2025, the UK government introduced the Cyber Security and Resilience Bill to Parliament. The Bill aims to fortify national defences against cyberattacks by updating the Network and Information Systems Regulations 2018 so that they are more consistent with the European NIS2.

Key changes:

• Expanded scope to include medium and large IT service providers, data centres and their third-party suppliers;
• Increased security controls required when managing essential services and smart energy systems;
• Reporting obligations are stricter, in particular, notifiable incidents must be reported to the effected organisation's regulator and the National Cyber Security Centre within 24 hours, followed by a full report within 72 hours;
• Enhanced penalties introduced through higher and turnover-based maximums for serious breaches.

Regulated organisations will face stricter compliance obligations, increased reporting requirements, and greater scrutiny of supply chain security.  

The Cyber Security and Resilience Bill is expected to pass within the next year, but organisations should actively monitor its progress and prepare for compliance through early engagement.

Read more through the House of Commons Library here.

EU Digital Omnibus Package: A New Era for Data and AI Regulation

On 19 November, the European Commission published its Digital Omnibus Package ('the Package'), proposing updates to key legislation, including:

• GDPR
• ePrivacy Directive
• Data Governance Act, and
• AI Act.

The Package signals a shift in the EU’s approach to data and artificial intelligence regulation, by aiming to harmonise compliance standards, reduce administrative burdens, and support innovation in risk management and cyber resilience.

Notable proposed reforms include:

1. a narrowed definition of personal data, which clarifies that information is not personal data for an organisation if that organisation has no realistic way to identify the person to whom it relates;
2. streamlined data subject access request processes, with new powers to refuse or charge for excessive or non-genuine requests;
3. breach notification thresholds to data protection authorities (Article 33 GDPR) being raised to align with Article 34 GDPR, requiring notification only where incidents are likely to result in a 'high risk' to individuals; and
4. establishment of a single-entry notification system to centralise reporting obligations to regulators across multiple EU regulations, including the GDPR, NIS 2, DORA, CER and eIDAS.

For AI, the Package expands legitimate interest grounds as a legal basis under the GDPR where personal data processing is necessary for the controller's interest in the context of the development and operation of AI. It also proposes the introduction of regulatory sandboxes, aimed at enabling businesses to innovate under regulatory oversight.

Click here and here to read the proposals by the European Commission.

British Security Minister Proposes with National Security Exemptions to Ransomware Payment Ban

On 2 September, the UK Government proposed a ransomware payment ban for public sector and critical national infrastructure organisations, as well as obligations for other businesses to notify the Government of any intention to pay a ransom demand.  

However, British Security Minister Dan Jarvis has recently proposed a 'national security exemption' to the ban. The legislative proposal is still pending agreement across the Government, but Dan Jarvis has acknowledged that the ban may have series consequences for UK businesses, stating “that’s why we’re looking very carefully at national security exemptions, because we don’t want people to be facing an invidious choice between a hospital shutting down or going to jail.”

Click here to read more by Infosecurity Magazine.

The Post Office data breach

On 3 December, the ICO issued a reprimand to the Post Office following an “entirely preventable” data breach that disclosed personal information about 502 people involved in the Horizon IT scandal. The incident arose when an unredacted legal settlement document (containing names, home addresses and postmaster status) was mistakenly published on the Post Office’s corporate website for almost two months.

The ICO found the Post Office had failed to implement appropriate technical and organisational measures, highlighting the absence of documented policies and quality assurance for web publication and insufficient staff training, including no specific guidance on information sensitivity or publishing practices.

You can read the news on the ICO website here.

ICO right of access guidance: what it is, key principles and what it means for businesses

The ICO has recently published guidance on how organisations must handle data subject access requests (DSARs) under the UK GDPR and Data Protection Act 2018.

Key principles include: accountability in being able to justify decisions; reasonable and proportionate searches; and careful application of exemptions. The guidance explains when and how exemptions may apply. These include to protect the rights of others, legal professional privilege, management forecasting, negotiations with the requester or where disclosure would prejudice crime/taxation functions. The guidance also explains when a “neither confirm nor deny” response may be used. It sets out specific approaches for third‑party data, children’s requests and special categories of information in health, education and social work. It also covers handling information in emails and archives, deleted data, unstructured manual records held by public authorities, and enforcement risks.

The practical implications for businesses are an increased need to prepare and to standardise DSAR response capability. This includes: the establishment of policies on applying exemptions, third‑party redaction, and format/secure delivery; maintenance of logs and evidence of decisions; and ensuring information management (naming, retention and deletion) supports timely, accurate responses.

Read the detailed ICO guidance here.

The European Commission clarifies ‘important’ and ‘critical’ product categories under the Cyber Resilience Act

The European Commission has published an Implementing Regulation relating to the Cyber Resilience Act (CRA). The regulation provides a non-exhaustive list of products with digital elements whose core functionality matches the technical description of specific important or critical products.

Manufacturers of in-scope products must implement the CRA’s cybersecurity requirements proportionately, undertake a comprehensive cybersecurity risk assessment and evidence how requirements are implemented, tested and assured. Where a product’s core functionality meets an 'important' or 'critical' category, stricter conformity routes apply, including mandatory third‑party assessment or certification in some cases.

Click here to access the implementing regulation.

As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPC Cyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.

RPC Cyber_ can be downloaded for free from the Apple Store or Google Play Store.

UK government urges business leaders to prioritise cyber security amid rising threat

In a ministerial letter dated 13 October 2025, addressed to CEOs and Chairs across the country, senior ministers and security officials highlight that cyber incidents are "growing more intense, frequent, sophisticated".  The letter warns of the risks this poses to economic and national security and encourages organisations to strengthen their resilience by:

• embedding cyber security into board-level decision-making and adopting recognised frameworks such as the Cyber Governance Code of Practice;
• registering for the National Cyber Security Centre’s Early Warning service; and
• requiring Cyber Essentials certification within their supply chains.

The letter cites that over 90% of company boards now recognise cyber security as a critical priority. However, it is important to convert this awareness into practical action and these measures are intended to help companies address vulnerabilities and improve their ability to prevent, detect, and respond to cyber risks.

You can read more by clicking here for the Ministerial letter on the government website.

ENISA Threat Landscape 2025: Ransomware, Phishing, and AI Shape Europe’s Cyber Risk

The European Union Agency for Cybersecurity (ENISA) has released its annual Threat Landscape report which provides an overview of the evolving cyber risks facing organisations across Europe.

The report sets out that ransomware continues to be at the core of cyber intrusion activity. The report found that 96.3% of cybercrime activities targeting EU organisations included ransomware, with key target sectors being the manufacturing sector and digital infrastructure and services.  Attackers are increasingly professionalising their operations, employing double extortion tactics and targeting critical infrastructure sectors. Ransomware groups are not only seeking financial gain but also widespread operational disruption.

Phishing is identified as the primary method for initial compromise, accounting for 60% of observed cases.  The report also notes that attackers are increasingly leveraging phishing-as-a-service platforms. This allows less technically skilled actors to launch large-scale campaigns, which significantly raises the threat level. Furthermore, AI is being used to enhance the credibility and scale of campaigns. Phishing remains a persistent challenge due to its adaptability and effectiveness in bypassing organisational defences.

Overall, cyber risks are becoming more complex and interconnected, with ransomware, phishing, and AI-driven attacks at the forefront. Organisations are encouraged to remain vigilant and protect themselves from these persisting threats, for example, by taking a pro-active approach to assessing their operational and technical architecture, engaging in breach-readiness planning prior to a breach occurring and having cyber insurance in place to ensure they have access to a panel of specialist advisors, as well as support in meeting incident response costs, should they suffer a cyber incident.

Click here to read the report by ENISA.

ICO issues practical cyber security tips for small businesses

The ICO has published new guidance to help small businesses strengthen their cyber security and better protect personal data. With government figures estimating 7.7 million cyber crimes against UK businesses over the past year, the ICO has urged organisations to review their security measures to ensure they are fit for purpose. The guidance highlights a range of practical steps, such as regularly backing up data, using strong and unique passwords, enabling multi-factor authentication, and limiting access to sensitive information. Businesses are also advised to dispose of old data and IT equipment securely, install and update anti-virus software, and ensure Wi-Fi connections are secure, especially when working remotely or using public networks.

Staff training is recommended to help employees spot suspicious emails and phishing attempts and to encourage caution when sharing screens or sending bulk emails. Organisations are reminded to lock devices when unattended and to suspend system access for staff who leave or are absent for extended periods. Safely removing personal data that is no longer necessary also reduces the risk in the event of a cyber-attack or breach.

These measures can make a meaningful impact in protecting both organisations and their customers from the potential effects of cyber incidents.

You can read the ICO guidance here. 

Jaguar Land Rover: Government steps in with £1.5bn loan guarantee as supply chain reels

The fallout from the recent ransomware incident involving Jaguar Land Rover (JLR) continues to reverberate across the UK’s automotive sector. This has prompted intervention from the UK Government, who have announced a £1.5bn loan guarantee for JLR, aiming to safeguard thousands of jobs and support the supply chain.

The emergency measure will provide JLR with liquidity over the next five years. JLR, which employs 34,000 directly in the UK and supports around 120,000 jobs through its extensive supply chain, was forced to halt production after the ransomware incident took place in early September. The government is reportedly considering further measures, including the potential purchase of car components from struggling suppliers, to be sold back to JLR once production resumes.

It has been well reported that JLR did not have cyber insurance in place at the time of the attack.  JLR’s experience is likely to prompt renewed scrutiny of cyber risk management throughout the sector. Industry experts have noted that while cyber insurance uptake has increased across the FTSE 100, coverage remains patchy, with many firms weighing the cost against perceived risk. It is important for organisations to understand that cyber insurance can play an important part in providing financial and practical support in the event of a cyber incident.

As the automotive industry grapples with the ongoing consequences of the incident, the importance of robust cyber defences and effective risk transfer mechanisms has never been clearer. The UK Government’s intervention may offer a lifeline, but the episode serves as a stark warning of the cyber risks facing UK manufacturing.

Click here to read more on this article by the Financial Times.

Harrods shows incident response capability when it suffers second cyber incident in six months

Harrods has found itself in the midst of a serious cyber incident once again, with personal data belonging to approximately 430,000 shoppers being stolen as part of a breach suffered by an undisclosed third-party supplier. The attack, discovered late September, is not linked to the earlier Scattered Spider incident that targeted Harrods in May, nor to the recent Salesloft Drift, Salesforce breach affecting other retailers.

Harrods has emphasised that the breach impacted only a small proportion of its customer base, as most clients favour in-store shopping over online transactions. No account passwords or payment details were accessed. The retailer has informed all affected customers and notified the relevant authorities, including the National Cyber Security Centre and the Metropolitan Police Cyber Crime unit.

Whilst Harrods' appears to have responded well to the incident – through clear incident steps, prompt notification and defined follow-up actions, the fact that its customers are being placed at risk for a second time demonstrates the importance of not just maintaining good practice in respect of internal processes but also being alert to any suppliers' processes. Even if an organisation has adequate security standards in place to protect its systems from a direct cyber attack, they can still be affected by security issues elsewhere in the supply chain.

You can read more here through this article on computerweekly.

Surging demand for Generative AI insurance: Businesses seek protection as risks and adoption accelerate

A new report from Geneva Association, an international association which serves as a think tank for the global insurance industry, indicates that more than 90% of businesses worldwide are actively seeking insurance cover for risks associated with Generative AI (Gen AI).

As adoption of Gen AI accelerates, organisations recognise that traditional insurance policies may not sufficiently address the unique exposures created by AI, particularly as incidents involving defective outputs, biased recommendations or data breaches can have far-reaching consequences.

GenAI solutions are often sourced from third-party vendors. This reliance on third parties means that if an external AI product fails (whether through malfunction, inaccurate outputs, or operational disruption), the resulting losses are outside the control of an organisation, but may not be recoverable from the vendor, leaving the organisation potentially exposed. Traditional insurance policies may not fully cover all losses arising from Gen AI failure. With 71% of respondents to the Geneva Association report confirming they have already implemented Gen AI and two-thirds of businesses being willing to pay at least 10% higher premiums for such protections, this is an area of insurance that could potentially develop quickly.

By way of example, Hiscox have already updated their Tech PI wording to provide "explicit cover for those who use, build and advise on artificial intelligence", whilst AXA XL has created a Generative AI endorsement that can be added on to its cyber policies, which "extends cover for specific risks that businesses may encounter when building out their own Gen AI model". By proactively assessing exposures, securing appropriate insurance, and embedding strong governance, businesses can innovate more confidently.

You can read more in the Geneva Association’s report here through their press release.

Capita fined £14 Million over 2023 cyber-attack that exposed data of 6.6 Million people

Capita, a leading UK outsourcing provider, has been fined £14 million by the ICO after a cyber incident in March 2023, which resulted in the exposure of personal data belonging to 6.6 million individuals.  Although Capita’s systems raised a high-priority security alert within ten minutes, the company failed to quarantine the infected device for 58 hours—well beyond its target response time of one hour. The stolen data included financial records, criminal background checks, and special category data such as details of race, religion, sexual orientation and health status.

The ICO found that the company’s security operations centre was understaffed, its systems contained known vulnerabilities, and its cyber defences were not adequately tested. The fine was reduced from an initial £45 million after the company demonstrated improvements to its cyber security and cooperated with authorities, including the National Cyber Security Centre, and offered support to affected individuals.

Cyber security experts have emphasised the dangers of delayed responses to such incidents, with a call for greater investment in detection, containment, and recovery capabilities. The regulator’s message is clear: every organisation, regardless of size, should take decisive action to safeguard personal data and respond swiftly to cyber threats.

You can read more here through this ICO statement.

As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPCCyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.

RPCCyber_ can be downloaded for free from the Apple Store or Google Play Store.

Judgment Alert: Farley & Ors v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117 (22 August 2025)

On 22 August 2025, the Court of Appeal handed down judgment in the case of Michael Farley v Paymaster (1836) Limited trading as Equiniti [2025] EWCA Civ 1117.

This is a potentially significant case for data subject litigation claims. It challenges existing case law regarding the need for claimants to demonstrate that a minimum threshold of seriousness has been met to claim compensation for breaches of the UK GDPR, and provides guidance on what constitutes “non-material damage” under Art 82, UK GDPR.

The administrator of the Sussex Police pension scheme sent annual benefit statements containing personal data to over 750 out-of-date residential addresses. As a result, claimants reported experiencing "anxiety, alarm, distress, and embarrassment", fearing their personal information may have been accessed by unknown third parties. The affected individuals sought compensation.

The Court of Appeal concluded that there is no minimum threshold of seriousness for a successful data subject claim under the UK GDPR. Allegations of “were not essential for such claims either. Loss recoverable in data subject claims “includes” but is not limited to distress and a successful claim can be made in respect of “annoyance or irritation caused by fear of third-party misuse”.

The Court of Appeal did clarify that losses based on distress or irritation would need to be “well-founded” and based on more than a “purely hypothetical risk”. However, overall, the judgment is beneficial for data subject claimants and provides some potential ammunition for claimants in data subject litigation.

Click here to read the judgment.

Jaguar Land Rover's cyber-attack: Automative supply chain to a halt 

As widely reported, Jaguar Land Rover (JLR), one of the UK’s largest automotive manufacturers, has recently been affected by a significant cyber incident. This has forced the company to suspend operations across multiple British factories for nearly three weeks. The incident, first discovered on 1 September, prompted JLR to deliberately shut down its IT systems to contain the breach.

The prolonged incident has caused severe economic repercussions across the supply chain. JLR is reportedly losing up to £50 million per week due to suspended production. Hundreds of suppliers, many operating under “just-in-time” manufacturing principles, have faced immediate disruption. Some companies have reconfigured production with reports of reduced or zero pay for workers while others have begun redundancies. The interconnected nature of the automotive sector means that a severe incident can destabilise the entire supply network, with smaller businesses and their workforces facing immediate threats. The scale of disruption has prompted calls for the UK Government's intervention, including furlough support for affected workers.

This incident has highlighted the financial toll on businesses targeted by a cyber-attack and their partners. The fragility and vulnerability of the automotive supply chains during this incident calls will inevitably be the subject of further consideration as the fallout from the incident continues. In addition, experts warn that such attacks could become more frequent and severe, especially amid global tensions. Government and industry collaboration is therefore important to tackle escalating threats of cyber-attacks.

You can read more here from Wired.

Innovation at speed: Are businesses still addressing Cyber Risks?

According to Unisys' report published last month, organisations are accelerating their adoption of Cloud-based and AI tools, with 78% planning to increase AI investment in the coming years. However, the report found that business leaders did not appear to be investing in cyber security measures at the same rate.

Despite the surge in new technologies, 85% of organisations admit their cyber strategies are “too reactive”, leaving them exposed to well-known threats. Many organisations are prioritising investment in new technologies such as AI over strengthening defences against established cyber threats, as well as emerging risks.

Unisys reports a disconnect in the assessment of risks and investment priorities within companies. 63% of the executives who responded to the study believe security protocols hinder data analysis, compared to 35% of IT leaders. Similar conclusions were drawn in respect of Cloud services as 68% of business executives see cloud security as an impediment to innovation versus 37% of IT leaders.

This divergence has a potential impact on the adoption of security measures.  For example, Unisys observed identity-based attacks being a major concern for IT professionals. However, fewer than half of organisations had prioritised identity-verification technologies as a security mechanism.

You can read more about Unisys' report here and here.

ICO launches consultation on UK GDPR recognised legitimate interest guidance

On 21 August 2025, the Information Commissioner's Office (ICO) launched a consultation on its draft guidance regarding "recognised legitimate interests" as a new lawful basis for processing personal data under The Data (Use and Access) Act 2025 (DUA).

A "recognised legitimate interests" is a specified purpose for handling personal data that is in the public interest, separate from the existing "legitimate interests" lawful basis set out in the UK GDPR. Under this new lawful basis, the processing must meet one of five pre-approved purposes that are the public interest:

• Disclosure to a controller that requires the personal data to carry out a public interest task or to exercise its official authority where the controller has requested that data
• Safeguarding national security, protecting public security and defence purposes
• Responding to an emergency defined in the Civil Contingencies Act 2004
• Detecting, investigating or preventing crime, or apprehending or prosecuting offenders
• Safeguarding vulnerable individuals

The ICO's guidance on "recognised legitimate interest" aims to inform and support large organisations and data protection officers in the application of amendments made by DUA by providing details on this new legal basis for processing, including the benefits of using it and how it differs from the existing "legitimate interests" lawful basis.  Its introduction will require organisations to review and update their data governance frameworks to the extent that they intend to rely on the new basis.

The ICO invites feedback to help finalise guidance and address queries through the consultation open until 30 October 2025.

You can access the survey here and the draft guidance here.

Cyber insurance tipped as commercial brokers’ biggest opportunity

Cyber insurance has emerged as the commercial insurance product with the greatest growth potential, according to a recent UK broker survey, securing 53.6% of the votes. Market reports indicate that cyber insurance premiums rose by approximately 68% in 2023, reflecting increased demand and evolving risks.

The frequency and severity of cyber incidents are driving demand, with the UK Government’s Cyber Security Breaches Survey 2023 reporting that 32% of businesses experienced a cyber breach or attack in the past year, with average costs exceeding £15,000 for medium and large firms. Brokers are expanding their cyber insurance offerings, and 75% identified cyber insurance as their biggest portfolio growth opportunity in 2024. 

These trends highlight the importance of proactive cyber risk management and specialist insurance advice. As the market matures, brokers are increasingly called upon to interpret complex policy wordings and exclusions. Meanwhile legal advisers play a crucial role in supporting regulatory compliance and incident response. Collaboration between brokers, insurers, and legal professionals will be essential to ensure clients are equipped to manage cyber risks and benefit from comprehensive insurance protection.

Click here to read more about cyber insurance market trends.

Ransomware Group Exploits Hybrid Cloud Gaps, Gains Full Azure Control in Enterprise Attacks 

Recent reporting by SecurityWeek details how sophisticated ransomware groups are targeting hybrid cloud environments, exploiting gaps between on-premises infrastructure and cloud platforms, such as Microsoft Azure. Attackers are leveraging compromised credentials, misconfigured identity management systems, and insufficient network segmentation to escalate privileges and gain full administrative control over Azure tenants. Once inside, threat actors can deploy ransomware, exfiltrate sensitive data, and disrupt critical business operations across both cloud and on-premises resources.

The risks associated with these attacks are significant for organisations relying on hybrid cloud models. Beyond immediate operational disruption and financial loss, compromised Azure environments can expose confidential client information, intellectual property, and regulated data to unauthorised access. The complexity of hybrid architectures can make it challenging to detect lateral movement and respond swiftly, increasing the likelihood of prolonged exposure and greater impact.

From a legal and regulatory perspective, such incidents may trigger mandatory breach notification requirements under the UK GDPR and other data protection regimes if personal data is affected. Organisations must also consider contractual obligations to clients and third parties.

Click here to read the full SecurityWeek article.

As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPCCyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.

RPCCyber_ can be downloaded for free from the Apple Store or Google Play Store.

Data (Use and Access) Act 2025 comes into force

The much-anticipated Data (Use and Access) Act 2025 (the Act) received Royal Assent on 19 June 2025. The Act is broad, and it includes provisions to enable the growth of digital verification services, new Smart Data schemes like Open Banking and a new National Underground Asset Register. Designed to streamline compliance and support innovation, the Act updates core provisions of the UK GDPR, Data Protection Act 2018, and PECR.

The Act's main provisions relate to:

• Automated Decision-Making
• Subject Access Requests
• Children’s Data Protection
• Scientific Research and Broad Consent
• Recognised Legitimate Interests
• International Data Transfers
• Internal Complaint Handling
• Cookies and PECR Enforcement
• Law Enforcement and Intelligence Processing

One of the Act's most notable changes is to rules around automated decision-making (ADM) about individuals which produce legal or similarly significant effects. The previous restrictions on solely automated decisions under Article 22, UK GDPR has been updated. Under the new rules, these decisions are permitted in some circumstances, provided that appropriate safeguards are in place.

The Act has also made significant changes to the legitimate interests basis for processing personal data, implementing a new lawful basis for data processing where it is necessary and connected to a "recognised legitimate interest". Such interests include defence, emergency response, crime and security. This makes it easier for organisations to make a case that data has been processed based on a legitimate interest ground.

You can read Government's summary of the changes to UK’s data protection and privacy legislation in the Data (Use and Access) Act 2025 here.

AI risks leaving UK businesses exposed to liability

In a recent interview by Law 360, Richard Breavington – partner in the Cyber and Data Privacy team at RPC – commented on the legal risks potentially faced by businesses when implementing and relying upon AI agents.  Speaking about the risk of liability for losses caused to clients as a result of malfunctioning AI-based agents provided by third parties, Richard was quoted as saying:

"You've got this position where, actually, it's not your fault, necessarily, you're relying on a bit of new software that's cutting edge… But, if there's a problem, you're going to end up with liability and…unable to completely recoup that liability."

In addition to commenting on the potential for recovering from AI agent providers in respect of liability to third parties, the article also considers some of the potential challenges around insuring those liabilities under traditional lines of insurance.

The net result of these considerations is that businesses could face potential liabilities that are both difficult to recover in full from the party responsible and also not straightforward to insure.  "I don't think this is something that has been fully recognised" is the concluding quote.

Click here to read the article on Law 360.

US Cyber premiums drop

For the first time since records began in 2015, U.S. cyber insurance premiums declined in 2024. According to Insurance Business America, direct written premiums dropped by 2.3% in 2024, falling just below $7.1 billion. This marks a significant moment in the evolution of the cyber insurance sector, indicating the market is entering a new, more mature phase. Importantly, the decline in premium volume does not reflect a diminished demand for cyber coverage.

This mirrors the trends seen in the UK, particularly in relation to premiums for larger companies. Having experienced a significant spike in premiums in 2020, they are now frequently seeing rates remain the same or reduced at renewal. In fact, in the first quarter of 2025, prices dropped 7% on primary layer insurance in the UK, which makes taking out cover more accessible for small and medium sized businesses.

However, as recent attacks in retail demonstrate, decreased premiums are not a sign of a reducing demand or necessity for cyber insurance. Data suggests that ransomware claims were up by one-third in the first quarter of 2025 compared to the fourth quarter of 2024. Moreover, organisations of all sizes can be vulnerable to ransomware and social engineering attacks, so it is as important as ever to hedge appropriately against these risks by investigating the need for cyber insurance. Or, if already in place, considering the scope of coverage that their policy offers.

You can read more from Insurance Business here and from Marsh here.

Judgment Alert: Raine v JD Wetherspoon Plc [2025] EWHC 1593 (KB)

The High Court has recently clarified legal principles surrounding the misuse of private information, breach of confidence and data protection.

The case arose from an incident in which the Claimant, a former employee of JD Wetherspoon Plc (Wetherspoon), was targeted by her abusive ex-partner. Posing as a police officer, he successfully obtained the Claimant’s mother’s mobile phone number from pub staff, who disclosed the information in breach of the company’s own confidentiality policies. The number had been stored in a locked personnel file marked "Strictly Private and Confidential". This deception led to further harassment, exacerbating the Claimant’s pre-existing psychological conditions.

Bright J rejected Wetherspoon's argument that the Claimant's mother's mobile phone number did not constitute the Claimant's information or that she had no reasonable expectation of privacy in it. The judge dismissed JD Wetherspoon’s appeals in full, upholding the initial rulings for the Claimant's arguments of misuse of private information and breach of confidence. The High Court also found that the previous judge was wrong to reject the Claimant's Data Protection Act 2018 (DPA 2018) and UK General Data Protection Regulation (UK GDPR) claims. The court held that disclosure of information can constitute "processing" even if the disclosure is oral.

The Court upheld £4,500 in damages and a full recovery of the claimant's legal success fee for the exacerbation of the Claimant's existing psychological conditions.

Click here to read the judgment.

UK Government Responds to New Measures to Target Ransomware Attacks

The UK Government has released its response to the contributions received during its public consultation on its proposed ransomware legislation.

There were three proposals on which the Government requested insight:

(i) a ban on ransomware payments for all public sector bodies and operators of critical national infrastructure;

(ii) a ransomware payment prevention regime; and

(iii) a mandatory incident reporting regime.

There was widespread support for both the targeted ransomware ban, and the mandatory incident reporting regime with the two proposals garnering approval from almost 72% and 63% of participants respectively.

Despite the strong support for both proposals, commentators had concerns over about the scope and implementation of these proposals. Respondents emphasised that the success of these proposals would turn on the availability of sector-specific accessible guidance to support implementation and to reduce the administrative burden on SMEs. They also requested clarity over the inclusion of supply chains within the targeted ban and the inclusion of individuals within the reporting regime.

In contrast, the wider ransomware payment prevent regime received a mixed response with only 47% of respondents in favour.

The primary concern was that it would redirect and concentrate ransomware attacks to those outside of the regime, rather than reducing the number of attacks. There was also doubt about the Government's claims that the regime would enable law enforcement to intervene and investigate ransomware threats.

The Government has confirmed that it will continue to work with industry to refine its proposals and resolve concerns over the proposals' scope and implementation.

You can read the Government's consultation outcome here.

If there are any issues on which you'd like more information (or if you have any questions or feedback), please do let us know or get in touch with your usual contact at RPC.

Key developments 

ICO's new AI and biometrics strategy

On 5 June 2025, the UK Information Commissioner’s Office (ICO) published its updated AI and Biometrics Strategy, including its regulatory priorities for 2025–26. Entitled “Preventing harm, promoting trust”, the strategy aims to foster responsible innovation by clarifying how AI and biometric technologies—including automated decision-making (ADM) systems, facial recognition, and AI foundation models—can be deployed lawfully and transparently, while addressing public concerns around fairness and accountability.

In the strategy, the ICO identifies three cross-cutting areas of regulatory concern:

• Transparency and explainability: Individuals must be informed when AI is used and how it affects them. However, across ADM, facial recognition, and generative AI, research shows that opacity remains a significant issue, undermining public trust.
• Bias and discrimination: The ICO is particularly concerned about the risk of structural bias being replicated or amplified through unrepresentative training data. This risk is especially acute in unproven AI systems such as emotion recognition tools used in recruitment.
• Rights and redress: Individuals must have accessible mechanisms to challenge and rectify decisions made by AI systems, particularly where such decisions result in significant harm. Accuracy, appropriate safeguards, and effective redress mechanisms are essential to maintaining public confidence.

The ICO’s plan of action for 2025–26 reflects this ambition. It will update its existing guidance on ADM and profiling, and commence the development of a statutory Code of Practice on AI and ADM to support compliance with data protection principles. This guidance will also need to take into account recent changes introduced by the new Data (Use and Access) Act that allow for ADM in a wider range of situations if appropriate safeguards are in place. The ICO also intends to enhance oversight in high-risk sectors, including the use of ADM in recruitment processes. It will examine how developers of AI foundation models address privacy and safety concerns during training. Looking ahead, the ICO will take a proactive approach to emerging AI risks, including assessing the data protection implications of agentic AI and setting a high threshold for the lawful use of AI systems that infer subjective traits, intentions, or emotions.

(ICO AI and Biometrics Strategy)

Enforcement Actions

German privacy regulator imposes major fines (EUR 45 million) on Vodafone

In June 2025, Vodafone’s German subsidiary, Vodafone GmbH, faced fines that sum up to EUR 45 million by the German Federal Privacy Regulator due to infringements of privacy law (GDPR). Some headlines even referred to it as the “highest fine ever imposed in Germany” which is not fully accurate as it comprises two independent actions of 1.) EUR 15 million and 2.) EUR 30 million, thus each still falling short of the EUR 35 million fine imposed on Swedish retailer H&M in 2020. Nevertheless, it shows again that even large organisations with a major budget for privacy compliance and long-established processes need to continuously review and evaluate their compliance efforts in particular with regard to supply chain management and technical interfaces.

The Ruling and Imposed Fines

 The actual actions against Vodafone are due to incidents involving fraudulent activities by employees in independent partner agencies. These employees brokered contracts with customers on behalf of Vodafone, leading to fictitious contracts or unauthorised contract changes, causing financial harm to customers. Additionally, Vodafone exhibited security deficiencies in the authentication process for its online portal 'MeinVodafone' and the Vodafone Hotline, which exposed eSIM profiles to unauthorised third parties.

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI), Prof. Dr. Louisa Specht-Riemenschneider, imposed two fines totaling EUR 45 million on Vodafone GmbH:

• EUR 15 million: For failing to adequately review and monitor partner agencies, violating Article 28(1) sentence 1 of the GDPR.
• EUR 30 million: For security deficiencies in the authentication process, violating Article 32(1) of the GDPR.

Additionally, the BfDI issued a warning to Vodafone regarding vulnerabilities in certain distribution systems.

What are the reasons for the BfDI's Decisions?

The BfDI's decisions were driven by serious concerns about data protection and security lapses within Vodafone. The regulator identified that Vodafone did not sufficiently oversee its supply chain, namely the independent partner agencies, leading to fraudulent activities. Moreover, the shortcomings in the authentication processes posed significant risks, allowing unauthorised access to sensitive eSIM profiles.

Vodafone's Reaction to the Decisions

Vodafone has responded proactively to the BfDI's decisions by improving and, in some cases, completely replacing its processes and systems to eliminate future risks. The company has revised its procedures for selecting and auditing partner agencies and terminated relationships with fraudulent partners. Additionally, Vodafone has donated several million euros to organisations promoting data protection, media competence, digital literacy, and combating cyberbullying.

The BfDI in its press release explicitly acknowledged Vodafone’s efforts to cooperate with the regulator and to mitigate the risks it created for the customers. The regulator made it quite clear that the fines could have been substantially higher if Vodafone had been less cooperative.

What others can learn from the Vodafone decisions

 While Vodafone accepted the fines, other companies should learn from it in order to avoid similar financial and reputational damage:

• Companies should prioritise investments in modernising and consolidating IT systems to avoid security incidents and potential sanctions. The risk that an issue can create for the rights of the data subject determines the required level of protective measures and not the cost of the measures.
• Adequate oversight of the supply chain / data processors is crucial for actual compliance. Regulators as well as courts expect not only formal papertrail audits but documentation of actual checks and active oversight up to the weakest link in the chain of data processors.
• Proactive cooperation and transparency towards regulatory bodies can mitigate penalties.

Contributed by Matthias Orthwein, SKW Schwarz Rechtsanwaelte, Munich (Germany)

23andMe fined £2.31 million for failing to protect users' genetic data

 On 17 June 2025, the Information Commissioner's Office (ICO) announced a £2.31 million fine against genetic testing company 23andMe for failing to implement adequate security measures to protect the personal data of over 155,000 UK users following a major cyber attack in 2023. The ICO carried out their investigation alongside the Canadian data protection regulator.

The 2023 attack which exploited users' login credentials resulted in hackers accessing UK users' personal data, including names, addresses, family histories and other healthcare information. The ICO investigation found 23andMe to be in breach of UK data protection laws having failed to take the necessary basic steps to protect user data. The company had not implemented any multi-factor authentication or password protocols, their security systems were weak and unable to detect or manage cyber threats, and they had not proactively responded to obvious warning signs.

The ICO also found 23andMe's response to the breach to be inadequate. The cyber attack began in April 2023 but the company had failed to detect the breach and had then dismissed a report of data theft as a hoax. 23andMe had only launched a substantive investigation in October 2023.

The ICO received 12 consumer complaints to the ICO expressing concerns over personal data being exploited by malicious actors. In its report, the ICO recommends steps businesses should take to protect themselves against cyber attacks, in particular multi-factor authentication, vulnerability scanning, and security patching.

(ICO News)

Need to know

The EU proposes simplifying GDPR for smaller companies

On 21 May 2025, the European Commission published a proposal to extend certain GDPR exemptions previously available only to small and medium-sized enterprises (SMEs) to small mid-cap (SMC) enterprises.

The proposal seeks to amend Article 30(5) of the GDPR by extending the exemption from the obligation to maintain Records of Processing Activities (ROPA) to SMCs. SMCs are defined as organisations with fewer than 750 employees, an annual turnover not exceeding €150 million, and a balance sheet total not exceeding €129 million.

This change is intended to support enterprises that have grown beyond SME status, by allowing them to adopt a more simplified compliance approach. The Commission previously acknowledged that the existing ROPA obligations could be overly burdensome for such organisations.

The proposal also includes other changes to take into account the specific needs of SMCs in developing codes of conduct and certification mechanisms.

The proposal will now move through the EU’s legislative process, during which it may be further amended by the European Parliament or the Council.

(EU Commission proposal)

CBPR certification: A New Option for Cross-Border Data Governance

On 2 June 2025, the Global Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) certification systems officially launched, marking a significant development in international data protection. Evolving from the APEC CBPR framework—originally established to facilitate responsible data transfers among Asia-Pacific economies—the Global CBPR framework aims to provide a scalable and interoperable mechanism for enabling secure data flows across jurisdictions. While CBPR certification does not in itself guarantee compliance with the data protection laws of participating jurisdictions, it is recognised in some jurisdictions—such as Singapore and Japan—as a valid mechanism for facilitating lawful international data transfers under local law.

Unlike its predecessor, which was limited to APEC members, the Global CBPR system is open to any jurisdiction. As of June 2025, nine countries have joined as founding members: Australia, Canada, Japan, Mexico, the Philippines, South Korea, Singapore, Chinese Taipei, and the United States. Its core objective is to establish a common baseline for privacy protections, enabling businesses to transfer data across borders while demonstrating compliance with internationally recognised principles. Certification is voluntary and based on an independent assessment by an approved Accountability Agent.

The United Kingdom became the first Associate member of the Global CBPR Forum in 2023. Although Associate members do not yet issue certifications domestically, the UK's early engagement reflects strong support for global cooperation on trusted data flows.

The Global CBPR framework is not currently recognised as equivalent to the EU or UK GDPR. However, the Forum is considering material updates to the assessment criteria pursuant to which an organisation is to be certified—many of which reflect principles already embedded in the GDPR, such as breach notification, sensitive data handling, consent withdrawal, and records of processing. This suggests a growing alignment with high-standard privacy regimes and may support greater interoperability over time.

In the near term, UK businesses cannot yet obtain Global CBPR certification through a UK-based process, as full participation awaits further developments in the UK’s membership status. However, the Global CBPR framework may already serve as a practical reference point when assessing the adequacy of safeguards for international data transfers. Furthermore, as more jurisdictions adopt or align with the framework, it may become a credible and practical mechanism for ensuring robust data protection and demonstrating compliance with legal requirements across multiple jurisdictions

(Global CBPR)

(UK government’s announcement in 2023)

Other important developments

Data (Use and Access) Bill Update

On 19 June 2025 the Data (Use and Access) Bill received Royal Assent. The new law introduces targeted business-friendly changes to the UK GDPR. The ICO has also published guidance to explain the impact of the new law on organisations.

As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPCCyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.

RPCCyber_ can be downloaded for free from the Apple Store or Google Play Store.

UK government ransom ban – what does this mean for insurance?

RPC's Head of Cyber & Tech Insurance, Richard Breavington, was recently featured in Insurance Business' article on the UK government's proposed ransom ban and what it means for insurance.

The government has proposed legislation that would ban all public sector bodies and critical national infrastructure – including the NHS, local councils, and schools – from making ransomware payments. The aim is to make these entities less attractive targets for criminals; this would expand the current ban on ransom payments by government departments.

Speaking on how such a ban could impact organisations, Richard said: “If the option to pay a ransom is removed, the potential impact could be significantly greater because organisations are unlikely to be able to restore data unless backups are available or the data can otherwise be replaced from non-affected sources.”

For cyber insurers, a ransom ban would need to be factored into planning at both the underwriting and claims stages. For instance, there is a possibility that multiple insured organisations could be successfully attacked at the same time and be unable to pay a ransom.

Richard commented: “Insurers are developing various strategies to deal with this – including sophisticated modelling, asking questions upfront about supply chains to monitor exposure across insureds – and reinsurance. However, it remains a key concern in this area.”

Click here to read more from Insurance Business and here to read the GOV.UK consultation.

DPP Law Ltd faces a £60,000 penalty notice

The ICO required DPP Law Ltd (DPP) to pay a £60,000 fine after finding that they had infringed Articles 5(1)(f), 32(1), 32(2), and 33(1) of the UK GDPR.

These articles cover:

• Article 5(1)(f): Ensuring data is processed securely.

• Article 32(1) and (2): Implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

• Article 33(1): Notifying the Information Commissioner of a personal data breach without undue delay and, where feasible, within 72 hours.

DPP’s email server had stopped working and staff had no access to DPP’s IT network. DPP’s in-house IT manager established that all files across its servers had been corrupted. DPP’s external IT supplier believed that DPP had suffered a ransomware incident, despite not receiving any ransom demands.

The ICO determined that, by neglecting to undertake an assessment of the risks posed to data subjects as a result of the lack of availability of personal data, DPP did not notify the Commissioner until 43 days after the Cyber Incident, which was well-beyond the 72-hour reporting deadline. Furthermore, DPP demonstrated a lack of understanding of its obligation to notify the Commissioner of a personal data breach by not appreciating that lack of availability constituted a personal data breach.

The finding that DPP did not have appropriate technical and organisational security measures in place at the time of the incident provides a further precedent as to what that crucial standard actually looks like in practice.  Not for the first time, the lack of MFA in place was a factor in deciding that the standard had not been met.

The incident led to the exfiltration and dark web publication of personal data belonging to 791 individuals, including clients and expert witnesses. This included highly sensitive information relating to court proceedings and DPP’s legal advice to its clients.

Read the decision from the ICO here.

ICO issues notice of intent to fine 23andMe £4.59mn for data breach

On 24 March 2025, the UK Information Commissioner's Office (ICO) issued a Notice of Intent to fine 23andMe £4.9m in relation to a data breach that was reported in October 2023.

23andMe is a biotechnology company offering direct-to-consumer genetic testing services. Consequently, the company holds sensitive personal data for its customers.

The October 2023 data breach involved a hacker who claimed to have stolen DNA information from 23andMe customers, and subsequently, published the data of over 1 million customers as proof. It was later confirmed that the hacker had gained access to the personal data of 6.9 million customers in total.

The ICO launched an investigation into 23andMe with the intention to (i) identify the information implicated in the incident and any potential harms involved, (ii) examine whether adequate safeguards were in place, and (iii) assess whether 23andMe provided the required notifications to the ICO and affected data subjects. Given that the ICO had deemed 23andMe to be a custodian of sensitive information, the threshold for breaching its obligations was lowered.

This decision demonstrates the importance of identifying the sensitivity of the information held by an organisation and incorporating the appropriate technical and organisational measures to protect that information.

Click here to read the latest statement from the ICO.

The high stakes of cybersecurity issues in retail

Between 22 and 29 April 2025 three major retailers – Marks & Spencer, Harrods and the Co-Op – suffered cyber-attacks.

The effects of an incident on high profile retailers can be broad-ranging.  M&S had to pause all online transactions, and experienced widespread in-store disruptions. It has been confirmed that this single attack has resulted in the loss of more than £650m in the company's stock market value. The Co-Op, meanwhile, has been able to recover at a faster pace than M&S, who appear to have had their systems more comprehensively compromised. This might have been because the Co-Op's IT team discovered the incident while it was happening and made the decision to pull the plug on their systems during the attack, meaning threat actors were unsuccessful in deploying ransomware.

Cyber crime should be a cause for concern for all organisations. The number of "nationally significant" cyber attacks in the last 8 months has doubled compared to the same period a year ago.

In a recent speech, Cabinet Minister Pat McFadden has emphasised that cybersecurity can no longer be viewed as a luxury but must become "an absolute necessity" for organisations. 

A further point of interest on which we are starting to see comment is the extent to which these recent significant cyber losses could affect the cyber insurance market.  They provide a clear demonstration of the potential for rapid multi-limit losses.

Click here and here to read more from the BBC.

Main challenges of EU AI Act-GDPR interplay identified by Member States

On 14 March 2025, representatives from the EU Member States gathered to discuss and identify the compliance challenges that arise from the interplay between the EU AI Act and the EU GDPR.

The representatives have raised concerns surrounding the potential for conflicting legal requirements, inconsistent national governance approaches, and the need for legal advice to minimise the compliance burden.

The potential for conflict is created by the differing regulatory approaches underpinning the two pieces of legislation. The EU GDPR aims to protect personal data from a fundamental rights perspective, while the EU AI Act is primarily a piece of product safety legislation and protects personal data through targeted requirements based on risk levels.

This divergence could lead to contradictory outcomes where an AI system may be compliant with one piece of legislation, but not the other. It was stressed during the March discussion that the two laws must be interpreted and enforced coherently, and not viewed as distinct entities.

Additionally, the representatives called for the creation of joint task forces and technical working groups to create consistent interpretation of these laws across the EU Member States. The goal would be to create a uniform regulatory environment across the EU to reduce the administrative and financial cost of compliance.

The representatives emphasised the need for clear guidelines on how the two laws should interact, and how key concepts should be interpreted and applied. Currently, the Commission and European Data Protection Board are developing guidelines.

Click here to read more on MLex.

RPC at London Tech Week – 12 June 2025

Finally, join us on 12 June as we uncover the opportunities, challenges, and innovative solutions shaping the tech industry, presented by an exceptional line-up of experts. We'll be covering everything from how businesses can harness AI ethically for competitive growth to how tech is being used within organisations to bridge generational divides and unlock innovation. We'll also be sharing and celebrating the stories of inspiring women in the sector and looking at how tech and the use of tech has changed over the last decade and what the future looks like in terms of tech use in the media & entertainment, retail & consumer and other industries.

Find out more and register your place here.

If there are any issues on which you'd like more information (or if you have any questions or feedback), please do let us know or get in touch with your usual contact at RPC.

ICO launches investigations into use of children's data by social media and video-sharing platforms

As part of its campaign to ensure digital services are designed to safeguard children's personal data and in line with its 2024/2025 focus area on social media and video sharing platforms, the UK's Information Commissioner's Office (ICO) has recently launched investigations into TikTok, Reddit and Imgur to assess how the platforms handle children's personal data.

The ICO's investigation of TikTok, a video-sharing app that has gained immense popularity among younger audiences, is focused on TikTok's use of the personal data of 13-17 years olds to make recommendations and deliver tailored content. The investigation was triggered by the ICO's concerns about how young people's online activity is being used to provide potentially unsuitable and dangerous content to them.

Reddit and Imgur, both widely used for sharing images and participating in online communities, are under scrutiny by the ICO for their use of age assurance measures (i.e. methods to estimate or confirm the age of users), which play a crucial role in maintaining safe online environment for children's personal data.

This is the latest in a series of actions taken by the ICO since its Children’s Code was launched in 2021 and which are aimed at protection of children's privacy rights. On the back of the ICO's campaign, various platforms like X, Sendit, BeReal, Dailymotion, and Viber have implemented stronger privacy measures to safeguard children’s data.

Along with the announcement of the investigations into TikTok, Reddit and Imgur, the ICO provided a progress report on its Children's Code strategy, including an overview of the results of its enforcement activity and a table showing the compliance of 34 social media and video sharing platforms against key metrics. It is also worth noting that the new Data (Use and Access) Bill contains new requirements in relation to the offering of information society services to children.

In a sign of the increasingly cross-regulatory nature of enforcement, the ICO will be coordinating its work on children's data with Ofcom (which enforces the Online Safety Act), particularly in relation to age assurance. Ofcom's significant online safety enforcement powers include the ability to levy large fines and, in serious cases, restrict services or access to the offending platform. Coupled with the serious potential sanctions under data protection law, the risks are heightened for platforms that fail to comply with the law in this area.

(ICO's Website)

(ICO's Children's Code strategy progress update - March 2025)

CJEU - Data protection fines imposed on a subsidiary must be determined based on the total annual revenue of its parent company

In a case before the Court of Justice of the European Union last month, the court found that data protection fines against subsidiary companies should be calculated based on the group's total annual worldwide turnover, but the actual fine imposed should be determined by reference to additional factors.

The case concerned a request for a preliminary ruling from the High Court of Western Denmark in respect of Articles 83(4) to (6) of GDPR.  It related to a fine levied on a furniture retail chain for breaches of GDPR (specifically retention of former customer data) and whether or not the fine should be calculated based on the turnover of the furniture company's group or just of the company in breach. The court also addressed the meaning of "undertaking" (used in the relevant fining calculation provisions of GDPR (Article 83)).

The Court found that an "undertaking" refers to the competition law Treaty on the Functioning of the European Law (TFEU) meaning of the term, i.e. that it is "an economic unit" and relates to "any entity engaged in an economic activity, irrespective of the legal status of that entity and the way in which it is financed". The level of the fine should be assessed as a percentage of the group's (i.e. the "undertaking's") total annual worldwide turnover in the previous year.

The Court however drew a distinction between the basis for calculating the maximum fine and assessing what fine actually to impose in each case for breach of GDPR. Fines must be "effective, proportionate and dissuasive". The subsidiary's "actual or material economic capacity" must be considered to assess if the fine is proportionate. This includes taking into account if the company in breach is part of an undertaking/group. Other factors that should be considered when deciding on the level of fine are the type, severity and duration of the infringement, the number of data subjects impacted, and the extent of the damage to the individuals incurred. Authorities should also take account of whether the violation was negligent or intentional, the steps taken by the relevant controller or processor to mitigate the breach, an assessment of the controller or processor's responsibility for the breach and the types of personal data affected by the breach. In this way, the fine imposed will reflect the relevant circumstances and achieve its intended purpose (of being "effective, proportionate and dissuasive"). 

It is worth noting that the ICO's fining guidance (March 2024) takes the same view on the meaning of "undertaking" as taken by the Court: "Where a controller or processor forms part of an undertaking, for example where a controller is a subsidiary of a parent company, the Commissioner will calculate the maximum fine based on the turnover of the undertaking as a whole".  The ICO refers to Recital 150 UK GDPR which states that "Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEI for those purposes". The ICO guidance goes on to state that "While Articles 101 and 102 TFEU and EDPB decisions no longer apply to the UK following the UK’s exit from the European Union, the concept of an ‘undertaking’ is well established in UK competition law through UK and retained EU case law."

Although companies may take some comfort from the reasoning of the court in relation to calibrating fines based on the context/particular circumstances of the breach, the case highlights the importance of ensuring data protection law compliance across groups of companies and the potentially severe financial repercussions that can ensue if things go wrong.

(Judgment)

(ICO Fining Guidance)

ICO issues first fine against data processor for security failings

Advanced Computer Software, now trading as OneAdvanced (Advanced), has become the first data processor to be fined by the UK Information Commissioner’s Office (ICO) for security failings that resulted in a serious ransomware incident in August 2022. The fine, initially set at £6.09 million, was reduced to £3.07 million after the company made representations and agreed not to appeal. This marks a significant development under the UK GDPR and the Data Protection Act 2018, demonstrating the ICO’s readiness to hold processors directly accountable under the UK GDPR, particularly where there are substantial and prolonged security deficiencies.

Advanced was providing software and services to NHS organisations, which included processing special category personal data under Article 9 UK GDPR relating to health as well as the data of children, and vulnerable individuals. The ICO found that the company had failed to implement appropriate technical and organisational measures, as required under Article 32(1) UK GDPR, to ensure a level of security appropriate to the risk. This included not applying critical security updates, failing to follow National Cyber Security Centre (NCSC) guidance, and taking no action despite being aware of the relevant vulnerabilities as early as 2021. The breach, which occurred in 2022, resulted in the data of around 80,000 data subjects being accessed and disrupted services across the healthcare sector, classified as critical national infrastructure. The ICO concluded that Advanced had the resources and capability to prevent the incident but failed to do so over a four-year period.

The monetary penalty was issued under sections 149 and 155 of the Data Protection Act 2018, which empower the ICO to impose fines on a controller or processor that fails to comply with its obligations under Articles 25 to 39 of the UK GDPR. The Commissioner found a high level of culpability, particularly in light of Advanced’s role as a processor for public bodies and the sensitive nature of the data involved. This case serves as a warning that processors are not beyond the scope of enforcement and must meet their security obligations under the UK GDPR, especially when supporting public services that rely on the secure handling of special category data.

(ICO Fine)

RPC's Data Download Event: Insights from the ICO

At RPC's Data Download event on 27 February 2025, RPC's specialist data teams explored current and future challenges and risks in the field of data protection, including compliance, handling cyber incidents and data disputes. We were joined by Padi Dolatshahi, Principal Lawyer at the Information Commissioner's Office (ICO), who discussed the ICO's role in enforcing data protection law in the UK, particularly in relation to personal data breaches.

In her address, Padi urged companies to engage proactively with the ICO when breaches occur and provided recent statistics on reported cyber incidents, speed of reporting and categories of incident.  The presentation also outlined how the ICO’s engages with organisations following such data breaches and how it assesses the sufficiency of security measures and an organisation's compliance with UK GDPR. Padi also gave an overview of the ICO's data protection fining guidance and upcoming regulatory changes, including the Cyber Resilience Bill.

A copy of her slides can be found here.

The ICO's remarks and the other sessions at Data Download underscored organisations' need to remain proactive, transparent, and compliant in their data governance practices to navigate the evolving regulatory environment effectively.

Other important developments

EDPB launches its 2025 Coordinated Enforcement on the Right to Erasure, with 30 data protection authorities across Europe participating in an assessment of how controllers handle erasure requests under the GDPR.

In a meeting with the British Retail Consortium which RPC attended, the Department of Science, Innovation and Technology announced that the DUA Bill is expected to be passed in May with most data protection provisions being enforceable 6 months after.  The EU Commission has postponed its review of UK adequacy from June to December to allow for review of the DUA Bill.

The ICO has finalised its guidance on anonymisation and pseudonymisation. Separately, the ICO has published: (i) its 2025 Tech Horizons Report highlighting the most impactful technologies for the next few years; and (ii) a package of measures to support the UK government's growth agenda. 

In our March episode of The Work Couch, Jon Bartley and Helen Yost joined host Ellie Gelder in a two-part series which delves into data protection compliance in the employment context. Listen here.

As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPC Cyber App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.

RPCCyber_ can be downloaded for free from the Apple Store or Google Play Store.

ICO's first fine against data processor

At the end of last month, the ICO issued its first fine against a data processor in respect of a security breach.  The fine of £3m was imposed on Advanced Computer Software Group (ACS), which is a SaaS provider to healthcare organisations including the NHS.  The fine, which was originally £6m, was reduced following representations made by ACS to the ICO. Grounds on which the fine was reduced include the ACS' engagement with the National Cyber Security Centre, the National Crime Agency and the NHS in the aftermath of the incident. ACS estimated its costs of handling the incident at £21m.

The fine concerns a ransomware incident from August 2022 in which the special category health data of ACS' customers was stolen and systems were encrypted. The data included details of how to gain entry into the homes of 890 people who were receiving care at home. Hackers accessed ACS' systems via a customer account that did not have multi-factor authentication (MFA) in place. The key failures identified by the ICO, and which led to the fine, were:

1. A failure to adopt MFA across all user-facing systems;
2. Lack of comprehensive vulnerability scanning; and
3. Inadequate patch management.

The enforcement decision is important because it provides practical insight on the security standards expected when processing personal date, albeit in the context of particularly sensitive special category data. . It also shows a willingness of the ICO to pursue data processors, not just controllers, when breaches happen.

Click here to read more from the ICO. The ICO's analysis of ACS' technical failures are outlined at paragraphs 50-57 of the Monetary Penalty Notice.

Cyber Security and Resilience Bill: policy statement published

On 1 April 2025, a policy statement was published by the government, providing further detail on what the much anticipated Cyber Security and Resilience Bill will look like when it comes into force later this year. As expected, the Bill is in part effectively an expansion of the existing Network and Information Systems (NIS) Regulations.  Three measures under the Bill have been identified.

Bringing more entities into the scope of the regulatory framework

The Bill will bring Managed Service Providers (MSPs) into scope. These will be defined in the Bill and are expected to include providers offering IT services to businesses and public sector organisations with access to client data.

The Bill will contain measures aimed at strengthening supply chain security and will enable regulators to designate "critical suppliers". The Bill will allow the government to set stronger supply chain duties for operators of essential services (OES) and relevant digital service providers (RDSP).

Empowering regulators and enhancing oversight

1. The Bill will establish the Cyber Assessment Framework (CAF) on a stronger footing, so that firms follow best practice, and it is easier for them to do so. The Bill will provide the Secretary of State with powers to make regulations to update the existing requirements.
2. The Bill will improve cyber incident reporting through expanding the incident reporting criteria, updating incident reporting times, streamlining reporting and enhancing transparency requirements.
3. The Bill will improve the ICO's information gathering powers, for example through expanding duties of firms that provide digital services to share information with the ICO on registration.
4. The Bill will allow regulators to set up new fee regimes and to proactively raise funds.

Ensuring the regulatory framework can keep pace with the changing cyber landscape.

The statement reflects a desire to align the UK's cyber security position with the EU's NIS2 (Directive (EU) 2022/2555), though not all measures in NIS2 are apparent in the Bill, such as management liability. The increase of in-scope firms that are due to have the same duties as digital service providers will increase costs related to security improvements and compliance. The two-stage reporting system in which regulated entities will need to notify their regulator within no later than 24 hours of becoming aware of an incident will require them to be highly reactive.

Click here to read the cyber security and resilience policy statement.

UK data reform bill will be ready this spring, minister says

UK under-prepared for catastrophic cyber attack

Europol warns against use of AI in cyber attacks

Hambro Perks, now Salica Investments, to pay £2mn for stealing confidential information

As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPC Cyber App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.

RPC Cyber can be downloaded for free from the Apple Store or Google Play Store.

Government publishes response to its Call for Views on Cyber Security of AI

On 15 May 2024, the Department for Science, Innovation and Technology (DSIT) published its Call for Views on 'Cyber Security of AI' which outlined a proposed 'two-part intervention' approach, and 12 principles aimed at enhancing and maintaining cyber security standards for AI technology.

Following receipt of 123 responses to the Call for Views, the DSIT has now published a response paper which summarises respondent's key views and outlines the next steps. The salient points of the publication are that:

• 80% of respondents were supportive of the 'two-part intervention' approach, which first involves the development of a voluntary Code of Practice (Code), and then using that Code for the subsequent development of a global standard focused on baseline cyber security requirements for AI models and systems.

• There was overwhelming support for the 12 Principles outlined in the Code which included "Securing your Infrastructure" (Principle 6) and "Conduct appropriate testing and evaluation" (Principle 9).

• Respondents noted more detail/guidance is needed to implement the Code and that the existing market might not provide sufficient skills or capabilities to implement the Code.

The DSIT states it has taken the feedback on board and used it to update the Code and create new implementation guidance. The DSIT will now take the Code and guidance to the European Telecommunications Standards Institute (ETSI) to develop a new global standard focused on baseline cyber security requirements, in line with the two-part approach set out above.

Click here to consider the DSIT's full response.

Amendments to the Data (Use and Access) Bill and comments from the ICO

The Data (Use and Access) Bill (DUA) which was introduced in October 2024 has recently been passed to the House of Commons (HoC) from the House of Lords (HoL). During the DUA's time at the HoL several key changes have been made to the Bill, including:

• An amendment to Article 25 of the UK GDPR- Article 25 currently requires controllers to implement technical and organisational measures to ensure only necessary personal data is processed. The proposed amendment would require controllers handling children's personal data to consider newly introduced "higher protection matters" which require controllers to evaluate how to best protect/support children when implementing Article 25 measures.

• An amendment to PECR 2003 which extends the "soft opt in" exemption for text and email marketing communications to charities.

• A requirement for AI developers and operators of web crawlers to provide transparency information when requested, which demonstrates that UK copyright law is being adhered to when training AI models.

• An amendment to the Sexual Offences Act 2003 which would introduce a criminal offence for creating sexual deepfakes without consent or reasonable belief of consent.

• A requirement for the ICO to introduce Codes of Practice relating to AI automated decision making.

• A requirement for the ICO to regulate transparency for web crawler use.

The ICO has responded to these amendments mostly in a positive light, whilst noting it would like clarity on the policy intent behind "higher protection matters" as specified in the first bullet point above. The ICO has stated it looks forward to discussing the changes which concern its new areas of responsibility with the government, so it can "properly assess and account for the implications".  

Click here to see the latest version of the DUA and click here to read the ICO's response.

Lecturers' trade union obtains default judgment and injunction against (unknown) threat actors

In University College Union v Persons Unknown [2025] EWHC 192 (KB), the High Court has granted summary judgment and issued a final injunction against a group of unknown threat actors following a ransomware incident. The injunction prohibits the threat actors from publishing, disclosing or using the stolen data, and orders the threat actors to deliver/up delete the information and provide a witness statement confirming compliance with the same.   

This judgment followed a ransomware attack which occurred in August 2024 and targeted University College Union (UCU), a lecturers' trade union. The incident saw the unknown threat actor group extract and publish sensitive information relating to UCU's employees and third parties on the deep and dark web. Shortly after the incident, UCU applied for an interim injunction which was granted. As there was no engagement from the unknown persons, the Court has now issued a final injunction.

This decision provides an example of the process for obtaining injunctions against unknown parties, including to a final injunction.

Click here to read more from ICLG News.

Google releases report on Adversarial Misuse of Generative AI

Google's threat intelligence group has recently released a report on misuse of its generative AI model (Gemini) by bad actors. Some of the key takeaways from the report are that:

• Threat actors are experimenting with Gemini to enable their operations, finding productivity gains but not yet developing novel capabilities.

• Advanced Persistent Threats (APT) relating to government-backed hacking activity used Gemini to support several phases of attack lifecycles.

• Information Operations which attempt to influence online audiences in a deceptive, coordinated manner used Gemini for: research; content generation including developing personas and messaging; translation and localisation; and to find ways to increase reach.

• Gemini's safety and security measures restricted content that would enhance adversarial capabilities.

Google says it is committed to maximising the positive benefits of AI to society while addressing the challenges and will continue to be guided by its AI Principles to ensure robust security measures. Google also highlights it has introduced the Secure AI Framework which consists of six key elements which all aim to keep AI systems safe and secure.

Click here to read Google's full report.

Qualified one-way costs shifting (QOCS) applies to wrongful disclosure of private information claim

In Birley and another (personal representatives of the Estate of Ms Rosa Taylor) v Heritage Independent Living Ltd and others [2025] EWCA Civ 44, the Court of Appeal held that QOCS applied to a mental health injury claim arising from a data breach.

The QOCS rules prevent Defendants from enforcing their litigation costs against unsuccessful Claimants and apply to personal injury claims. Introduced in the 2013 Jackson Reforms, QOCS aims to alleviate the need for After-the-Event (ATE) insurance premiums and protects Claimants from adverse cost orders, which many previously argued deterred individuals from bringing injury claims. In Birley, QOCS was applied despite the cost provisions for media claims, which allow for the recovery ATE insurance premiums and success fees also being applicable. 

The judgment is significant as it clarifies that (i) QOCS applies to all personal injury claims regardless of the method of injury and (ii) QOCS and media claims provisions which allow recovery of ATE premiums and success fees can exist in tandem

Click here to read more from Casemine.

As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPC Cyber App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.

RPC Cyber can be downloaded for free from the Apple Store or Google Play Store.

RPC looks back at recent developments

For the cyber market, the past year brought with it many legislative and regulatory changes, as well as sophisticated cyber-attacks and ground-breaking law enforcement activity.

We have produced our very own 'Key Cyber Developments' update to provide a recap of the key issues and changes that took place over the last year. This includes insights on:

• Key legislative and regulatory changes in the UK and EU;

• Significant cyber incidents;

• Domestic regulatory activity;

• Law enforcement activity, and more.

Click here to read our 2024 update in full.

Why 2025 will be 'pivotal' for cyber insurance

RPC's Richard Breavington comments on why he thinks it will be a big year for the cyber insurance industry.  Speaking to Insurance Business, Richard highlights the increasing regulation coming across the EU and UK which will increase minimum security standards in a broad range of sectors, as well as imposing additional notification obligations for cyber incidents.

Richard also discusses that ransomware groups are adopting new models, such as 'as-a-service' structures where affiliates independently broker access to victims' systems for high commission rates. These models could increase the volume of incidents and result in more unsophisticated attacks. Finally, it's predicted that we'll see more threat actors use AI to enhance the scale and effectiveness of their attacks.

Click here to read more from Insurance Business.

DORA comes into force

On 17 January 2025, the Digital Operational Resilience Act (DORA) became enforceable across EU Member States. DORA requires financial services entities and third-party ICT providers operating in the EU to comply with strict new technical requirements and standards to protect against digital threats. There is provision in DORA for significant enforcement action, including substantial fines, for organisations found to have been non-compliant.        

Click here to read our recent article on the content and likely effect of DORA.

Home Office Consultation: six proposals on the future of ransomware payments

On 14 January 2025, the Home Office released a public consultation seeking views on various methods aimed at combatting the criminal ransomware 'business models' exploited by threat actors. The Consultation is made up of two key documents: the Ransomware Legislative Proposal which contains 3 key broad proposals, and the Options Assessment which looks at 6 more detailed options.

The Ransomware Legislative Proposals include:

1. A targeted ransomware ban for public sector organisations;

2. A ransomware payment regime in which all planned ransomware payments must be reported before they are made; and

3. A mandatory incident reporting regime which requires victims to report ransomware incidents.

The six more granular options in the Options Assessment are:

1. A complete ban on ransom payments;

2. A targeted ransom ban for regulated critical national infrastructure and public sectors;

3. A ransom payment prevention regime for all payments;

4. Mandatory reporting of all ransom payments prior to transactions (sector specific or economy);

5. Mandatory ransomware incident reporting regime for all sectors; and

6. Mandatory ransomware incident reporting regime for targeted sectors.

Interestingly, there is also an 'Option 0' which is to do nothing.

The primary aims of the Consultation are to (i) reduce the amount of money flowing to ransomware criminals; (ii) increase the ability of operational agencies to disrupt and investigate ransomware attacks, and; (iii) enhance the government’s understanding of the threats in this area to inform future interventions.

The Consultation is open until 8 April 2025. Click here to read more and/or complete the Consultation from the Home Office.

FCA consults on incident reporting obligations

In December 2024, the FCA published a consultation paper for firms to report operational incidents and material third party arrangements. The paper closely mirrors proposals put forward by the Bank of England and PRA, which are designed to align with international standards such as DORA (as mentioned above).

These proposals aim to introduce a consistent, sufficient, and timely reporting framework for firms, payment service providers, UK Recognised Investment Exchanges, registered trade repositories and registered credit rating agencies. The FCA paper proposes a definition of "operational incident" and requires firms to report incidents where a breach meets one or more of the following thresholds:

• Consumer harm: where the incident could cause or has caused intolerable levels of harm to consumers from which they cannot easily recover.
  
  

• Market integrity: where the incident could pose or has posed a risk to the stability, integrity or confidence of the UK financial system.
  
  

• Safety and soundness: where the incident could pose or has posed a risk to the safety and soundness of the firm or other market participants.

The proposals would also involve the firm producing an initial report, intermediate report and final report following an incident, much like DORA. Further, firms would be required to report on 'material third party arrangements'. These are arrangements between a firm and a third party where the disruption or failure of the service could:

• Cause intolerable levels of harm to the firm's clients;
  
  

• Pose risk to the soundness, stability and confidence of the UK financial system; or
  
  

• Cast serious doubt on the firm's ability to satisfy threshold conditions under the FCA handbook or meet the operational resilience requirements under SYSC 15A of the FCA's Principles for Business.

Click here to read our article for further insights and click here to consider the FCA's Consultation which closes on 13 March 2025.

EU's Digital Fairness Act

In October 2024, through a 'Digital Fairness Fitness Check', the EU Commission evaluated the adequacy of consumer protection law and found issues with a number of harmful online tactics.  Examples of these include complicated subscription systems, dark patterns, addictive deign, unfair contract terms, lack of transparency and exploitative ads. Considering this, the EU Commission is expected to present a new 'Digital Fairness Act' to combat these harmful tactics. Whilst this act has not yet been formally introduced, it is anticipated that 2025 will bring a public consultation on the issue, and a first draft of the Act could be seen by 2026.

Click here to read more from Publyon. 

Government increases Data protection fees for data controllers

After a 2024 consultation on proposed amendments to the data protection fee regime, which mandates data controllers to pay an annual fee under the Data Protection (Charges and Information) Regulations 2018, the government has published the consultation results. These results were based on 103 complete responses from various organisations and individuals.

In short, the government intends to increase the fee regime by 29.8% for all three tiers of data controllers. The Tier 1 fee which applies to micro-organisations will be £52 (previously £40); the Tier 2 fee which applies to small and medium organisations will be £78 (previously £60); and the Tier 3 fee which applies to only large organisations will be £3,763 (previously £2,900).

Click here to read the government's consultation outcome for further details and thoughts behind the changes.

If there are any issues on which you'd like more information (or if you have any questions or feedback), please do let us know or get in touch with your usual contact at RPC.

Data Download

Our Data and Privacy Group will be hosting our exclusive conference, Data Download, on 27 February 2025, with sessions from 2pm. The RPC specialist data teams and the ICO will examine key data protection challenges, from compliance to managing cyber incidents and disputes. Attendees will gain practical insights through an immersive case study, hear directly from Padi Dolatshahi, Principal Lawyer at the ICO, and explore upcoming developments in 2025—all while networking with leading professionals in the field.

For further details and to RSVP, please click here. 

Navigating compliance in Italy: Garante’s Stance on OpenAI’s Gedi Partnership and GDPR Violations.

Italian enforcement action in the generative AI landscape gives insight into how Europe may view collaboration with, and compliance of, AI providers. 

The Italian Data Protection Authority (the “Garante”) issued two important decisions concerning generative AI over the last few months.

The Garante has formally warned the publishing group GEDI in relation to its agreement with OpenAI, which involves sharing GEDI’s editorial content to train OpenAI’s AI algorithms. The key issues included: (i) the risks arising from processing sensitive and judicial data contained in GEDI’s digital archives; (ii) that the data subjects had not been adequately informed about the use of their data or given the opportunity to object; and (iii) GEDI claimed a legitimate interest in using innovative methods for journalistic activities. However, the Garante ruled that this did not justify the transfer of personal data to OpenAI, as the training process falls outside GEDI’s control. The Garante concluded that the data sharing agreement could potentially violate GDPR and warned GEDI of possible sanctions.

In another decision, the Garante fined OpenAI €15 million and ordered it implement several measures concerning the collection of personal data to train generative AI models and respecting data subjects' rights. The Garante found OpenAI responsible for: (i) failing to notify the March 2023 personal data breach to the Garante; (ii) processing users’ personal data to train ChatGPT without a proper lawful basis; (iii) not adequately informing users about the processing of their personal data, including using that data to train its AI model; (iv) not implementing an adequate age-verification mechanism; (v) implementing an inadequate awareness campaign, since the one required in 2023 was implemented without having been agreed with the Garante and it was inadequate; and (vi) infringement of the accuracy principle,  owing to inaccurate output data from the AI model..

Just a few days ago, following the launch of DeepSeek, a generative AI tool, the Garante requested information from the Chinese companies that own the tool. This further actions confirm the focus of the Garante on generative AI. 

(Garante order in relation to GEDI)

(Garante decision in relation to OpenAI)

This article was authored by Laura Liguori of Portolano Cavallo in Italy, providing insights into the Italian regulatory approach to generative AI.

Data Protection in Generative AI: Perspectives from the ICO and the EDPB.

Insights from UK and EU Authorities on Ensuring Responsible Generative AI Development and Operation.

The use of personal data in the development and operation of generative AI models is a significant area of concern for data protection authorities. Both the UK’s Information Commissioner’s Office ("ICO") and the European Data Protection Board ("EDPB") have published guidance on how these technologies should align with existing data protection laws.

In December 2024, the ICO published a report outlining its stance on generative AI following its public consultation which garnered over 200 responses. The report highlighted several key areas including: (i) the lawful basis for using web-scraped data to train AI models; (ii) determining the data protection roles of entities in the AI supply chain; and (iii) the engineering of individual rights into generative AI models. The ICO found that a lack of transparency around how generative AI uses public data has eroded trust in AI systems, calling on AI developers to be more transparent about their data practices including clarifying: (i) what personal information is being collected; (ii) how it is being used; and (iii) how individuals and publishers can better understand these processes.

The ICO emphasised that while generative AI holds significant potential for the UK, it must be used responsibly and in accordance with data protection laws. Developers are urged to ensure that the personal data used to train these models is obtained lawfully, and that mechanisms for exercising individual rights are built into the models themselves.

Meanwhile, the Irish DPC has sought guidance from the EDPB to harmonise the regulatory framework across Europe on the use of personal data for AI training, developing and operation. The EDPB's opinion addressed questions about the anonymisation of AI models, the use of legitimate interest as a legal basis for processing, and the consequences of using unlawfully processed personal data in AI development and deployment.

The EDPB guidance suggests that the compliance of AI models must be evaluated on a case-by-case basis, deferring to local data protection authorities' judgment; it provides a non-exhaustive list of methods for data protection authorities to assess and demonstrate the anonymity of data in AI models.

The guidance also focuses on the validation of the legitimate interest lawful basis for AI model's development and deployment. It confirmed that legitimate interests could be a valid lawful basis for both developing and deploying AI models, as long as the balancing test favours the data controller’s or a third party's interests over the rights of data subjects, taking into account mitigatory measures. The EDPB has suggested to controllers that publishing this test may assist with increasing transparency and fairness.

Businesses which are considering or already do deploy or provide AI systems should review the relevant guidance in order to update their data protection compliance programmes.

(ICO's opinion on Generative AI developers)

(Opinion 28/2024 on certain data protection aspects related  to the processing of personal data in the context of AI models)

Exploring the ICO's Draft Guidance on Storage and Access Technologies

An overview of the ICO’s latest proposed guidelines for businesses on storage and access technologies.

The Information Commissioner’s Office (ICO) has published a draft update to its guidance on storage and access technologies, crucial for businesses in digital marketing and data management.

This final version will impact how organisations handle user data, aligning with current regulatory standards and legal developments. It is proposed that the guidance will cover a broader range of technologies beyond traditional cookies. Key updates include a structured approach with "must," "should," or "could" directives, integrating insights from recent case law and ICO positions, especially on online advertising norms.

The expanded coverage of PECR-regulated technologies offers detailed rules and examples, clarifying interactions with UK GDPR. A new chapter on consent management highlights practical strategies and common pitfalls for businesses implementing consent collection mechanisms such as cookie banners. Transparency and user consent are emphasised as central principles, with organisations urged to provide clear explanations and genuine choices regarding technologies like cookies.

The ICO is seeking public feedback until 5pm on Friday 14 March 2025.

(ICO guidance on the use of storage and access technologies)

As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPC Cyber App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.

RPC Cyber can be downloaded for free from the Apple Store or Google Play Store.

NCSC publishes its Annual Review

The NCSC has published its Annual Review which looks back at key cyber developments and observations between September 2023 and August 2024. Some of the NCSC's key findings are:

• Many nation-state threat actors and cyber criminals are using AI to increase the volume and heighten the impact of cyber-attacks.

• More recently, a greater proportion of threat actors are choosing not to encrypt systems and simply to threaten publication of sensitive data.

• The NCSC Incident Management (IM) team received 1,957 reports of cyber-attacks between the relevant period (down from 2,005 reports the previous year). 317 of 1,957 incidents were ransomware-related. 430 of the total incidents required support from the IM team (last year this was 371). 89 incidents were also described as nationally significant with 12 of them being at the "top end of the scale".

• The sectors reporting the highest levels of ransomware activity were academia, manufacturing, IT, legal, charities and construction.

• The NCSC believes organisations from all sectors are widely underestimating the severity of cyber threats in the UK.

• Global ransomware payments in 2023 topped $1 billion.

• There is a widening gap between the increasingly complex threats and collective defensive capabilities in the UK.

• The NCSC is pioneering research in the secure development of AI technologies.

To mark the release of this Annual Review, NCSC CEO, Dr Richard Horne, gave a speech.  He noted that the threat landscape is diversifying at speed and that talking about being resilient is not enough, rather existing guidance must be put into practice across the board to bolster defences.

Click here to read the NCSC's Annual Review and click here to read Dr Richard Horne's full speech.

Court of Appeal dismisses mass misuse of private information representative claim

In Prismall v Google UK Ltd and DeepMind Technologies Ltd [2023] EWHC 1169, Mr Prismall (the Claimant) had brought a representative action against Google and its artificial intelligence company, DeepMind Technologies (together, the Respondents). The Claimant alleged that the Respondents misused data belonging to 1.6m NHS patients (the proposed class members) by obtaining data from the Royal Free London NHS and using it to create a mobile app called 'Streams' which was used to help individuals detect kidney issues.

On 13 May 2023, the High Court dismissed the claim stating there was no prospect of establishing that the data relating to 1.6m class members could have been misused, and that such proceedings should not be allowed to proceed on an opt-out basis. The Claimant obtained permission to appeal.

On 11 December 2024, the Court of Appeal (CoA) handed down its judgment (Neutral citation: [2024] EWCA Civ 1516) following a hearing in October 2024. The CoA upheld the High Court's decision and dismissed the appeal. The CoA stated that a representative class claim for misuse of private information is always going to be very difficult because relevant circumstances will affect whether there is a reasonable expectation of privacy, which will affect whether the representative class have the same interest.  In this situation, showing that all members of the representative class have exactly the same interest in the claim is likely to be challenging.

This judgment highlights the difficulties in bringing data misuse claims on a class basis in the UK and may serve as a deterrent for representatives looking to bring such claims.

Click here to see the CoA's judgment and click here to access the High Court's judgment.

EDPB's statement calls for coherence of legislation with the GDPR

On 3 December 2024, the European Data Protection Board (EDPB) adopted a statement (Statement 6/2024) on the European Commission's second report on the applicability of the GDPR (COM (2024) 357)).

Whilst the EDPB's statement acknowledges that the GDPR has improved individuals' control over their own data and established high data protection standards through the EU, it notes there are outstanding challenges. More specifically, the EDPB notes that further clarity and coherence is needed between the GDPR and other EU statutory instruments such as the Artificial Intelligence Act, Digital Markets Act (DMA), and broader EU Data Strategy. It also indicates that further cooperation is needed between DPAs and other regulatory bodies.

The EDPB referred to some of its ongoing initiatives such as producing guidance to assist with understanding various EU statutory instruments and establishing cooperation mechanisms with other sectoral regulators. It also highlighted the need for additional financial and human resources to help DPAs and the EDPB deal with increasingly complex challenges and additional competences. The EDPB has encouraged reports from the European Commission and the Fundamental Rights Agency.

Click here to read the press release and statement from the EDPB.

EU's Cyber Resilience Act comes into force

On 10 December 2024, the EU's Cyber Resilience Act (CRA) has come into force.  Whilst most of the Act's obligations will not be applicable until three years from now, it marks a significant advance towards protecting products from cyber threats. The CRA applies to 'products with digital elements' (PDEs) which can range from Internet of Things (IOTs), computer components and even software. The CRA applies to manufacturers, distributors, and importers of PDEs.

Manufacturers are under the highest level of scrutiny as it is their responsibility to ensure that the PDE meets essential cybersecurity and vulnerability handling requirements, and to make notifications if there are severe PDE incidents.  Failure to comply with the CRA obligations can result in a fine of up to EUR 15 million or up to 2.5% of worldwide turnover.  Non-compliant products can also get banned, withdrawn or recalled from the EU. The provisions of the CRA will apply from 11 December 2027, with certain articles coming into force in 2026.

Click here to read our full article which contains further analysis and commentary on the CRA.

Nuclear Decommissioning Authority launches cyber facility

The Nuclear Decommissioning Authority (NDA) is responsible for cleaning the UK's earliest nuclear sites and is made up of four key competencies: Sellafield; Nuclear Restoration Services; Nuclear Waste Services; and Nuclear Transport Solutions. The NDA has recently announced its establishment of a specialised cyber facility, the Group Cyberspace Collaboration Centre (GCCC).  The facility will seek to collaborate with nuclear operators and the wider supply chain to work on technologies such as AI and robotics whilst enhancing collective ability to defend against cyber threats. The GCCC is a wholly owned subsidiary of the NDA.

Earlier this year, another of the NDA's subsidiaries which is responsible for managing the Sellafield site, Sellafield Ltd, was fined £332,500. This came from Sellafield Ltd's failures to meet standards, procedures and arrangements as set out in in its approved cyber security plan and breaches of the Nuclear Industries Security Regulations 2003, which occurred over a course of four years.

Click here to read more from Nuclear Engineering International on the establishment of the GCCC and click here to read regarding Sellafield's fine. 

On 23 October 2024, the House of Lords introduced the Data (Use and Access) Bill (DUA). The DUA is intended to replace the Data Protection and Digital Information Bill (DPDI) which was dropped during the parliamentary wash-up.  

Some of the key points in the DUA include:

• the introduction of open public data bases and smart data which is intended to free up Police and NHS resources;
• the power for the Secretary of State to alter which types of data can be classed as special category data, and provisions on access to business and customer data; and
• the introduction of a national register for underground services such as cables, water, pipes, and power.

The DUA does however remove some elements from the DPDI, including:

• the requirement for the ICO to consider the government's objectives;
• changes to the meaning of personal data;
• the requirement for overseas companies to have a representative in the UK, and;
• the right to refuse to respond to data subject access requests which are disproportionate.

Whilst some have commented that the Bill is less ambitious than the DPDI, this is still a significant piece of legislation which will introduce notable changes to the UK GDPR.

Click here to read the government's press releases considering further changes and click here to view the DUA in its entirety.

NCSC issues guidance for legal practitioners on cyber policies

The NCSC has released a list of preventative steps which solicitors, barristers and other legal professionals should incorporate to reduce the risk of falling foul to a cyber-attack. These steps include:

• Creating and testing backups of important data which would allow client data to be accessible even in the event cyber-attack.
• Keeping software updated and enabling automatic updates to ensure the latest security updates are in place.
• Enabling encryption on all devices.
• Protecting email accounts using strong passwords and using 2-step verification / multi-factor authentication.
• Controlling access to devices by using passcodes or biometrics where applicable and locking your devices when not at your desk.
• Turning on firewalls to prevent unwanted connections to devices.
• Limiting the number of administrator accounts.
• Enabling antivirus software.
• Ensuring lost or stolen devices can be tracked, locked or wiped, so that unauthorised individuals cannot access the information on the device.
• Auditing and reviewing privacy permissions connected with other apps and making sure that staff only have access to applications which are necessary for the purposes of their role.

For each recommendation, the NCSC has helpfully provided various links containing guidance on how to implement these measures on various systems.

Click here to read more from the NCSC.

Regulators' latest updates on Operational Resilience and Critical Third Parties

In August 2024, the Bank of England (BoE) published its Report on Operational Resilience on a Macroprudential Framework with a view to assisting financial entities and the wider financial system to prevent and respond better to operational disruptions.

This has now been complemented on 12 November 2024 by a Policy Statement PS16/24, titled "Operational Resilience: Critical Third Parties to the UK Financial Sector" (the Rules) which have been published by the BoE in collaboration with the FCA and the PRA (the Regulators). 

The Rules stem from the Regulators' recognition of the increasing reliance by financial entities on services provided by third parties and the impact disruptions can have to these services, which can include potential threats to financial stability and market integrity.

The Rules aim to harmonise various regulatory instruments into a new Critical Third-Party (CTP) regime.  This sets out measures to ensure CTPs can prevent and deal with disruptions from Macro Vulnerabilities and Transmission Channels. The Rules also outline 6 'Fundamental Rules' which OTPs are required to exercise whilst conducting business.

Click here to read our full article on the Rules and the UK's digital operational resilience landscape, and click here to access the Rules.

What does your cyber insurance cover? ICAEW provides insights

The ICAEW has emphasised that companies must be vigilant of exclusions and limitations within their cyber policies. RPC's Richard Breavington highlights that some policies require evidence of multi-factor authentication, effective patch management or other security measures; meaning that failure to follow these steps could prevent the policy from responding.

The ICAEW also refer to a report from Delinea which states that 47% of incidents linked to insurance claims are related to privilege and identify compromises, meaning that consequently, 41% of insurers now require evidence of privileged access controls before writing a policy.

The ICAEW use these points to highlight the importance of suitably assessing cyber policies to ensure the rights steps are being taken to ensure claims will be covered, and putting in place the right steps so businesses can be issued the right cyber policy in the first place. The ICAEW also comments that companies should explore AI-supported threat detection and monitoring solutions which can reduce likelihood of incidents and minimise cyber-related loss.

Click here to read more from the ICAEW on this topic.

Cybersecurity myths putting accounting professionals at risk

The Financial Accountant states that whilst over 560,000 cyber threats are discovered daily which mostly target SMEs, many accounting professionals still believe certain cybersecurity myths which leave them vulnerable.

These myths include assuming that:

"Only the big four accounting firms get hacked"- In reality, 81% of cyber threats target small to medium sized businesses.

"Silence is the best policy"- Staying silent can involve risk and can even be contrary to legal requirements if the breach meets applicable notification thresholds.

"You can choose who to report the incident to"- Reporting requirements differ by jurisdiction. Certain incidents may also require reporting to multiple jurisdictions, such as if the company is part of an EU supply chain. RPC's Richard Breavington comments that notifications to European regulators might be needed if European data subjects are affected.

"Backing up data eliminates risk"- In fact, many cyber criminals intentionally target back-up data, albeit having properly protected back ups is a crucial part of a firm's cybersecurity posture.

"Cybersecurity is 'set and forget"- Constant vigilance is required to mitigate cyber risks.

To read more on this topic, click here for the Financial Accountant's full article.

Australian draft law to encourage businesses to share private data with government.

Following escalating cyber threats, the Australian government is introducing the Cyber Security Act which will require businesses to report any ransom payments to authorities. The Act also encourages businesses to share private details with relevant agencies.

The new 'limited use' obligations within the Act will prevent sharing of information provided to the National Cyber Security Coordinator and Australian Signals Directorate – although it will not give businesses a complete indemnity from future prosecution. Under a new power aimed at protecting the country's critical infrastructure, businesses will also be forced to address serious cyber deficiencies within their risk management programmes.

The Australian government's cyber security minister, Tony Burke, has said the Cyber Security Act is long overdue and reflects their deep focus on cyber threats as well as keeping pace with emerging threats and positioning businesses and individuals to respond and bounce back from cyber-attacks effectively.

Click here to read more from ABC news.

As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPCCyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.

RPCCyber_ can be downloaded for free from the Apple Store or Google Play Store.

Cyber Security and Resilience Bill scheduled for 2025 parliamentary introduction

On 30 September, the UK Government confirmed that the Cyber Security and Resilience Bill (the Bill) will be introduced to Parliament by 2025. The Bill was introduced during the King's Speech in July, and largely aims to update the UK’s cyber defences and digital infrastructure following European legislation such as the Network and Information Security (NIS2) Directive and Cyber Resilience Act.

The Bill is anticipated to impose stricter rules regarding technical security and incident notification on a bigger pool of organisations classified as operators of essential services or relevant digital service providers.  The wider applicability of the Bill is set to foster higher cybersecurity standards and promote a better understanding of ongoing cyber threats, particularly in relation to the increasing targeted threats on the UK's critical infrastructure.

Click here to read the government's recent update on the Bill.

Long-awaited changes to Australian Privacy Act

Following the Australian Federal Government's Privacy Act Review which commenced four years ago, the Government has finally introduced its first substantial amendments in an 81-page bill. The key changes include:

• New statutory tort to address serious invasions of privacy which previously did not exist. This is to assist individuals in seek recourse for losses arising from breaches of privacy and will likely make businesses with large amounts of data more susceptible to class actions.
• Development of a Children’s Online Privacy Code to better protect children from online harms.
• Increased transparency for individuals on automated decisions which affected them.
• Streamlined information sharing during emergencies.
• Stronger powers for the Australian Information Commissioner.
• Criminalisation of 'doxxing' – i.e. releasing personal data in a menacing or harmful manner.

The proposed changes are mostly welcome, however some expected implementations have been omitted from the draft bill. Click here to read more on this from Colin Biggers & Paisley - part of RPC's Global Access Network and click here to learn more about the Network.

UK and allies issue joint cyber security warning amid China-linked campaign botnet

The NCSC and relevant bodies in the US, Australia, Canada, and New Zealand have issued a joint advisory informing organisations and individuals that Integrity Technology Group, a Chinese based company with links to the Chinese government and state actor, Flax Typhoon, has managed a botnet with over 260,000 compromised passwords around the globe.

The compromised devices are said to include firewalls, routers, webcams, and CCTV cameras – all devices which threat actors can use for a multitude of malicious activities. The joint advisory shares technical details to help organisations and individuals defend against the malicious activity as well as providing mitigation advice. It also highlights how unpatched and of end-of-life systems can be exploited by threat actors.

Click here to read more from the NCSC and click here to read the joint advisory.

FGS Global's Leadership in Crisis report reveals cyber security remains key concern among business leaders

In FGS Global's recent report, 'Leadership in a crisis', around 500 business leaders have been polled and interviews have been conducted with several of the UK's most prominent CEOs; unsurprisingly, cyber risk has been pinpointed as the biggest threat due to the financial, reputational, regulatory and operational impact that a single attack can potentially cause to a business.

The report reveals that 36% of the businesses polled have faced a cyber-attack and, despite growing prevalence, there is still a limited understanding of cybersecurity and cybercrime. FGS further comment that not enough companies learn as much as they could from crises. Despite emphasis on cyber security, only 40% of companies have implemented technological updates, 33% have strengthened security measures and 31% enhanced their data protection initiatives.

Click here to download the Leadership in Crisis report to read more about cyber risks and other current concerns prevalent in business leaders.

TFL still feeling the effects of last month's cyber-attack, but NCA makes first arrest

On 1 September, TFL fell victim to an aggressive cyber-attack which is still impacting its key IT infrastructure and affecting live tube arrival times, refunds for contactless pay-as-you-go journeys, photo applications for new Oyster cards and staff access to systems. The incident has also exposed 30,000 employees' passwords and bank details for around 5,000 customers. So far, the incident is said to have cost several millions of pounds.

But in an unusual turn of events, the NCA may have found the first culprit behind this attack.  It confirmed the arrest of a 17-year-old male who has since been questioned and bailed. Further details on the arrest have not been provided. However, Paul Foster, NCA deputy director and head of the agency's National Cyber Crime Unit has commented that "The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued co-operation with our investigation, which remains ongoing."

Click here to read more from the NCA and click here for the latest update from TFL.

Ireland to expand scope of NCSC's powers in times of emergency

The Irish Government's General Scheme for the National Cyber Security Bill has revealed it plans to place the NCSC on a statutory basis and allow the security agency to monitor all internet traffic in the event of pressing national security threats. This update comes amid rising cyber-attacks and an uptick in foreign interference during general elections. Richard Brown, director of the NCSC has stated these powers are similar to those granted to France's security agency during the Paris Olympics.

The powers will not be automatic.  The NCSC will have to apply to the High Court for the monitoring powers and will only be granted them where there are real and persistent risks to security of the state, integrity of public sector data or continuity of essential services. It is not yet known when this Bill will become law.

Click here to read more from Finextra and click here to read the Irish Government's General Scheme.

As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPCCyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.

RPCCyber_ can be downloaded for free from the Apple Store or Google Play Store.

The challenges and benefits of the Digital Operational Resilience Act (DORA) compliance

With less than four months until the deadline for organisations within scope to become fully compliant with DORA, RPC's Partner and Head of Cyber & Tech Insurance Richard Breavington has highlighted the challenges and benefits of DORA compliance in a recent interview.

Speaking to InsurTech magazine, Richard highlights the material cost of ensuring compliance with DORA's standards as one of the challenges posed by the new regulation, with the need for implementation of new policies, rules, and processes (such as incident management systems, mandatory threat-led testing, and employee training). Benefits include the harmonisation of previously varied and uneven national regulatory rules, and the establishment of an intelligence sharing mechanism, allowing the exchange of critical information, such as emerging threats and indicators of compromise.

The deadline for entities to become fully compliant with the DORA regulation is 17 January 2025.

Click here to read more from InsurTech magazine.

Cyber-attacks on law firms jumped by 77% over the past year

It has been reported that the number of successful cyber-attacks against UK law firms rose by 77% in the past year to 954, up from 538 the year before. Nearly three quarters of the UK’s top 100 law firms have been impacted by cyber-attacks, according to a report by The National Cyber Security Centre.

Law firms often hold information that can potentially be used by threat actors to attempt fraud and other crime, making them an attractive target.

Click here to read more from the Law Gazette.

Law firms have a record of paying ransoms, report claims

A report by technology researcher Comparitech has revealed that law firms targeted by ransomware threat actors have been paid on at least eight known occasions over the past six years. The report identified 138 ransomware attacks on the legal sector, resulting in almost 3 million individual records being compromised.

The largest known ransom demand was $42 million from a New York firm, which was refused. The UK is the second most affected country after the US, with a notable spike in attacks reported in London earlier this year.

Click here to read the full Law Gazette article. 

Provisional ICO decision to impose £6m fine on software provider following 2022 ransomware attack that disrupted NHS and social care services

The Information Commissioner's Office (ICO) have decided provisionally to fine Advanced Computer Software Group Ltd (Advanced) £6.09m for failing to implement measures to protect the personal data of 82,946 individuals.

Advanced provides IT and software services to organisations including the NHS and other healthcare providers and acts as a data processor for these organisations.  

The fine follows a ransomware attack in August 2022 where hackers accessed Advanced’s health and care systems via a customer account lacking multi-factor authentication. Although no evidence suggests the data was published on the dark web, the attack disrupted NHS services and compromised personal data such as medical records and home entry details for 890 patients.

Click here to read the full ICO article.

NCSC CEO shares insights into securing UK elections in cyber space at major international conference

Felicity Oswald, CEO of the UK's National Cyber Security Centre (NCSC), has emphasised the importance of long-term planning and vigilance in safeguarding the 2024 UK General Election from cyber threats.

Speaking at the Black Hat USA conference, she highlighted how the UK collaborated with partners across government, industry, and international allies to strengthen cyber resilience before polling day.

Despite the traditional use of paper ballots, significant digital infrastructure involved in the electoral process required robust protection against cyber actors. Oswald stressed the need for citizens to trust the democratic process and the integrity of online information. She shared these insights alongside experts from the US and EU, underscoring the global nature of election security challenges. The NCSC also provided updated advice to protect high-risk individuals and organisations involved in the election.

Click here to read the full NCSC article.

Deepfakes: the next frontier in digital deception

Machine learning and artificial intelligence (AI) tools, particularly deepfakes, raise concerns in cybersecurity due to their potential to spread disinformation. Deepfakes can convincingly mimic individuals' voices, making them a powerful tool for cybercriminals as anyone can produce realistic fake content.

This has led to costly scams, such as a fraud where deepfake technology impersonated a CFO and convinced a finance worker to pay $25 million to fraudsters.

Despite advances in AI, the basics of cybersecurity, such as verifying unusual requests and being aware of time-pressured requests, remain crucial. Legislation is emerging to address these threats, with the EU's AI Act categorising AI risks, the UK government's aim to establish AI specific legislation and similar measures being considering in the USA.

Click here to read the full Business Reporter article.

On 19th July 2024, a faulty software update by cybersecurity firm, CrowdStrike, triggered a global IT outage, affecting a substantial number of Windows devices.  This interrupted services for a number of organisations and caused significant disruption, including in air transport.

This incident, considered one of the most severe cyber events in history, has resulted in economic losses for numerous businesses. Notably, Delta Airlines and various financial institutions were severely affected, prompting threats of legal action against Crowdstrike for compensation.

The insurance implications of this event are still being assessed. Initial suggestions are that businesses may file claims under the ‘system failure’ provisions of their cyber insurance policies, given that the incident was not a result of a malicious attack. The potential volume and scale of these claims could affect the cyber insurance industry materially, including potentially the cost of premiums and the scope of policy wordings.

For more information, a BBC report into the incident is here and an article from Spiceworks which includes reference to the potential litigation and insurance consequences is here.

King's Speech announces new Cyber Resilience Law  

The King's Speech announced plans to introduce a new Cyber Security and Resilience Bill to Parliament in the coming months following an increase in cyber threats to critical organisations.

The Bill aims to update existing UK Regulations including the Network and Information Systems (NIS) Regulations 2018. According to a briefing paper published alongside the King's Speech, the Bill will extend the scope of the existing NIS regime to protect more digital services and supply chains. Additional incident reporting obligations will likely be imposed, including in relation to ransomware attacks to improve national threat understanding. Other measures will be put forward to strengthen regulators’ powers in relation to enforcement, costs recovery and the ability to carry out proactive investigations.

This is a step towards an updated cyber security regime in line with the developments in this field at European level, where the implementation deadline for the EU NIS 2 Directive is 17 October 2024.

Click here to read the full King's Speech and click here to read the accompanying briefing paper from the UK Government. 

ICO reprimands Electoral Commission

The Information Commissioner's Office (ICO) has reprimanded the Electoral Commission over cyber security failings relating to an attack in August 2021.

Hackers entered the Electoral Commission's servers and exploited a known flaw in the software that should have been fixed months before. This resulted in personal data, including names and addresses, of approximately 40 million voters being exposed to hackers for over a year until the problem was found.

The ICO's report said the Electoral Commission did not have appropriate security measures in place to protect the personal information it held and did not keep its servers up to date with the latest security patches issued months before the attack. The ICO also found that the Commission did not have sufficient password policies in place at the time of the attack, with many staff still using default passwords.

Click here to read the full reprimand.

NCSC and partners issue warning over North Korean state-sponsored cyber campaign to steal military and nuclear secrets

The National Cyber Security Centre (NCSC), alongside international partners from the US and South Korea, has issued a new advisory revealing a global cyber espionage campaign linked to the Democratic People’s Republic of Korea (DPRK). The group, identified as Andariel and associated with DPRK's Reconnaissance General Bureau (RGB), has targeted critical sectors including defence, aerospace, nuclear, and engineering, with a lesser focus on medical and energy entities. The attackers aim to steal sensitive technical information such as contract specification design and project details.

Andariel's activities have expanded to include ransomware attacks, notably against US healthcare organisations, to extort payments and fund further espionage. The advisory provides technical insights and mitigation strategies to defend against these threats. It highlights the group's tactics of exploiting known vulnerabilities, maintaining persistence, and evading detection. The NCSC and partners warn that Andariel has evolved from destructive attacks to sophisticated espionage and ransomware operations, sometimes combining both tactics against the same target.

Click here to read the full joint advisory. 

ICO takes action against two organisations for "risking public trust" by failing to respond to public requests for information

The ICO has issued enforcement notices to Devon and Cornwall Police and Barking, Havering and Redbridge Hospitals NHS Trust for failing to meet requirements under the Freedom of Information (FOI) Act 2000.

Investigations revealed both organisations had significant delays in responding to FOI requests and have been issued with enforcement notices for their ongoing FOI failings.

Devon and Cornwall Police responded to only 39-65% of requests within the required 20 working days' timeframe between 2022 and 2024, with a backlog increasing from 77 to 251 requests between December 2023 and June 2024. The Police have 30 days to publish an action plan and clear the backlog within 6 months. 

Barking, Havering and Redbridge Hospitals NHS Trust was found to respond to only 29% of requests within the required timeframe, with only 2.5% of requests made in January 2024 responded to in a timely manner. The Trust's backlog increased from 589 to 785 requests between April and June 2024. The Trust has been given 35 days to publish an action plan to clear the backlog by the end of the year.

Failure to comply with the enforcement notices may lead to Court proceedings.

Click here to read Devon and Cornwall Police's enforcement notice and click here to read Barking, Havering and Redbridge University Hospitals NHS Trust's enforcement notice.

NCSC and partners issue warning about evolving techniques used by China state-sponsored cyber attackers

The National Cyber Security Centre (NCSC), in collaboration with international partners from Australia, the US, Canada, New Zealand, Germany, the Republic of Korea, and Japan, has released an advisory highlighting the evolving tactics of China state-sponsored cyber actors. The focus is on APT40, a group linked to the Chinese Ministry of State Security, which has targeted Australian networks by exploiting vulnerable small-office and home-office devices.

These devices, often not running the latest software or lacking security updates, provide a weak point that attackers exploit to launch attacks and hide malicious traffic. The advisory includes two technical case studies demonstrating these attack methods, which are also used by other Chinese state-sponsored groups globally.

The UK has previously attributed APT40 as being part of the Chinese Ministry of State Security. Defenders are encouraged to follow the latest advice to help detect and mitigate the malicious activity.

Click here to read the full advisory.

The Information Commissioner's Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have launched a joint investigation into the data breach that occurred in October 2023 at the global direct-to-consumer genetic testing company 23andMe. 23andMe processed highly sensitive personal information, including genetic data that remains unchanged over time and reveals details about individuals and their families, such as health, ethnicity, and biological relationships. Last year the company experienced a data breach where this sensitive personal data was stolen by threat actors and made available online. The joint investigation will assess the scope of information exposed by the breach and the potential harm to affected individuals. It will also determine whether 23andMe had sufficient safeguards in place to protect personal data and whether the company provided proper notification about the breach to the regulators and affected individuals.

Click here to read more from the ICO.

Downturn in percentage of companies paying cyber ransoms 

A new report by insurance and risk management company Marsh has highlighted that 23% of clients affected by a cyber extortion event in 2023 paid the ransom, out of a (rising) total of 282 events, according to Marsh's report.

The report, which analysed over 1,800 cyber claims submitted to Marsh in the U.S. and Canada last year, revealed a significant increase in the median payment for ransomware. While fewer payors were recorded, the median payment rose to $6.5 million in 2023 from $335,000 in 2022, and the median demand increased to $20 million from $1.4 million.

In 2023, 21% of Marsh clients with a cyber policy reported an incident. The healthcare and communications sectors experienced the highest number of claims annually. Although ransomware accounted for less than 20% of reported claims, it remains a primary concern due to its frequency, sophistication, and potential severity.

The report recommends companies develop a "cyber resilience strategy" that considers the enterprise-wide economic and operational impact of cyber risks. Meredith Schnur, cyber practice leader at Marsh, U.S. and Canada, emphasised the importance of clients adopting a proactive approach to safeguard themselves.

Click here to read the Marsh report. Click here to read the accompanying press release.

Further developments in Snowflake data breach

Hundreds of customers of Snowflake Inc, a popular US-based cloud data platform, have recently reported suffering a data breach. Cyber criminals allegedly used stolen log-in credentials obtained via infostealer malware to illegally access companies' accounts, with hundreds of Snowflake customers' passwords reportedly found online.

As an unfolding incident, the full extent of the breach is still being investigated. However, it is estimated that hundreds of millions of records have been exfiltrated, including data from major companies like Ticketmaster, with details of over 550 million customers being exposed. The threat actor behind the attack claims to have accessed data from around 400 organisations. A report by Mandiant, a cybersecurity organisation, suggests that these credentials were "primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems".

A statement released by Snowflake has clarified that it has “not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration or breach of Snowflake’s platform", and there is no "identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel".

“This appears to be a targeted campaign directed at users with single-factor authentication. As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware.”

Click here to read the Mandiant report.

Lloyd's of London issues bulletin to update cyber coverage risk requirements

Lloyd's of London has issued bulletin Y5433 to update cyber risk underwriting requirements in relation to state-backed cyber-attacks. This follows the controversial Y5381 bulletin from August 2022, which first mandated the use of cyber-specific war exclusion clauses in cyber policies written in the Lloyd's market.

The bulletin explains further steps being taken by Lloyd's to limit the use of cyber-specific war risk exclusion clauses which do not comply with the requirements in the original Y5381 bulletin. In particular, non-compliant exclusions for which there has been no dispensation issued by Lloyd's are forbidden from 1 July 2024. Where dispensations have been granted, these will not be renewed on expiry and no new dispensations will be granted.

The Y5433 bulletin also indicates that one of the narrower types of exclusion previously categorised previously as being compliant (or at least outside of the expressly non-compliant category) will now be phased out. This 'Type 4' variant of the exclusion contained a carve back for losses suffered as a result of cyber operations carried out as part of war where the affected systems were situated outside of the warring states. This is now stated to be outside of Lloyd's risk appetite and will be phased out by policies incepting on 1 January 2025.

Despite the variable reaction to the initial Y5381 bulletin, this more recent bulletin reinforces the approach of insisting on robust exclusions meeting original requirements. This might well be due in part to the deterioration in the global geopolitical landscape since the original bulletin.

Click here to read Market Bulletin Y5433.

FRA publishes report outlining issues, best practices, and suggested solutions on EU data protection enforcement 

The European Union Agency for Fundamental Rights (FRA) has announced the publication of its report "GDPR in practice - Experiences of data protection authorities," based on interviews with representatives from data protection authorities in 27 EU Member States.

The report highlights several issues undermining EU data protection enforcement:

• a lack of resources, funding and staff which prevent authorities from fully carrying out their mandates, made more difficult by increased workloads generated from new laws such as the EU Artificial Intelligence Act (the AI Act);
• a need for more tools to reinforce data protection authority's supervisory capacity, including the ability to conduct undercover investigations or the possibility of fining organisations that refuse to cooperate;
• a need for more guidance and exchange of best practices for data protection authorities that often need to prioritise complaint handling over other tasks;
• EU countries and their public institutions should systematically consult the data protection authorities and seek their advice in advance of new legislation - currently, data protection authorities are often not consulted on new legislation or are given tight deadlines;
• a lack of awareness among individuals regarding their personal data rights and organisations that struggle to identify and prevent data protection risks, especially when it comes to AI systems;
• difficulties for researchers in accessing data – specific guidance and clarifications are needed around processing of data for scientific purposes; and
• data protection authorities struggling to regulate new technologies - regulators need to identify specific technology related areas where more clarity is needed and work closely together when advising on new technologies.

Click here to read the press release. Click here to read the FRA's report.

Please do feel free to forward on the publication to your colleagues or, better still, recommend that they subscribe to receive the publication directly.

If there are any issues on which you'd like more information (or if you have any questions or feedback), please do let us know or get in touch with your usual contact at RPC.

Key developments

DPDI Bill falls in 'wash up' ahead of General Elections

The Data Protection and Digital Information Bill has been dropped in the Parliamentary 'wash up' process following the announcement of the general elections this summer.

Read the full article.

ICO consults on "consent or pay" business model

The ICO has called for views on the use of "consent or pay" business models which will contribute to the ICO's final regulatory position on this issue.

Read the full article.

AI Update

The EU AI Act has been signed. In the UK, the AI and Digital Hub has been set up to provide one-stop-shop regulatory advice on innovative tech .

Read the full article.

Enforcement action

ICO orders Serco Leisure and community leisure trusts to stop processing biometric data for the purposes of monitoring their employees

On 23 February 2024, the Information Commissioner's Office (ICO) announced the issuing of enforcement notices ordering Serco Leisure, Serco Jersey, and seven associated community leisure trusts to stop using facial recognition technology, and fingerprint scanning, to monitor their employees' attendance at work (see here).

Read the full article.

CJEU finds that a press release by the European Anti-Fraud Office indirectly identified the subject of a fraud investigation

On 7 March 2024, the Court of Justice of the European Union (CJEU), annulling a finding of the General Court of the European Union (GC), confirmed that, to determine if a data subject is indirectly identifiable, it is necessary to view the information in its entirety and to consider 'all the means reasonably likely to be used' by individuals to identify a data subject.

Read the full article.

Need to know

The ICO has issued guidance on the use of fines under the UK GDPR  

Read the full article.

The ICO plan to create an AI tool to identify websites which are using non-compliant cookie banners

Read the full article.

UK's ICO and USA's FCC collaborate to tackle unwanted communications

 The UK's Information Commissioner's Office (ICO) and USA's Federal Communications Commission (FCC) have announced that they have signed a Memorandum of Understanding (the Memorandum) regarding the protection of consumers from unsolicited communications.

Read the full article.

The National Cyber Security Centre has published guidance for organisations considering payment in ransomware incidents, developed in conjunction with the Association of British Insurers, the British Insurance Brokers’ Association, and the International Underwriting Association.

Key points include:

• Alternative Solutions: Companies should consider viable backups and unexpected methods to recover systems and data instead of paying ransoms.
• Consulting  Experts: Decision-making should involve consulting insurers, law enforcement, and cyber incident response specialists.
  Be aware that  payment does not  guarantee access to data: There is a chance that decryption keys will not work and, even if they do, it will take time to run across large networks.
• Consider the correct legal and regulatory practice around  payment: There are a range of legal risks involved in paying a ransom which need to be considered and mitigated to the extent possible.
• Payment of a ransom does not fulfil regulatory obligations: The ICO has made clear that payment of a ransom, including for deletion of data, does not affect the level of risk to data subjects and the resulting notification obligations.
• Report to the UK authorities: The NCSC will usually expect to be informed about ransomware incidents, particularly where payment of the ransom is being considered.

Click here to read the NCSC's full guidance.

Leader of LockBit ransomware group sanctioned

The identity of the leader of LockBit, the notorious cyber-crime group, has been named by law enforcement agencies. This individual has now been sanctioned, as announced by the UK Foreign, Commonwealth and Development Office, alongside the US Department of the Treasury’s Office of Foreign Assets Control and the Australian Department of Foreign Affairs.

LockBit offers ransomware-as-a-service (RaaS) to a global network of hackers, supplying them with the tools and infrastructure to perpetrate cyber-attacks internationally. Between June 2022 and February 2024, it is estimated that more than 7,000 attacks were built using LockBit's services, with the top five impacted countries being the US, UK, France, Germany, and China.

Commenting on this development, the Director General of the National Crime Agency, Graeme Biggar, states that “These sanctions are hugely significant and show that there is no hiding place for cyber criminals... who wreak havoc across the globe. He was certain he could remain anonymous, but he was wrong."

Click here to read more from the National Crime Agency.

ICO urges organisations to boost cyber-security amidst growing threat of cyber attacks

The ICO has issued a call for organisations to boost their cyber security and protect the personal data they hold. This comes amid the growing threat of cyber-attacks as over 3,000 cyber breaches were reported in 2023.

The ICO refers to a report containing practical advice to assist organisations with understanding common security failures and addresses steps that can be taken to improve security and prevent cyber breaches. The report focuses on five leading causes of cyber-security attacks:

1. Phishing: where scam messages trick the user and persuade people to share passwords or accidentally download malware.
2. Supply chain attacks: where products, services, or technology organisations use are compromised and then used to infiltrate their own systems.
3. Brute force attacks: where threat actors use trial and error to guess username and password combinations, or encryption keys.
4. Denial of service: where threat actors aim to stop the normal functioning of a website or computer network by overloading it.
5. Errors: where security settings are misconfigured, including being poorly implemented, not maintained and or left on default settings.

Click here to read the ICO's statement. Click here to read the ICO's report.

Information Commissioner highlights persistent breaches of sensitive information failing people living with HIV

The ICO called out failing data protection standards at health services for people living with HIV following several breaches and concerns raised by major UK HIV representative-organisations.

In 2022/23, the health sector was the most common source of data breach reports to the ICO, accounting for over a fifth of all personal data breaches.

The ICO has previously issued fines and reprimands for data breaches involving various health organisations, such as the Central Young Men's Christian Association, HIV Scotland, and NHS Highland. These breaches led to a loss of confidentiality over the identity of HIV patients, which has led to a drive for better staff training, appropriate technical procedures and prompt reporting.

The ICO highlights some key pieces of advice for organisations, such as:

1. Ensuring that staff receive thorough data protection training.
2. Ensuring that appropriate technical measures are in place, such as passwords and access controls.
3. Avoiding using BCC when sending bulk communications and opting for bulk email services, mail merge, or secure data transfer services.
4. Training staff on the data breach reporting process.

Click here to read the ICO's press release.

Tech Minister delivers speech on UK cyber resilience

Tech Minister Saqib Bhatti MP recently delivered a speech to the National Cyber Security Centre's CyberUK 2024 conference in Birmingham. In his address, Mr Bhatti underscored the critical importance of cyber resilience for the UK.

The Government’s National Cyber Strategy focuses on several key areas: improving cyber resilience, fostering growth in the cyber security sector, enhancing cyber security skills, and addressing the security of new and emerging technologies such as AI, quantum computers, and semiconductors. He highlighted three significant challenges: ensuring that technology is “secure by design”; strategically managing cyber risk; and implementing effective rules and controls.

Mr Bhatti also set out a new Code of Practice for software vendors, which sets out how developers and vendors can look to ensure software is developed and maintained securely, with improved information sharing through supply chains. The code sets out four principles:

1. Secure design and development
2. Build environment security
3. Secure deployment and maintenance, and
4. Communication with customers.

He also announced a new Code of Practice in the Cyber Security of AI, which is based on the NCSC's Guidelines for secure AI system development and is intended to form the basis of an international standard on AI cyber security.

Click here to read Mr Bhatti's speech. Click here to read the Code of Practice for Software Vendors and click here to read the Code of Practice on the Cyber Security of AI.

Government issues cyber security standards for schools and colleges

The Government has published guidance on standards that schools and colleges should meet in relation to cyber security and user accounts. This aims to mitigate the significant operational and financial impact that cyber incidents and attacks have on schools and colleges.

The Government guidance also refers to the Cyber Essentials certification programme, which aims to provide these organisations with increased assurance over the technical elements of cyber security. Whilst Cyber Essentials is not a requirement and is open to organisations across all sectors, schools and colleges are urged to complete it as part of their cyber security activities.

Click here to read the government's guidance. Click here to read more about Cyber Essentials.

The UK government has published the results of a research study for UK cyber resilience. The study explores the policies, processes and approach to cyber security for 2,000 businesses, 1,004 charities and 430 educational institutions. The findings of the survey provides a description of the cyber security position of a representative sample of UK organisations, providing a snapshot of UK cyber resilience at this point in time.

Some interesting statistics include:

1. 7.78 million cyber crimes of all types have been experienced by UK businesses in the last 12 months.
2. 32% of businesses are experiencing attempted attacks at least once a week.
3. Malware impacted 17% of organisations that experienced a cyber incident.
4. Phishing remains the top method of initial access, and the cause of 84% of cyber incidents.
5. Just 22 % of businesses have a formal incident response plan in place.
6. Just 11% of businesses say they review the risks posed by their immediate suppliers and only 6% are looking at their wider supply chain.

It will be interesting to see how the final two points develop with upcoming EU's NIS2 Directive and Digital Operational Resilience Act (DORA) prompting affected UK businesses to focus further on cyber risk.

Click here to read the full UK Government survey.

ICO launches consultation on accuracy of generative AI models

The ICO has announced the launch of the third chapter of its consultation series on generative AI, focussing on how the accuracy principle of data protection law applies to the outputs of generative AI models and the impact that accurate training data has on the output.

The consultation explains that the level of accuracy required of the outputs of generative AI models depends on how the model will be used, with high accuracy needed for models that are used to make decisions about people or that are relied on by users as a source of information. It also notes that organisations developing and using generative AI models that have a purely creative purpose are unlikely to need to ensure that the outputs are accurate as their first priority. For example, the consultation highlights that models used to triage customer queries would need to maintain higher accuracy than models used to help develop ideas for video game storylines.

Where an application based on generative AI is used by individuals in consumer-facing services, the ICO notes that application developer need to consider:

• Providing clear information about the statistical accuracy of the application, and easily understandable information about appropriate usage; 
• Monitoring user-generated content;
• User engagement research, to validate whether the information provided is understandable and followed by users;
• Labelling the outputs as generated by AI, or not factually accurate; and
• Providing information about the reliability of the output. 

Click here to read the full publication by the ICO.

NCSC published new version of the Cyber Assessment Framework

The NCSC has published an updated version of the Cyber Assessment Framework (CAF). This follows an increase in the cyber threat to critical national infrastructure.

The updated CAF covers the increased use of AI technologies and makes changes to the previous CAF in relation to remote access, privileged operations, user access levels and the use of multi-factor authentication. It has also been revised to improve navigation across the CAF collection and consolidate references to both internal NCSC and wider external guidance.

The update has been completed in full consultation with NIS regulators and other interested parties. The NCSC explains that they have also improved alignment with Cyber Essentials by mirroring some of its requirements while ensuring the existing outcome-focussed approach of the CAF is retained.

Click here to read the NCSC press release.

CyberCube issues warning on increased cyberattacks targeting public sector

CyberCube, an analytics platform which provides data-driven insights for the insurance industry, has raised the rising risk of cyberattacks targeting public sector institutions, particularly government and election systems. In anticipation of the upcoming global electoral events, the report, "Global Threat Outlook, H1 2024," urges government agencies to enhance cybersecurity defences "in 2024 and beyond".

The report also discusses eight sectors vulnerable to cyber threats (telecoms, IT, education, retail, arts & entertainment, financials services and healthcare). CyberCube underscores healthcare as the most susceptible to cyber threats.

CyberCube explains that sectors like banking and aviation are frequently targeted but they maintain robust cybersecurity making them slightly less susceptible to threats. Sectors such as mining and agriculture are found to be targeted less but still maintain high security standards in any event.

Click here to read more from Insurance Business Magazine.

ICO publishes guidance to improve transparency in health and social care

The Information Commissioner's Office (ICO) has published new guidance on improving transparency in health and social care.

The health and social care sectors routinely handle sensitive information about the most intimate aspects of someone’s health, which is provided in confidence to trusted practitioners. Under data protection law, people have a right to know what is happening to their personal information, which is particularly important when accessing vital services.

The guidance has been prepared following receipt of feedback from a public consultation earlier this year to heath and social care organisations across the UK.

The guidance will help health and social care organisations to understand the definition of transparency and assess appropriate levels of transparency, as well as providing practical steps to developing effective transparency information. The guidance supplements existing ICO guidance on the principle of transparency and the right to be informed.

Click here to read the guidance. Click here to read the associated ICO press release.

International agencies publish joint guidance on securely deploying AI systems

Global government security agencies, including the UK's NCSC, have published the joint Cybersecurity Information Sheet "Deploying AI Systems Securely".

The guidance provides best practices for deploying and operating externally developed AI systems and aims to:

• improve the confidentiality, integrity, and availability of AI systems;
• ensure there are appropriate mitigations for known vulnerabilities in AI systems; and
• provide methodologies and controls to protect, detect and respond to malicious activity against AI systems and related data and services. 

The information sheet is for organisations deploying and operating externally developed AI systems on premises or in private cloud environments, especially those in high-threat and high-value environments. The sheet notes that each organisation should consider the guidance alongside their use case and threat profile.

Click here to read the CISA press release.

European Supervisory Authorities (ESAs) consultation seeks views on draft regulatory technical standards under DORA

The Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554) introduces a pan-European oversight framework of ICT third-party service providers designated as critical (CTPPs). ESAs have been mandated, under DORA, to develop draft regulatory technical standards (RTS) to harmonise the conduct of oversight activities by competent authorities and the ESAs.

Under Article 41(1) of DORA, the draft RTS should specify:

• the information to be provided by an ICT third–party service provider in the application for a voluntary request to be designated as critical;
• the information to be submitted by the ICT third–party service providers that is necessary for the Lead Overseer (who is appointed to conduct oversight of the assigned CTPPs and act as the primary point of contact for those CTPPs) to carry out its duties;
• the criteria for determining the composition of the joint examination team, their designation, tasks, and working arrangements;
• the details of the competent authorities’ assessment of the measures taken by CTPPs based on the recommendations of the Lead Overseer.

The consultation seeks feedback, until 18 May 2024, on whether the content of the RTS is sufficiently clear and detailed, and whether respondents agree with the impact assessment and main conclusions stemming from it.

Click here to view the consultation paper.

The Information Commissioner’s Office has published new data protection fining guidance setting out how it intends to issue penalties and calculate fines. This provides greater transparency for organisations on the ICO's likely approach to fines.

Amongst other things, the guidance covers:

• The legal framework that gives the ICO the power to impose fines - making it easier to navigate the complexity of the legislation;
• The methodology the ICO will use to calculate the appropriate amount of the fine.
• The new guidance replaces the sections about penalty notices in the ICO Regulatory Action Policy published in November 2018 (access this here at pages 24 and 27).

Click here to read the guidance and here to read the associated press release.

NCSC Head considers banning ransom payments

Ciaran Martin, Chief Executive of the UK's National Cyber Security Centre (NCSC), has reignited discussions about the feasibility of implementing a legal prohibition on ransom payments in ransomware cases. Martin has highlighted the escalating threat of ransomware, labelling it as the most detrimental cyber menace to businesses presently. He emphasised the urgency of finding effective measures to enforce a ban on ransom payments.

Banning ransomware payments has been a contentious issue, with proponents advocating for its implementation to curtail cybercriminal activities. However, those who have seen businesses who would be forced into failure without payment can sometimes take a different view.

A recent report by Emsisoft emphasised the necessity of disrupting the financial incentives that drive ransomware attacks through a comprehensive ban on payments. The report concludes that "the only solution is to financially disincentivise attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work… For as long as ransomware payments remain lawful, cyber criminals will do whatever it takes to collect them." By preventing victims from bowing to the demands of cyber-attackers, the profitability of ransomware schemes will decrease.

To read the Computer Weekly article, please click here. To read the Emsisoft report, please click here.

EDPB publishes opinion on the notion of a main establishment of a controller in the European Union

The European Data Protection Board (EDPB) recently published an opinion addressing a query from the French Supervisory Authority regarding the interpretation of certain aspects of the General Data Protection Regulation (GDPR). The focus was on defining the "main establishment" of a data controller under Article 4(16)(a) GDPR and the criteria for applying the one-stop-shop mechanism, particularly concerning the controller’s "place of central administration" within the Union.

The EDPB clarified that for an establishment to qualify as the main establishment under Article 4(16)(a) GDPR, it must make decisions regarding the processing of personal data and possess the authority to implement these decisions. Furthermore, the one-stop-shop mechanism is applicable only if such decision-making authority is within an establishment in the Union.

The Board emphasised that controllers bear the burden of proving where processing decisions are made and where the power to implement them lies. It stressed the importance of cooperation with supervisory authorities in this regard. Supervisory authorities retain the right to challenge a controller's claim based on an objective assessment of the facts.

While identifying a central management place in the Union aids in pinpointing decision-making authority, further assessment is necessary to qualify an establishment as the main one. Supervisory authorities must ascertain where processing decisions are made and the power to implement them before determining a main establishment. This clarification aims to ensure consistent application of GDPR principles across the Union.

To read the EDPB's opinion in full, please click here.

Increase in cyber security incidents involving electric vehicles and chargers

From 2019 to 2023, disclosable cyber security incidents in the automotive and mobility sector increased by more than 50%, according to Israel-based firm Upstream.  In 2023, there were 295 incidents with bad actors accounting for 64% of these attacks and 65% originating from dark web cyber activities.

For electric vehicles (EVs), the connected charging network is a target.  Recently, the Office for Product Safety and Standards told Wallbox that its Internet-connected Copper SB EV home charger was not properly secured against hackers and couldn’t be sold.  Updated Copper SB EV chargers can still be sold until June 30, but the company has stopped marketing the device.

To read Autoweek's full article on the issue, please click here.

Warning by UK Minister for Artificial Intelligence on cyber defences

The UK Minister for Artificial Intelligence has urged British businesses to bolster their cyber defences following new government data revealing that three-quarters of medium and large-sized businesses experienced cyber incidents in the past year. Additionally, nearly 80% of high-income charities faced security breaches, highlighting the growing threat posed by bad actors utilising AI to steal sensitive information and facilitate ransom schemes.

According to the insurer Hiscox, cyber-attacks on businesses have risen for 4 consecutive years. The government, in close collaboration with industry experts, is implementing measures such as the Cyber Governance Code of Practice to strengthen cyber protections.

To read the full City AM article, please click here.

The National Cyber Security Centre (NCSC) has issued its two-year predictions related to the growing threat posed by the use of artificial intelligence (AI) in ransomware attacks. In a recent report, the NCSC highlights the increasingly sophisticated use of AI by cybercriminals to perpetrate ransomware attacks, signalling a concerning evolution in cyber warfare.

Some key areas where AI is predicted to make its mark are:

• Enhancing social engineering methods by creating convincing interactions with victims;
• Assisting threat actors with identifying high-value assets for examination and exfiltration, intensifying the damage inflicted by ransomware attacks;
• By employing AI-driven techniques, attackers can create more convincing and targeted phishing campaigns, increasing the likelihood of successful breaches; and
• Assisting threat actors with malware and exploit development, vulnerability research and lateral movement.

While the adoption of AI in cyber operations has traditionally been limited to well-resourced and highly skilled threat actors, the NCSC warns that the commoditisation of AI-enabled tools could lower the barrier to entry for less sophisticated cybercriminals. This trend poses significant challenges for cybersecurity professionals tasked with defending against evolving threats.

In response to these emerging risks, the NCSC emphasises the importance of proactive measures and collaboration across sectors to improve cyber resilience. By staying vigilant and implementing robust cybersecurity strategies, organisations can better defend against the escalating threat posed by AI-driven ransomware attacks.

Click here to read the NCSC's report.

EU lawmakers ratify political deal on artificial intelligence rules

The European AI Act has been ratified as a provisional agreement by two key groups of lawmakers in the European Parliament ahead of a vote by the legislative assembly in April. The AI Act aims to set guidelines for AI technology used across multiple industries, from cars, to airline, to police services.

The legislation will also regulate foundational or generative artificial intelligence (AI) models, such as Microsoft-backed OpenAI. However, Big Tech firms remain concerned about the ambiguous language in some of the Act's requirements and the impact it may have on innovation.

The UK Government has recently confirmed that it is currently not intending to regulate AI specifically and will devolve responsibility to existing regulators.

Click here to read the full Thompson Reuters article.

Global Operation Disrupts LockBit Ransomware Group

In a coordinated effort led by international law enforcement agencies, a major operation claims to have caused a significant blow to the notorious LockBit ransomware group. The operation, dubbed "Operation Cronos", involved collaboration between the UK's National Crime Agency, the Federal Bureau of Investigation, Europol, and several other countries' authorities.

LockBit, is believed to be one of the world's largest criminal ransomware groups, whose activities have had far-reaching consequences, with high-profile attacks, including the UK's Royal Mail in January 2023.

Operation Cronos seized control of LockBit's infrastructure, including servers containing victim data, its leak site, communication servers, and file-share servers. Additionally, 11,000 domains associated with LockBit and its affiliates were seized.

The operation also resulted in the arrest of two LockBit actors in Poland and Ukraine, as well as the issuance of three international arrest warrants and five indictments by French and US authorities. One of the most significant achievements of Operation Cronos was the retrieval of decryption keys, allowing global law enforcement agencies to develop tools to recover files encrypted by LockBit ransomware.

However, cybersecurity experts remain cautious about the long-term impact of the takedown. While the operation might have dealt a blow to LockBit, the group has shown resilience in the past, and appears to be still functioning to at least some degree.  We have advised on ransomware claimed to be LockBit after the takedown and understand that the LockBit leak site is back up on the dark web. 

Click here, here and here to read news articles by the BBC, Infosecurity Magazine and the Insurance Journal respectively.  

ICO Greenlights Legal Services Certification Scheme

The Information Commissioner’s Office (ICO) has given the green light to a new certification scheme tailored for legal service providers tasked with processing personal data. This move, introduced under the UK GDPR, aims to improve data protection standards and enhance trust among consumers.

Emily Keaney, ICO Deputy Commissioner, highlights the significance of such schemes in ensuring adherence to data protection standards, particularly for entities like law firms and barristers’ chambers which can handle large amounts of sensitive personal data.

According to Keaney, participation in the certification scheme provides legal service providers with assurance of their commitment to data protection principles, streamlining the assessment process for third-party data processors. Additionally, it offers clients peace of mind, demonstrating a firm’s dedication to safeguarding their personal information and upholding robust information security practices.

The newly approved scheme marks the fifth set of UK GDPR certification criteria approved by the ICO. In summary, firms will need to comply with the following requirements:

• Develop and implement a comprehensive data protection training program for all staff, overseen by the Data Protection Officer (DPO).
• Establish procedures for handling complaints and conduct regular data protection audits, taking corrective actions as needed.
• Assess risks and implement measures to protect data in all processing activities, maintaining a register of risks and measures.
• Conduct Data Protection Impact Assessments (DPIA) before processing high-risk data, documenting assessments and regularly reviewing them.
• Document policies for all data processing activities, ensuring they follow a standard format, are easily accessible and are regularly updated using a change control policy.

Click here to read the ICO's statement.

Solicitor fined for failing to spot Friday afternoon cyber fraud

A solicitor agreed to pay £26,000 in fines and costs following orders by the Solicitors Disciplinary Tribunal (SDT) for failure to verify a clearly suspicious change of bank details of a client, which amounted to a payment diversion fraud. The solicitor also failed to inform their client of the payment diversion fraud promptly.

The incident involved interception of a conveyancing transaction email change by a subtle email address change. The payment diversion fraud involved £290,000 being transferred to a fraudulent account with the bank raising concerns about the recipient account two weeks later. The solicitor only became aware of the incident at this point.

Emphasising prevention, the SRA advises solicitors to train staff, educate clients, verify contact details and promptly report suspicious transactions.

Click here to read the full Law Society article. 

NCSC publishes vulnerability management guidance

The National Cyber Security Centre (NCSC) has published guidance on vulnerability management. The NCSC points out that all systems contain vulnerabilities which may take the form of a configuration issue for system administrators to resolve, software defects to be resolved by a vendor update, or a vulnerability which the vendor is unaware exists. The NCSC suggests that vulnerability management should be seen as a process to assess how well an organisation’s software update process and security controls are performing.

The guidance sets out five principles to help organisations create an efficient vulnerability management process:

1. Policy to apply updates by default, preferably automatically
2. Identify what systems and software are in place
3. Triaging and prioritising vulnerabilities
4. Take responsibility for risks of not updating
5. Verify and regularly review vulnerability management processes

Click here to read the full guidance.

The Growing Threat of Cyberattacks in the Automotive Industry: Protecting EV Charging Networks

Recent findings from cybersecurity firm Upstream reveal a surprising 295 cybersecurity incidents in the automotive and mobility sector in 2023 alone. Most of these attacks were orchestrated by malicious actors, posing a significant threat to the security of mobility assets worldwide.

The rise of electric vehicles (EVs) has further compounded these risks, as modern vehicles, especially those with electric drivetrains, increasingly rely on software-driven systems, leaving them susceptible to a new wave of cyber threats.

Michael Austin, Senior Research Analyst for EVs and Mobility at Guidehouse Insights, highlights the disruptive nature of car hacks, emphasising that even minor incidents could have profound impacts on individuals’ lives.

In a recent development, concerns have been raised about the security of EV charging networks. The Office for Product Safety and Standards in Britain issued a warning regarding the vulnerability of an internet-connected home EV charger, which, if abused, could disrupt the UK's critical national infrastructure.

Richard Breavington, Partner and head of the Cyber and Tech insurance team at RPC, emphasises the need for a holistic approach to cybersecurity. He explains, “Today’s story highlights that cybersecurity vulnerabilities are not always localised to computers and software,” highlighting the necessity of comprehensive cybersecurity strategies that encompass all aspects of automotive technology.

Click here to read the Autoweek news article.

In the recently released report, "A Hostage to Fortune: Ransomware and UK National Security," the UK Parliamentary Joint Committee on National Security Strategy has issued a warning regarding the elevated risk of catastrophic ransomware attacks. The findings highlight the pressing need for improved planning, increased investment, and enhanced cybersecurity measures.

Key findings from the report:

1. Sophisticated Ransomware Landscape: The report underscores the rise of a sophisticated ransomware ecosystem, with advanced malware becoming more easily accessible by criminals leading to potentially significant attacks.
2. Critical Infrastructure Vulnerability: Critical national infrastructure, particularly that relying on outdated legacy systems, remains highly susceptible to potential attacks. Supply chains are also identified as weak points, with the interconnectedness posing risks across multiple sectors.
3. Challenges in Resilience Implementation: Implementing cyber resilience measures involves practical challenges, emphasising the need for a cross-sector regulator. The government is urged to enhance oversight and establish effective regulatory measures to oversee cyber resilience upkeep and implementation.
4. Support for Local Authorities: Some local authorities lack active support in preventing and responding to cyber-attacks. The report calls for funding to establish a robust cyber resilience program for these entities.
5. Support for the Wider Public Sector: Ransomware victims, particularly smaller organisations, receive limited support from law enforcement. The report proposes funding for the National Cyber Security Centre and National Crime Agency to offer negotiation and recovery services for public sector victims.

In response to the report's findings, businesses in the UK are urged to take immediate action to enhance their cybersecurity measures. This includes the critical need for regular assessment and upgrading of cybersecurity protocols, especially within sectors constituting critical national infrastructure. Allocating resources to modernise legacy infrastructure, particularly in areas vulnerable to cyber threats, is highlighted as a crucial step. Additionally, businesses are advised to ensure compliance with the 2018 Network and Information System Regulations and prepare for upcoming cyber resilience standards for critical national infrastructure by 2025. The active participation in the National Exercise Programme is recommended to effectively prepare for the potential impact of a major national ransomware attack.

Click here to read the Parliamentary Committee's report.

RUSI's In-Depth Analysis on Cyber Insurance's Impact

A recent report by the Royal United Services Institute (RUSI) sheds light on the growing threat of ransomware and emphasises the need for robust cybersecurity measures.

The key points raised in the report include:

• Ransomware-as-a-service (RaaS), a model where criminals sell or rent ransomware to affiliates, is on the rise. These affiliates, equipped with RaaS tools, are responsible for executing ransomware attacks. The report underscores the need for a collective response to tackle this evolving threat.
• The report explores the role of cyber insurance in dealing with ransomware incidents. While cyber insurance is not seen as fuelling the ransomware epidemic, it is criticised for not instilling satisfactory ransom discipline among insureds. The low market penetration of cyber insurance outside the U.S. poses a challenge in improving cybersecurity practices on a broader scale.
• RUSI recommends several measures to enhance collaboration between the cyber insurance industry, government agencies, and law enforcement. It suggests tougher policy language mandating the sharing of forensic reports with insurers and the distribution of threat intelligence and government services through insurers. Additionally, there's a call for increased reporting of ransom payments via insurers to improve policy development and law enforcement efforts.
• The report delves into incident response services provided by cyber insurance policies, including legal counsel, digital forensics, crisis management, and more. Different models, such as lawyer-led, insurer-led, and those led by insurer-owned incident response firms, are discussed, highlighting the various approaches insurers take in responding to ransomware incidents.

The report contains recommendations to UK policymakers. These include:

1. Enhanced Oversight: Insurers should mandate written evidence of negotiation strategies and outcomes, fostering transparency and oversight.
2. Best Practices Development: Select ransomware response firms based on predefined criteria, including a proven track record, operational relationships with law enforcement, and compliance with anti-money laundering laws and FATF (Financial Action Task Force) standards.
3. Government-led Study: Commission a study to understand specialist ransomware response firms better, identifying best practices and fostering industry-wide benchmarking.
4. Licensing Regime: Explore a dedicated licensing regime for firms facilitating cryptocurrency payments. Ensure registration as money service businesses, aligning with national financial crime reporting requirements.
5. Market-wide Consensus: Collaborate to establish a market-wide consensus on conditions and obligations before considering whether to meet a ransom demand.
6. Reporting Obligations: Requiring policyholders to notify Action Fraud and the NCSC before paying a ransom. Regulators should intervene if necessary.
7. Integration of NCSC's Early Warning Service: Trial integration of the NCSC's Early Warning service into ongoing assessments of policyholders, enabling the distribution of intelligence at scale.
8. Operational Collaboration: Recruit secondees from the cyber insurance industry into the NCSC-led Industry100 cybersecurity secondment initiative, fostering deeper operational collaboration.
9. Financial Crime Reporting: Ensure existing financial crime reporting mechanisms are suitable for reporting ransom payments. Encourage cyber insurers to report ransom payments via the NCSC's or other channels.

Click here to read RUSI's report.

RPC Annual Insurance Review – Cyber

RPC has now published its Annual Insurance Review, outlining the events that shaped the insurance market in 2023 and discussing what to expect in 2024.

In the chapter focusing on Cyber, RPC looks at the following:

• The European and UK cybersecurity regulatory landscape expanded significantly, notably with the introduction of the NIS2 Directive at European level and the passing of the Online Safety Act 2023 in the UK. The NIS2 Directive broadens the scope of network security obligation requirements on to social network platforms, data centres, and managed service providers.  Whilst not implemented into UK law yet, NIS2 will have a direct impact on UK organisations offering services in Europe.  Also, Online Safety Act 2023 seeks to regulate online speech and media over user-generated content.  This will directly impact social media platforms and websites which allow user comments.
• Looking at 2024, organisations can anticipate increased scrutiny on basic security protocols amidst rising cyber threats. Ransomware incidents and business email compromises continue to surge, prompting a focus on implementing stronger cyber resilience measures. Cyber insurance underwriters are emphasising the need for security assessments, with regulators highlighting the importance of enhanced measures to protect personal data. This reflects a growing emphasis on elevated security standards across the market in light of ever-ingenious cyber-attacks.

Click here to read RPC's Annual Report.

Ransomware 2024: Exploiting Vulnerabilities, Law Enforcement Challenges, and Dark AI Risks

The cyber security consultancy firm S-RM has published an article outlining key cyber trends to watch out for in 2024. These centre around ransomware incidents whose frequency is not expected to abate. 

1. Exploitation of Software Vulnerabilities: Ransomware groups, focusing on exploiting software vulnerabilities, are anticipated to persist. The automation of exploitation before system patches is a growing concern, exemplified by the mass exploitation of vulnerabilities over 2023 in platforms like Atlassian Confluence and Citrix NetScaler.
2. Law Enforcement Actions: While law enforcement made strides in 2023 targeting ransomware groups like Ragnar Locker and ALPHV, the continuous rebranding and re-emergence of these groups post-takedowns suggests a need for sustained global efforts. Sanctions and disrupting flow of funds are strategies expected to be adopted at national level.
3. Evading Defences: Ransomware groups are likely to enhance methods of bypassing traditional security solutions, such as multifactor authentication (MFA) and endpoint detection and response (EDR). The acquisition of security tools for testing bypasses in dummy environments demonstrates their increasing sophistication.

Additionally, the migration of cybercrime to the Cloud is a cause for concern, emphasising the need for robust security measures and data backup strategies in cloud-based environments. Lastly, the use of AI in cybercrime, with the dark web featuring "Dark AI" models for malicious purposes, is expected to gain prominence, posing challenges to organisations in combating sophisticated attacks. Overall, businesses are urged to stay on top of the dynamic cyber threat landscape and fortify their defences accordingly.

The National Cyber Security Centre (NCSC) has issued its seventh Annual Review, underscoring key developments, achievements and trends from the past year.

The first chapter of the report discusses threats and risks. This chapter describes an increase in state-aligned groups and aggressive cyber activities, emphasising the need for enhanced cyber resilience in state infrastructure. The NCSC's Incident Management team, who deal with incidents of national significance to the UK, have experienced an increase in reports of cyber incidents in the UK last year of over 64%.

The second chapter of the report discusses resilience and how the NCSC supports the public and private sector to raise awareness about cyber threats and improve resilience generally. This chapter includes an interesting case study about work that has been carried out to bolster the security of the UK's Critical National Infrastructure. There is another case study on the threat of cyber interference that could influence democratic processes such as the next general election. This case study notes that the government has established the Joint Election Security Preparedness Unit to be responsible for coordinating electoral security.

The third chapter of the report discusses the growth of the cyber security market and the NCSC's initiatives to accommodate this.

The fourth chapter of the report discusses the development of technology and the risks associated with such developments. While AI is discussed, the NCSC highlights other advancements that have not been in the headlines as often such as semiconductors, quantum computing, cryptography and radio frequency transmissions.

The NCSC's CEO, Lindy Cameron notes in her foreword that the five main areas of specific interest to the NCSC over the past year has been:

1. AI cyber security
2. Securing the UK's critical national infrastructure
3. Defending the UK's democratic processes
4. The future of UK cyber security services (including the NCSC's role in their provision)
5. Lessons learned from the invasion of Ukraine

The NCSC's focus over the coming year will be:

1. Improving the UK's cyber resilience by improving understanding of threats for both businesses and national infrastructure
2. Ensuring that future technology shifts are deployed securely to counteract threats that take advantage of such developments
3. Growing the NCSC's expertise

Click here to read the full 2023 Annual Review published by the NCSC.

Booking.com scam emails threaten hotel reservations

Travellers using Booking.com faced a new threat this month as scam emails were circulated, falsely claiming to be from the popular hotel booking platform. Users report receiving convincing emails, allegedly from noreply@booking.com, urging them to confirm hotel payments or risk reservation cancellations. The emails contain personal details, which add to their apparent authenticity.

There have been instances of compromised reservations and unauthorised charges raising concerns. Some customers who followed instructions contained in scam emails might also have unknowingly exposed their bank card details in the process.

Booking.com denies that the issue originates from their systems and emphasises its commitment to safety. The company attributes the issue to sophisticated phishing tactics affecting partner hotels. Users are urged to verify emails, contact Booking.com directly, and scrutinise payment policies of the accommodation that they have booked.

Click here to read the Guardian's full news article.

Ransomware group reports victim to SEC for non-compliance

In a surprising move, the prolific ransomware group AlphV has escalated pressure on one of its victims in the US, publicly traded digital lending company MeridianLink, by reporting the breach to the US Securities and Exchange Commission (SEC). AlphV claims MeridianLink failed to comply with upcoming SEC rules mandating disclosure of cybersecurity incidents within four days of discovery. AlphV's complaint to the SEC was posted on the dark web after it had been made. Although the rules are not yet in effect, the ransomware group accuses MeridianLink of a "material misstatement" for not disclosing a significant breach compromising customer data and operational information.

The tactic is an attempt to exploit industry-wide anxiety following the SEC's recent enforcement action against SolarWinds' Chief Information Security Officer. While MeridianLink confirms a "cybersecurity incident," it asserts that there has been no evidence of unauthorised access to production platforms and minimal business interruption. This incident highlights the evolving strategies of ransomware groups.

Click here to read Ars Technica's news article.

Information Commissioner seeks appeal in Clearview AI case

The UK Information Commissioner is seeking permission to appeal the 2022 judgment by the First Tier Tribunal relating to Clearview AI Inc. That tribunal decision overturned the ICO's decision to issue a fine of £7.5 million and enforcement notice to the company.

The principal point of contention concerned the ICO's jurisdiction to issue the enforcement and penalty notices to Clearview. Clearview succeeded in appealing against the ICO's fines and enforcement action because it was used by law enforcement outside the UK. The three-member tribunal hearing the appeal concluded that although Clearview did carry out data processing related to monitoring behaviour of people in the UK, this fell outside of the ICO's jurisdiction.

The ICO are appealing the decision on the basis that the law was misinterpreted. The ICO's view is that Clearview was not processing for foreign law enforcement purposes and should not be considered as outside the scope of UK law.

John Edwards, UK Information Commissioner, emphasised the need to protect the data rights of UK citizens amid the alleged widespread impact of Clearview's mass scraping of personal information. The appeal aims to address whether commercial enterprises, profiting from processing digital images of UK individuals, can rightfully claim engagement in "law enforcement."

Click here for the full judgment and for more on the appeal here.

ICO and EDPS strengthen collaboration with Memorandum of Understanding

The UK ICO and the European Data Protection Supervisor (EDPS) have formalised their collaboration through a Memorandum of Understanding (MoU).
This agreement solidifies their joint commitment to protecting individuals' data rights and privacy, emphasising international cooperation. The MoU outlines how the authorities will share experiences, best practices, and information, promoting dialogue among data protection authorities and digital regulators. The collaboration builds on their active participation in global forums. John Edwards, UK Information Commissioner, sees the MoU as enhancing existing collaboration, offering pragmatic solutions to support organisations while upholding individuals' information rights. Wojciech Wiewiórowski, European Data Protection Supervisor, emphasises the concrete plans to prioritise fundamental rights across the EU and the UK. The MoU aligns with legal responsibilities and underscores the commitment to safeguarding personal data amidst digital innovation.

Click here to read the ICO's news story.

Former NHS secretary fined for illegally accessing patient records

Loretta Alborghetti, a former NHS medical secretary, has been found guilty and fined for unlawfully accessing the medical records of over 150 people. The breach occurred during her tenure in the Ophthalmology department at Worcestershire Acute Hospitals NHS Trust.

An investigation revealed Alborghetti's unauthorised access to patient records, with 156 records viewed over 1800 times within three months. Despite her role requiring access to specific patient information, the accessed records pertained to individuals unrelated to ophthalmology. Alborghetti pleaded guilty to unlawfully obtaining personal data, resulting in a fine of £648 following the ICO's investigation.

Click here to read the ICO's news story.

In July 2023, the European Commission proposed regulations to enhance cross-border cooperation under the GDPR. The current position under the European GDPR faces challenges such as unfair outcomes, inconsistent processes, and ineffective dispute resolution.

The proposal aims to improve procedure across EU jurisdiction, including the adoption of a General Form, strengthening the right of defence, and clarifying dispute resolution.

The European Data Protection Board and the European Data Protection Supervisor issued a joint opinion on the proposed regulations.  They set out the following further recommendations: extending the role of Supervisory Authorities; removing unnecessary formalities; safeguarding the right of Supervisory Authorities in one jurisdiction to object to decisions of another; establishing time limits for procedural steps; and address practical collaboration obstacles.

The hope is that accepting these suggestions can consolidate and improve the one-stop-shop mechanism across the EU. 

To read RPC's article on this, please click here.

QBE Study Reveals Employee Cybersecurity Gaps

A recent QBE study highlights common employee cybersecurity lapses, urging increased training and security measures. Findings show that:

1. Nearly a third of employees (31%) have engaged in actions that could jeopardise workplace cybersecurity.
2. These actions range from falling victim to phishing scams (5%) to accidentally introducing malware (7%).
3. Additionally, incidents of device loss or theft (6% and 7%) and password sharing (13%) were reported.
4. Less than half of respondents reported effective cybersecurity measures, including employee training (46%), multifactor authentication (43%), and phishing simulations (29%).

The study highlights the need for better employee education and a stronger cybersecurity plan.

Erica Kofie, Head of Cyber Proposition for QBE Europe, stressed the importance of ongoing employee education and sporadic phishing simulations. As cyber threats evolve, businesses must remain vigilant and continually update their strategies.

To read more, please click here.

Lloyd's of London warns of major $3.5 trillion cyber-attack on payments

According to a scenario modelled by Lloyd's of London and the Cambridge Centre for Risk Studies, 'a hypothetical but plausible cyber-attack would cause widespread disruption to global business. The US would take the biggest hit by losing $1.1 trillion over five years, followed by China and Japan with $470bn and $200bn respectively.

With cyber security breaches against financial services increasing from 187 to 640 across a 3-year period, cyber insurance saw over $9 billion in gross written premiums last year. This is predicted to grow to $25 billion by 2025. There are concerns that financial services firms, especially pension schemes, would be vulnerable to some form of cyber-attack resulting in a data breach. While hackers target pension schemes because of large amounts of valuable, sensitive and financial data, cyber security is fundamental to pension scheme trustees' legal duties.

To launch a payment system attack, hackers could plausibly plant malicious code in critical software used to confirm transactions and verify payments, create a back door to paralyse the payment system and divert any funds to the hacker's accounts.   

To read more, please click the Lloyd's article here. 

UK Information Commissioner Warns Data Breaches Endanger Domestic Abuse Victims

The UK Information Commissioner has issued a strong warning to organisations, urging them to handle personal information with utmost care to protect victims of domestic abuse from further harm.

Over the past 14 months, the Information Commissioner's Office (ICO) has reprimanded seven organisations for data breaches affecting domestic abuse victims. These breaches include:

1. Revealing Safe Addresses: In four cases, organisations disclosed victims' safe addresses to their alleged abusers, necessitating immediate relocation.
2. Identity Disclosure: Women seeking information about their partners had their identities disclosed.
3. Home Address Disclosure: Home addresses of adopted children were revealed to their birth father, who was incarcerated for offenses against their mother.
4. Unredacted Reports: Unredacted assessment reports were sent to individuals who posed risks to children.

The organisations involved range from law firms to government departments, and their breaches are reported to have stemmed from inadequate staff training and data protection procedures.

John Edwards, the UK Information Commissioner, urged organisations to implement basic security practices like comprehensive training and double-checking records to prevent further harm to victims. The ICO's revised enforcement approach aims to work closely with the public sector to prevent data protection issues, offering clear instructions for improving data protection practices to prevent similar incidents. For organisations working with domestic abuse victims, key actions include having processes in place to support data privacy requests, regularly verifying contact information to prevent data disclosure to outdated addresses and providing thorough role-specific data protection training for staff.

To read more, please click here.

FCA's Insurance Market Priorities for 2023 – 2025

The Financial Conduct Authority (FCA) has identified key priorities and areas of concern for the insurance market in the years 2023-2025, which include a cyber focus. These include addressing governance and culture, operational resilience, embedding the Consumer Duty, and reducing financial crime.

Market-Wide Priorities:

1. Higher Standards: Enhance governance, culture, diversity, and equity to improve customer outcomes.
2. Operational Resilience: Focus on operational resilience, especially concerning third-party services, to prevent customer harm.
3. Consumer Duty: Implement the Consumer Duty to ensure positive consumer outcomes for products, price, understanding, and support.
4. Preventing Harm: Strengthen oversight of Appointed Representatives to minimise potential harm.

Wholesale Insurance Specific Priorities:

1. Competition and Growth: Foster competitiveness in the London market to provide innovative solutions for customers.
2. Standards & Culture: Promote an inclusive culture, address non-financial misconduct, and prioritise diversity, equity, and inclusion.
3. Operational Resilience: Ensure effective operational resilience to minimise disruptions.
4. Cyber Insurance: Ensure clear policy wordings, fair claims handling, and products that meet customer needs.
5. Consumer Duty: Comply with the Consumer Duty, focusing on products, price, consumer understanding, and support.
6. Combatting Financial Crime: Implement controls to combat financial crime, especially in the context of international sanctions.
7. Financial Stability: Maintain sufficient financial resources to meet threshold conditions and service debt under stress scenarios.

These streamlined priorities highlight the FCA's focus on enhancing industry standards, protecting consumers, and ensuring market integrity.

To read the FCA's letter, please click here.

Cybersecurity breaches in the UK financial services sector have surged threefold between 2021-2022 and 2022-2023, with the pensions sector being hit the hardest, according to research conducted by RPC. Reported incidents to the ICO have risen from 187 to 640, with the pensions sector seeing a significant increase from 6 to 246 reports. This uptick is raising concerns, especially in pension schemes. Richard Breavington, Head of Cyber and Tech Insurance at RPC, emphasises the importance of cybersecurity in fulfilling legal duties for pension scheme trustees, as they can be held liable for inadequate cyber risk management.

You can read RPC's article here.

UK National Agencies Publish White Paper On Ransomware

The National Cyber Security Centre (NCSC) and National Crime Agency (NCA) have recently published a new White Paper on the ransomware industry. The paper outlines how it has grown in to one of the key markets for fraudsters and provides background on how the strategies of organised criminal groups (OCGs) have evolved.

The paper examines the entire attack path of the cybercriminal system. This includes how initial access is provided, the methods used to exploit that access and the systems through which OCGs have been able to monetise breaches.

A key focus in the paper is how targeting individual ransomware strains can provide only a limited benefit in preventing attacks. This is largely due to the adaptability of the industry to consistently reinvent their strategies. Instead, the paper proposes that a comprehensive approach is required focusing on threat actors further upstream who are driving the monetisation of ransomware to deal with the root causes of these attacks.

Some of the other key takeaways from the paper are:

• Ransomware attacks have significantly increased since the previous 2017 report, with an estimated 745,000 computer misuse offences last year and UK businesses remaining a valuable target for attacks.
• Smaller threat actors have become an increased threat to businesses due to the increased ease of access to ransomware tools creating fewer barriers to entry.
• One of the most significant risks has been the increased focus from criminals on maximising pay-outs by combining data theft with extortion in a bid to increase the pressure on victims to pay out and risking potential reputational damage for businesses.
• Often the initial access is gained not due to sophisticated techniques, but instead as a result of poor cyber hygiene.

The published Whitepaper is available here.

Memorandum of Understanding between the National Cyber Security Centre and the Information Commissioner

The Chief Executive of the National Cyber Security Centre, Lindy Cameron, and the Information Commissioner, John Edwards, have jointly signed a Memorandum of Understanding (MoU) outlining how the organisations will work together. This MoU acknowledges that both organisations possess distinct roles but can find common ground on specific issues and resolve conflicts on others.

The key features of the MoU are:

• The Commissioner will encourage organisations to work with the NCSC on cyber security matters.
• The ICO commits to considering how it can demonstrate that engagement with the NCSC will help to reduce regulatory penalties.
• The ICO will try to enhance the NCSC's awareness of cyber attacks in the UK by providing information on cyber incidents in an anonymised format.

Additionally, when a cyber incident holds national significance, specific incident details will be shared. This collaborative effort aims to contribute to making the UK a secure online environment, maintaining the relevance of NCSC's advice and guidance, and ensuring that NCSC services remain aligned with the threat landscape.

• In cases where both the NCSC and ICO are involved in a cyber incident, they will make efforts to coordinate their actions to reduce disruption to an organisation's attempts to control and reduce harm. In this process, the Commissioner will aim to facilitate organisations in focusing their efforts on engaging with the NCSC and its partners immediately, especially when it is crucial for mitigating the situation.
• The NCSC and ICO will encourage feedback to ensure continuous improvement in their collaborative efforts.
• The NCSC and ICO will strive to enhance available cyber security guidance.

You can read the Memorandum of Understanding here.

Fresh Sanctions Imposed on Russian Ransomware Group

The U.S. Department of Justice is issuing indictments against nine individuals linked to Trickbot malware and Conti ransomware activities. These individuals were allegedly influential members of the group with various key roles.

The group allegedly extorted £27 million from 149 UK victims and caused around $800 million in global extortion attacks.

These sanctions are the latest round of designations following the first joint UK-US sanctions against seven members of the same group earlier this year. All of these cyber criminals are now subject to travel bans and asset freezes.

As well as targeting criminals, the NCA, in collaboration with global partners, actively targets ransomware tools. The NCA recently helped dismantle the Qakbot malware, which caused widespread damage and was previously used by Conti group. Sanctions aim to disrupt ransomware operations and profit-making by such groups.

The NCA advises organisations to assist with obstructing activities of ransomware groups by bolstering online resilience. Ransomware victims should report incidents through the UK Government's Cyber Incident Signposting Site and enhance cybersecurity to prevent attacks.

You can read the article here.

Former Council Employee Fined for Unlawful Access of Data

On 13 September 2023, the Information Commissioner's Office (ICO) sentenced a former family intervention officer, for the unlawful access of social services records.

The officer previously worked for St Helens Borough Council and, for the period 17 January 2019 and 17 October 2019, was found to have unlawfully accessed the council's case management system without having a business need to do so. An internal audit carried out by the council found that the officer had looked at the records of around 145 people during this period of employment. She has since resigned from her position at the council and pled guilty to the offence of unlawfully obtaining personal data before Wigan and Leigh Magistrates Court. As a result, the officer was fined £92, ordered to pay court costs of £385 and also paid a victim surcharge of £32.

Andy Curry, the head of investigations for the ICO, said that they were pleased with the ruling and that it sent a clear message "that we will take action against people who take it upon themselves to abuse their position of trust."

The full statement from the ICO can be located here.

Casinos Advised to Stay Vigilant Amid MGM Resorts Cyberattack

MGM Resorts has experienced a more than 6% drop in its stock price, prompting an FBI investigation into a recent cyber incident. The $14 billion company, known for its global hotel and gaming operations, including those in Las Vegas, has encountered disruptions such as malfunctioning slot machines, offline restaurant reservations, hotel bookings, digital room keys, and corporate email systems, as evidenced by social media posts.

Credit rating agency Moody's has cautioned that the cyberattack exposes significant risks within the company, which had suffered a previous attack in 2020 that exposed personal data of 10 million customers. MGM has acknowledged the potential "material effect" of this week's cyber incident on its operations, as reported in a filing with the US Securities and Exchange Commission.

While the FBI's investigation lacks specific details, Reuters sources suggest that a hacking group called Scattered Spider is responsible for the attack. This group, identified last year, has targeted various businesses, earning a reputation as a prominent threat actor in the US, according to Charles Carmakal, Chief Technology Officer at Mandiant Intelligence. Bloomberg also reported that another entertainment company, Caesars, fell victim to the same group.

You can read the article here. 

1. A profitable business model that continues to evolve with new methods of extorting victims.
2. Challenges around securing organisations of different sizes.
3. Low-cost barriers to obtain ransomware tools alongside limited risks due to the low prospect of punishment which fail to disincentivize potential cybercriminals.

The paper also reviewed the British government's current stance on ransomware payments, which outlines that extortion payments should not be paid in any instance. It determined that this approach has not assisted in responding to attacks. The report therefore outlined 9 recommendations to both the insurance industry and the UK government. These include increased oversight, appointing specialist panel firms to assist with breaches and introducing additional ransomware reporting to assist victims in enabling access to law enforcement support.

Further information can be located here and the full report can be found here.

Philipp (Respondent) v Barclays Bank UK PLC (Appellant)

On 12th July 2023, the Supreme Court ruled in favour of Barclays Bank following an ongoing dispute with their customers, Mr and Mrs Philipp, who fell victim to a fraud, after the Bank, on instructions of the customers, transferred two payments totalling £700,000. 

The Supreme Court held that the Bank did not owe a duty under its contract or under common law not to carry out the payment instructions if, as was alleged, the Bank had reasonable grounds for believing that the customers were being defrauded.

This case limits the scope of the Quincecare Duty, which established that banks have obligations to protect customers when the bank is on reasonable inquiry that there may be a risk of fraud. Therefore, the case may have a bearing when Insurers and/or Insured clients are considering a recovery against a bank, following successful payment diversion fraud.

Where a bank customer has been the victim of an authorised push payment fraud and had been deceived into instructing the bank to make a payment to fraudsters, provided the customer's payment instruction had been clear and is given by the customer personally or by an agent acting with apparent authority, the bank is under no duty to make inquiries to clarify or verify such instructions. The bank's duty is to execute the instruction and any refusal or failure to do so would prima facie be a breach of duty.

Click here to read the full judgment.

Windows Defender-Pretender Attack Dismantles Flagship Microsoft EDR

SafeBreach researchers have found a security feature bypass vulnerability in Windows Defender, which they disclosed to Microsoft to patch for the vulnerability in April 2023, that allowed threat actors to hijack the antivirus software, hijack the signature-update process and to obtain access, delete benign files and cause disruption.

The research goal was to verify 3 concerns:

1. whether the update process could be used to import known malware into systems that the software is designed to protect; and
2. whether Windows Defender could be made to delete signatures of known threats; and
3. deleting benign files and triggering a denial-of-service condition on a compromised system

The researchers were able to achieve all three objectives. The research was inspired by Flame Cyberespionage Campaign that targeted organisations in the Middle East in 2012.

Based on the potential for signature update processes to be exploited as a new attack vector, SafeBreach says that more research is needed to ensure the security of this process. Safebreach also outlined that this vulnerability reflects the serious risks involved in data protection and how even the most reliable security tools can be used as loopholes.

Click here to read the full Dark Reading article.

Ransomware Attack Hits Japan’s Biggest Port, Disrupting Cargo Shipments  

A recent ransomware attack caused a container terminal at the Port of Nagoya in Aichi Prefecture to suffer an outage that lasted from the morning of Tuesday 4 July to the morning of Thursday 6 July.

Nagoya port authority claimed that ransomware group Lockbit 3.0 was responsible for the hack.  It is one of the several ports to be recently targeted globally, alongside Portugal's Port of Lisbon and Jawaharlal Nehru Port Trust in India in 2022. These attacks pose increased risks for the ports due to more ports moving towards automated data systems creating new potential vulnerabilities for hacking organisations to exploit.

Click here to read more from the insurance journal.

GDPR fine calculation: A look at the EDPB's new guidelines and the UK's approach

New guidelines seek to harmonise the methods of calculating administrative fines adopted across EU Member States.

Five key steps have been introduced for authorities to consider before imposing an administrative fine for breach of the GDPR: 

1. identify the processing operations in the case and evaluate the application of Art 83(3) GDPR (intentional or negligent infringement of several provisions in the GDPR;)
2. identify the starting point for further clarification of the fine by evaluating the classification of the infringement in the GDPR, considering the seriousness of the infringement, the circumstances of the case and evaluating the turnover of the undertaking; 
3. evaluate the aggravating and mitigating circumstances related to past or present behaviour of the controller/processor;
4. identify the relevant legal maximums for the different infringements – increases applied on the previous or next steps cannot exceed this maximum;
5. analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness, and proportionality.

To summarise the principles involved:

• The calculation of the amount of the fine is at the discretion of the supervisory authority, subject to the GDPR
• The GDPR requires that the amount of the fine shall in each individual case be effective, proportionate, and dissuasive (Article 83(1) GDPR).
• When setting the amount of the fine, supervisory authorities shall consider a list of circumstances that refer to features of the infringement or of the character of the perpetrator in accordance with Article 83(2) GDPR.
• The amount of the fine shall not exceed the maximum amounts provided for in Articles 83(4) (5) and (6) GDPR.
• The quantification of the amount of the fine is therefore based on a specific evaluation carried out in each case, within the parameters provided for by the GDPR.

These steps are under continuous review and may be subject to change in the future. 

Click here to see the breakdown published by iapp and full guidelines here.

New Legal Framework for EU-US Data Privacy Rules

On 10 July 2023, the European Commission issued its adequacy decision for the EU-US Data Privacy Framework. The decision determines that the US now ensures an adequate level of data protection, comparable to that of the EU. This decision will enable companies participating in the framework to transfer data from the EU to the US without requiring additional safeguards or risking GDPR enforcement.

Previously the EU and US had a Privacy Shield agreement in place, which had allowed businesses to freely share data. However, this had changed following the Schrems II ruling which invalidated the Privacy Shield by determining that the level of access allowed by US surveillance programmes were not permitted under EU law. Following this ruling, on 7 October 2022 President Biden signed an executive order introducing enhanced safeguards for the US, limiting data access so that it is only when necessary and proportionate to resolve the issues previous raised in the Schrems II ruling and paving way for the adequacy decision.

There is some potential for this adequacy decision to be challenged, with criticisms arising over how US organisations may interpret the "proportionate" requirements. It is therefore possible that the CJEU may consider a further decision on the new framework. However, until a further ruling is made, EU and US organisations can continue to rely on the framework to transfer data.

As the UK does not fall under this framework, businesses transferring data to the US from the UK will need to continue to rely on other transfer mechanisms. However, the UK government is currently working on its own adequacy decision for the US announcing in June an intention to establish a 'data bridge'.

Further information from the Law Society Gazette can be located here.

Data Breach for Norfolk and Suffolk Police

The Norfolk and Suffolk police have issued apologies following the accidental publication of 1,230 victims of abuse. This accidental publication occurred when this information was included in a Freedom of Information response as a result of a technical issue.

The published data included personal data relating to the victims, witnesses and suspects along with descriptions of the offences investigated. The police have confirmed that immediate steps were taken to remove the data and they have subsequently contacted all impacted parties to inform them of the breach. The ICO has confirmed that the breach is under investigation and have stressed how significant it is for organisations to ensure that robust measures are in place to protect data, especially where an organisation holds sensitive data.

This is the second time in the past year the Suffolk police has been involved in a personal data breach. The previous breach occurred back in November 2022 when the personal details of sexual abuse victims briefly appeared on their website. Norfolk's chief constable has confirmed that they have updated their processes to prevent future similar breaches but acknowledges that the breach may impact people's trust in their organisation. 

Further information can be located here.

Ransomware remains a persistent challenge for organisations despite the efforts of government agencies and cybersecurity professionals. In the first quarter of 2023, 838 organisations fell victim to ransomware attacks and were named on dark-web data-leak sites. Cyber professionals anticipate that ransomware attacks will continue to remain a key driver for cyber risk. This is due to the large financial gain which cybercriminals continue to reap from their relatively low efforts. 

Reports suggest that the first quarter of 2023 saw a resurgence in the number of ransomware attacks.  This was largely due to an increase in supply chain attacks, as cybercriminals pivot towards exploiting vulnerabilities in third-party vendors. This method enables threat actors to hit multiple targets in one attack (a form of cyber risk aggregation). It serves as an effective reminder that an organisation is only as secure as the weakest link in its supply chain.

Additionally, the enhanced organisation and resource management of cybercriminals means that they are continuously seeking out novel methods of refining their business models and techniques. This has led to the development of innovative ways to infiltrate systems and extort money from their victims. A good example of this is Ransomware-as-a-service (RaaS), whereby cybercriminals provide affiliated groups with all the technical advice and tools they need. Purchasers of these services are in turn supported by a host of ransomware attack services, including customer service hotlines, leak-websites, extortion negotiation and payment services. The average cost of a ransomware attack has reached the $4.5m mark in 2022, as per IBM’s Cost of a Data Breach Report.

Click here to read the Commercial Risk Online article.

Active Cyber Defence report published by the NCSC

The National Cyber Security Centre (NCSC) has produced its sixth annual report on findings from the Active Cyber Defence (ACD) programme. The report is part of the NCSC's commitment to transparency, and its aim to better understand the reality of cyber-attacks, as well as the efficacy of its products and services.

Despite the types of vulnerabilities being exploited by threat actors evolving over time, the NCSC's ACD initiatives continue to address enduring cyber security challenges. This is said to be achieved by sharing knowledge of threats, closing down vulnerabilities and responding to breaches. As the evolution of artificial intelligence continues to transform the landscape of cybersecurity, the NCSC is seeking to tackle challenges through increased automation.  This is with a view towards generating the scale and reach required to tackle emerging cybersecurity threats.

Whilst ACD services were initially concentrated on building the cyber resilience of the public sector, the NCSC is now adopting a ‘whole of society’ approach.  For example, its Early Warning service can now be accessed by all organisations. The service is designed to automatically inform an organisation of potential cyber attacks on their network, as soon as possible. Additionally, the NCSC is continuing its rollout of simple, free-to-use government services which can be used by organisations that might not have access to cyber security expertise.

Click here to read the NCSC's sixth annual report.

AI must have better Cyber Security according to CEO of the NCSC

Top cybersecurity officials have issued warnings surrounding the urgent need for cybersecurity to be built into AI systems. Implementing robust systems during the early stages of AI development will inevitably be key. Robert Hannigan, former head of the UK's GCHQ, has said that as the increasing automation of everyday activities grows in tandem with our dependence on AI, an attack on these AI-run systems could ultimately have a "devastating effect". For example, concerns have already emerged around the potential for AI systems to generate malicious code to hack into devices, write fake messages to be spread at a large scale across social media or formulate convincing emails in different languages for use in phishing attacks.

Experts are also fearful that companies who are competing to secure their position in a growing market will inevitably focus on getting their systems out for sale as fast as possible without considering the risks of misuse. Lindy Cameron, CEO of the NCSC, warned that "the scale and complexity of these models is such that if we don't apply the right basic principles as they are being developed in the early stages it will be much more difficult to retrofit security".

Whilst threat actors continue to seek out novel ways to utilise AI alongside malicious software to subvert traditional cybersecurity systems undetected, cybersecurity experts must correspondingly explore the potential use of AI in detecting these attacks. 

Click here to read the BBC news article.

Microsoft to offer free cyber security tools following major hack

Microsoft is offering free cybersecurity tools to some government and commercial customers following criticism of the tech giant’s handling of a major hack that compromised US government email accounts.  Coming under increasing pressure from US cybersecurity officials, Microsoft announced that it would provide free cloud security logs in the next few months.

Whilst these logs do not themselves prevent attacks, they can form a critical component of digital forensics and incident response in the aftermath of a cyber breach. Such logs help incident response teams to conduct more complete investigations which provide greater clarity around cyberattacks.  This in turn contributes towards the improvement of systems aimed at thwarting future cyberattacks.  

Lack of available logging has impacted high profile incidents in the past. For instance, a lack of logging was cited as complicating the investigation into the SolarWinds attack of 2020, which involved state-sponsored hackers installing malicious code in a software update from SolarWinds Corp to infiltrate US federal agencies and commercial companies.  

Microsoft's usual business model has involved charging customers extra for access to these security logs. Microsoft's customer base and monopoly on data across the cybersecurity industry, means this decision will likely have a broad impact.

Click here to read the CNN news article.

Crimeware tool WormGPT: AI for BEC attacks  

Cybercriminals have developed a generative AI tool called WormGPT designed to help grammatically challenged criminals craft convincing business email compromise (BEC) messages. The crimeware tool is being promoted across illicit online forums for use as a subscription-based model. The tools creators claim that the product has no ethical constraints and can be used to generate content for urgently soliciting funds from targeted victims as well as customisable malware code.

The FBI's Internet Crime Complaint Center reported a rise in BEC scams across 2022, totalling $2.7 billion in losses. This contrasts with figures of $2.4 billion in 2021 and $1.8 billion in 2020. According to Daniel Kelley, cybersecurity expert at SlashNext, the use of generative AI will help to democratise the execution of sophisticated BEC attacks. This will enable attackers with limited skills to use this technology and so broaden the existing spectrum of cybercriminals. Organisations should be alert to the trend of AI crimeware tools, which mimic human intelligence to complete illegal tasks. 

Click here to read the full SC Media article.

London Borough found to misuse private information and breach the UK GDPR from accessing and sharing information about an individual's finances (Yae Bekoe v London Borough of Islington [2023] EWHC 1668 (KB))

On 5 July 2023, a High Court awarded a Claimant, Mr Bekoe, £6,000 for misuse of private information and breach of the provisions of the UK GDPR.

The factual background to the claim was that in 2015, London Borough of Islington (the 'LBI') commenced possession proceedings against Mr Bekoe for possession of property belonging to his deceased neighbour. During these proceedings, LBI disclosed to the court evidence of Mr Bekoe's bank accounts, mortgage accounts and mortgage balances.  

Mr Bekoe claimed that LBI had misused his private and confidential information and brought a claim against LBI for misuse of private information and breach of rights under the UK General Data Protection Regulation ("GDPR") as a result of significant delay in responding to a Subject Access Request and alleged destruction of his data by LBI.

The Judge upheld the claim and noted that Mr Bekoe had a reasonable expectation of privacy in relation to his financial details. It was held that LBI had misused Mr Bekoe's private information and breached several provisions of the UK GDPR.

Click here to read the full judgment.

Government and industry meet to progress the fight against fraud

A Joint Fraud Taskforce ('JFT') meeting took place on 11 July 2023 to consider tackling fraud and protect the public from scams, following the commitments made in the Fraud Strategy which was published on 3 May 2023.

Committee members discussed the growing volume of fraud originating on social media platforms and the development of an online fraud charter which will ensure that tech companies take action to block scams, make it easier to report frauds and ensure that fraudulent content is removed swiftly.

The development of a cross-government anti-fraud public awareness campaign was also on the agenda to consider the best way to streamline messages to the public in respect of fighting against fraud.

The security minister also called for tech firms to implement stronger measures to tackle fraud ahead of the Online Safety Bill.

Click here to read the Home Office news story.

The UK's National Cyber Security Centre (NCSC) partnered with the Solicitors Regulation Authority (SRA), Action Fraud, and the National Crime Agency (NCA) to produce a report analysing current cyber security threats faced by the legal community. The report provides practical guidance on how organisations can remain alert to these growing threats.

Legal practices and lawyers have become an increasingly attractive target for cyber criminals. This is due to the essential role they play in the UK economy and wider society, as organisations in the legal sector routinely handle large amounts of money and highly sensitive client information.

The most common forms of attack which the report warns against include phishing, business email compromise and ransomware. Supply chain attacks have also been identified as a key threat against which organisations must remain alert. Many smaller firms outsource their IT and data responsibilities to specialist support companies. As recently highlighted by the MOVEit compromise (click here for our previous coverage on this), this can potentially have far-reaching ramifications on companies if a data breach occurs.

The report places an emphasis on organisations reporting cyber-attacks. This will allow the NCSC to provide support and incident response to mitigate harm and protect an organisation from future attacks.

Click here to read the full NCSC report.

Clop ransomware claims responsibility for MOVEit extortion attacks

The Clop ransomware group has claimed responsibility for the recent ransomware attack which exploited a zero-day vulnerability in the MOVEit Transfer tool designed to securely transfer sensitive files. The attack is estimated to have affected hundreds of companies globally which used this software.

The group began its attacks on 27 May, taking advantage of low staff presence at MOVEit over the US Memorial Day weekend. Servers belonging to corporations utilising the software were ultimately breached. The Clop group claims to have deleted all stolen data relating to governmental, military and hospital bodies, however these claims cannot be verified.

Zellis, a UK-based HR and payroll solutions provider has confirmed that a small number of its customer base has been affected by the data breach. This includes airline company Aer Lingus, who has however confirmed that no financial or bank details relating to current or former employees were stolen.

British Airways also confirmed that some of its data had been stolen as part of the Zellis breach. However, the British airline provider is yet to disclose any further details as to the nature of the affected data.

The Clop group stated on 6 June that it would begin to publish stolen data from 'hundreds of companies' on 14 June if a ransom was not paid, encouraging affected corporations to contact them to commence negotiations.

Click here to read the Bleeping Computer article.

Cyber risk firm, Resilience, evaluates the recent wave of attacks

A recent report from cyber risk firm Resilience has found that despite an increasing number of ransomware attacks, 80% of affected organisations are able to recover data and systems without giving in to ransom payment demands. Over the last quarter of 2022 and the start of the first quarter of 2023, the number of attacks is reported to have doubled.

However, new approaches to cyber risk such as balancing risk acceptance, mitigation and transfer, have prevented ransom payments from increasing in line with the rate of cyber-attacks.

Resilience reports that none of its clients made an extortion payment in 2022 and that they were half as likely to pay a ransom to recover systems during a cyberattack compared to industry averages. The company's new approach centres around bringing together risk, finance and security roles that have previously operated in silos to create "cyber resilience".

According to its annual claims report, the leading cause of loss is ransomware at 17.8%, transfer fraud at 17%, vendor data breaches at 11.8% and business email compromise at 10.4%. With regards to the leading point of failure, based on primary claim notices, phishing attacks are in the lead at 23.4%, followed by risk from third-party vendors at 22.1% of claims.

Click here to read the full article by Commercial Risk.

Cyber Threat Advisory: Fortinet Vulnerability

Cybersecurity solutions provider Fortinet has released a security advisory for a critical vulnerability in its SSL VPN. The service is widely used for gaining remote access in the public and private sectors. The vulnerability affects both the iOS and Android versions of the software and was identified during an internal audit of Fortinet’s codebase. Security experts believe that the vulnerability is being exploited to compromise affected devices remotely.

Incidents relating to the vulnerability have so far been associated to a Chinese-nation-state cyber group, Volt Typhoon (Insidious Taurus). A proof-of-concept exploit for the vulnerability has subsequently been published online, increasing the likelihood that a broader range of nation state and financially motivated cybercriminals will imminently begin to exploit it.

Corporations using the SSL VPN are being urged to consider disabling the service if it is not critical to business operations, or to apply Fortinet recommendations for hardening of FortiOS applications. In addition, corporations have been advised to review their systems for signs of exploit of the vulnerability. Potential indicators of compromise include an abnormal amount of ‘/remote/logincheck’ and ‘/remote/hostcheck_validate’ requests as well as suspicious reboots.

Click here to read the full S-RM article. 

UAE: ChatGPT used to launch cyber and ransomware attacks, says head of cybersecurity

Dr Mohamed Al Kuwaiti, Head of Cybersecurity at the UAE Government, recently appeared on a panel at the Cybersecurity Innovation Series Conference in Dubai. During the discussion, Dr Al Kuwaiti issued warnings surrounding the increased use of AI tools such as ChatGPT by threat actors.

AI services are being used to draft ransomware scripts and phishing emails which assist threat actors in curating more convincing attacks. With the use of generative AI on the rise, corporations must be alert to the rapid information processing capabilities of these tools and their ability to assist threat actors in the automation of their processes. This has the potential to contribute to a proliferation in the number of cyberattack attempts taking place globally.

Dr Al Kuwaiti confirmed that the UAE government had been the victim of recent cyberattack attempts. These attacks impacted crucial infrastructure such as electrical, energy, transportation, aviation, education and healthcare sectors, with the main focus of the attacks being the financial sector. In response to these growing threats, the UAE government has begun utilising AI tools in its cyber defence mechanisms alongside cloud security systems.

Raising public awareness of cybersecurity across the state will also be a key objective of the UAE government in the near-term future.

Click here to read the full MSN article.

The new fixed recoverable costs regime ('FRC') is due to come into force on 1 October 2023, despite opposing opinions from various legal associations.

Under the new rules, professional negligence claims issued on or after 1 October 2023 where £100,000 or less is sought, will be subject to a sliding scale of FRC. The new limits on recovering costs will apply to claims allocated to the fast or newly created intermediate track, regardless of whether the actual sums incurred by the parties are higher or lower than the FRC.

In practice, the new rules are likely to apply to less complex cases where:

• The sum sought is between £25,000 and £100,000.
• The trial will last 3 days or less.
• There are no more than 2 experts giving oral evidence per party.
• There are no more than 3 parties (2 claimants and 1 defendant or 1 claimant and 2 defendants); and
• There are no allegations of fraud.

These changes are likely to have a significant impact on litigants and insurers, which will give rise to new tactical considerations and impact the likelihood of claimants pursuing litigation, if they are unable to recover a significant portion of their legal costs.

See RPC's full article here and Lawyer's Covered publication here.

Big names caught up in big cyber attack

British Airways (BA), Boots, BBC and Air Lingus are among the latest companies caught up in a recent mass hack. The exploit at the root of this mass hack was disclosed last week by US company Progress Software. Progress Software warned that hackers were able to access its MOVEit Transfer tool, which is designed to move sensitive files securely and is utilised globally. It is suspected that the ransomware group, Cl0p, is responsible for the hack, who are alleged to be based in Russia.

Staff at BA have been warned that personal data, including possible bank details, may have been stolen by the group. Other personal data relating to staff at the BBC has also reportedly been compromised.

The National Cyber Security Centre has urged organisations using the compromised software to carry out security updates that have been provided by Progress Software. The National Crime Agency is aware of a number of UK-based organisations that have been impacted by a cyber incident as a result of the security flaw and is "working with partners to support those organisations and understand the full impact on the UK."

Click here for the full article.

Cyber-attack costs conveyancers £7m

In November 2021, conveyancing services giant, Simplify, suffered a cyber-attack when a threat actor gained unauthorised access to their systems, including internal files containing personal data. This incident led to a major IT systems outage. Simplify spent 10 weeks restoring their systems and had to significantly reduce their level of new cases. The group complied with all relevant obligations required by the Information Commissioner's Office (ICO), which does not intend to take any further action against the group.

According to the parent company, UKLS Acquisitions Limited, this impacted Simplify's results for the financial year which, had it not been for the cyber-attack, would have been on track to turn around a record number of completions.

Simplify also suffered from a one-off cost of £7.3m and exceptional income of £6.8m arising from the cyber-attack alone. Although the giant successfully recovered from its insurers in relation to lost business, they had to enter discussions with its funders to fulfil long-term funding and capital structure of the group. Shareholders have since injected a further £15m of working capital into the company.

This provides a stark example of the impact than ransomware can have on professional services businesses. Please see Lawyer's Covered publication here and Legal Gazette's full article here.

AI and "Friday Afternoon Frauds" on Law firms

Law firms are under continuous pressure to stay aware of fraud risks. The rapid progress of AI technology gives new rise to more uncertain risks of phishing fraud. There is particular concern about GPT-4, the successor of Open AI's ChatGPT, where there have been reports of scammers using generative AI to clone voices to perpetrate frauds.

Although law firms aim to keep up to date with possible fraud risks, new technology assists in undermining routine checks that law firms tend to rely on. For example, following up with a client on the telephone following the receipt of a suspicious email. The use of new technology will mean that scammers can clone voices and potentially undermine routine checks employed by firms.

The Law Society presently has guidance including warning signs to make firms familiar with ongoing fraudster activity, which can be found here. However, this guidance does not take the impacts of generative AI into account.

RPC have prepared a blog suggesting that the Law Society will need to strike a balance between addressing specific risks as they emerge and putting in place flexible guidance which can respond to a variety of novel, and yet unknown, risks.

See our full article here.

The "Unicorn Kingdom's" AI White Paper

The UK's AI White Paper has recently been published, heralding a pro innovation and light regulation approach. However, the Future of Life Institute almost simultaneously published an open letter calling for a six-month halt in work on AI systems more powerful than the generative AI system: GPT-4.

The White Paper suggests a wait and see approach to allow regulation to be appropriate for innovators of AI to progress and thrive. There is no intention to introduce legislation and the framework will be principles-based. There are also no current plans to appoint a separate AI regulator. The Government suggests monitoring functions to determine how the regulatory framework can be performed. This monitoring will include test beds, sandbox initiatives, conducting horizon scanning, and promoting interoperability with international regulatory frameworks. This approach differs from the US and EU's more formal risk-based focus.

The current Government consultation is ongoing and due to close on 21 June 2023. We await further details as to the implementation of the regulatory framework. However, the concern is that with such a tentative approach to regulation, businesses, large and small, operating in the UK's AI landscape could require more immediate regulatory certainty to protect them.

See our full article here.

Joint blog post by the NCSC and ICO on transparency around cyber attacks

The National Cyber Security Centre (NCSC) and the ICO have co-produced a blog post which aims to dispel common misconceptions that can discourage organisations from reporting a cyber-attack. This follows concerns that unreported incidents are denying organisations the opportunity to learn from them and prevent future attacks. The post focuses on six misconceptions that often discourage organisations from reporting attacks, particularly ransomware attacks, and sets out to dispel them.

The six ‘myths’ which the NCSC and the ICO have identified as commonly held by organisations that have fallen victim to cyber incidents are:

1. If I cover up the attack, everything will be ok
2. Reporting to the authorities makes it more likely your incident will go public
3. Paying a ransom makes the incident go away
4. I’ve got good offline backups, I won’t need to pay a ransom
5. If there is no evidence of data theft, you don’t need to report to the ICO
6. You’ll only get a fine if your data is leaked

This latest press release comes amidst threat actors continuing to cause significant disruption through cyber attacks. The NCSC and ICO are growing increasingly concerned that silent incidents make future attacks more likely, while sharing information amongst communities about an attack can ultimately improve the threat landscape for everyone.

The NCSC and ICO have also stressed the importance of transparency in the aftermath of an attack, highlighting that a lack of evidence that data has been stolen does not mean theft did not take place. Reporting incidents in accordance with regulatory responsibilities can help improve wider awareness and cyber resilience.

Click here to read the full NCSC publication or here to access the blog post.

The need for cybersecurity

The argument that 'cyber-attacks won't happen to me, they only target big companies' is unsustainable for smaller businesses in today's climate.

Smaller companies ("SMEs") can be the victim of security incidents on the basis of the security vulnerabilities that they might have, rather on the basis of any specific targeting. It can also be more profitable to carry out a simple, less risky attack on a small company than a large corporation with a dedicated security team. The NCSC, supported by BT, are taking clear steps to tackle this issue as apart of the Cyber Aware campaign.

SMEs should remain vigilant and keep a firm focus on getting their basic security protocols right, to reduce the risk of falling victim to a cyber-attack. For example, ensuring that antivirus protection is in place for all systems and devices, securing back-up data, implementing regular patching across systems and keeping passwords secure. Further, using business-grade Wi-Fi with built-in security and protection should be standard for SMEs to ensure total security across the firm and updating all relevant business devices to guarantee that everything has the correct protection.

BT has noted that the NCSC is offering support to them as a CNI operator and targeted guidance and tools for smaller companies as part of the Cyber Aware campaign.

See BT's full article here.

Global ransomware payments double in one year

A recent survey by British cybersecurity firm Sophos has revealed that the average global ransomware payment rose to £1.2 million over the past year. The average payment by UK organisations in 2023 is also higher than the global average. The Sophos report was drawn from a survey of 3,000 senior IT and cybersecurity professionals across a range of organisations, such as schools, retailers, and healthcare providers.

The two main trends identified in the report concern the targeting of high grossing companies as well as sectors with a lower level of resources and technology. The average pay-out by companies with revenues of more than $5bn a year was approximately $2.5m. Sophos have warned that this illustrates the tendency of threat actors to adjust the amount they will accept based on an organisation's ability to pay. The education sector was the most likely to have experienced an attack last year. IT, tech and telecoms companies reported the lowest level of attack, likely indicating a higher level of cyber readiness.

The Sophos report acts as a good reminder to organisations to ensure that they are regularly engaging in sound cyber practices. The report noted that nearly all organisations that had their data encrypted were able to retrieve it, largely through backup systems. Having proper backups for data recovery as well as general cyber readiness is imperative for all companies, and especially those without the annual revenue to consider funding a ransom payment.

Click here to read the full Guardian article.

Royal Mail Ransomware Negotiation Analysis

Cyber security consultants, STORM Guidance have produced a detailed report analysing the negotiation transcript released by LockBit in the wake of its ransomware attack on Royal Mail International (Royal Mail). The attack caused a notable outage and delays across the UK. The key findings from the transcript revolve around the lack of formal negotiation techniques used by those negotiating on behalf of Royal Mail as well as the emotiveness of the negotiators.

LockBit's release of the Royal Mail ransom transcript is likely a retaliatory attempt to cause Royal Mail as much damage as possible. This is following what STORM Guidance refer to as the potentially "antagonising" approach taken in the negotiation. Reducing the risk of antagonising can be achieved through short, polite, and specific posts with careful wording and attention to posting cadence.

STORM have issued a warning to companies engaging negotiators when faced with a ransomware attack as many providers of ransomware negotiation services are not formally trained. This could pose a risk. An untrained ransom negotiator might potentially make mistakes that result in unnecessary loss such as the early release of breached data or the victim being exposed to further attacks by an antagonised threat actor.

Click here to read STORM's article. You can then download the full report by following the simple instructions on STORM's website.

Ransomware Driving SOC Modernization Requirements

A new global research study has explored the direct impact of ransomware threats on the investment decisions of organisations regarding their Security Operations Centres (SOCs). The report follows a global survey of 1,203 security professionals from eight countries across a dozen industries.

More than 58% of respondents said that their SOC spends a large proportion of its time responding to ransomware and supply chain attacks. With a rise in ransomware threats increasing the need for automation across the sector, many respondents are now focusing their efforts on leveraging industry-leading detection, prevention, visibility, and automation technologies. The report proposes that modernisation in the realm of SOCs will be focused across specific areas such as deploying new detection capabilities with better efficacy and looking for ways to augment staffing by contracting for managed services.

Managed Detection and Response (MDR) services have been earmarked as a key tool for the future, helping to remove the burden and arduous process of alert triaging and prioritization which in turn gives time back to security teams to conduct remediation and focus on other priorities.

Click here to read the full Cybereason report.

Windows zero-day vulnerability exploited in ransomware attacks

Tech giant Microsoft has issued a software update remedying a zero-day vulnerability in the Windows Common Log File System (CLFS). The vulnerability was being actively exploited by cybercriminals to escalate privileges and deploy ransomware payloads.

Security researchers warned that the Nokoyawa ransomware gang has used other exploits targeting the CLFS driver since June 2022, with similar yet distinct characteristics, linking them all to a single exploit developer. Industries targeted by the threat actors include retail and wholesale, energy, manufacturing, healthcare, and software development. The use of zero-day attacks by cybercrime groups illustrates their growing sophistication. Organisations should remain alert and ensure that their systems are running the most up-to-date software versions.

Click here to read the full Bleeping Computer post.

Study shows how fast AI can crack passwords

Security experts have issued warnings over the security risks being posed by new generative AI services. Password Generative Adversarial Network (PassGAN) uses machine learning algorithms instead of having to run manual password analysis on leaked password databases. These PassGANs generate password guesses after autonomously learning the distribution of passwords by processing previous real-world security breaches.

In a recent study published by Home Security Heroes, PassGAN processed a list of over 150,000 credentials and was able to crack 51% of all common passwords in less than one minute, 65% in less than an hour, 71% in less than a day, and 81% in less than a month. With growing concerns amongst industry experts, Microsoft announced its new Security Co-pilot suite that will help security researchers protect against malicious use of modern technology.

The following key tips on password security remain more relevant than ever:

• Use at least 12 (and ideally 18+) characters or more, with upper and lowercase letters as well as numbers and symbols. All passwords with 18 characters that include both letters and numbers were found to be safe from AI cracking for now.
• Use non-SMS based two-factor authentication / multi-factor authentication.
• Use auto-generated passwords where possible.
• Refrain from re-using passwords across accounts.
• Refrain from using public Wi-Fi, especially for banking and similar accounts.

Finally, do not enter any of your real passwords if using an AI tool to test the strength of your own passwords. This follows wider concerns around inputted "prompts" remaining visible to server hosts.

Click here to read the full 9to5Mac article.

Peter Mansfield, partner at RPC, recently chaired a panel on digital risks at RPC's Global Access Week. During the discussion, Mansfield warned that new and emerging risks, which arise as we move into the fourth industrial age (the digital transition), will make it increasingly difficult for insurers to price and understand future exposures. Typically, insurers use historical data in order to quantify risks. However, Mansfield underlined that the market was ultimately entering an age of unknown risks.

The panel also explored the potential for cyber insurance to improve commercial cyber security as company's engage in the security-related "basic hygiene" required by their insuring policies. However, Eleonora Sorribes, partner at French law firm, HMN & Partners, warned that organisations would need to be careful not to adopt an increasingly lax approach to their engagement with safety protocols simply because they are covered by a cybersecurity policy.

Click here to read the Insurer article.

"Same Interest" test clarification for representative actions under CPR 19.6

CPR 19.6 provides that where more than one person has the same interest in a claim, that claim may be brought by or against one or more of the persons as representatives if they have the same interest as other parties.

The High Court in Commission Recovery Ltd v Marks & Clerk LLP [2023] EWHC 398 (Comm), has recently revisited the "same interest" test for representative actions under CPR 19.6. The Court had to decide whether the entitlement of the Claimant class could be calculated on a common basis. The claim in question was for secret commission. There were some differences in the claims and the remedies sought.

The High Court held that the "same interest" test does not require claimants to have identical claims or interests. It relied heavily on the Supreme Court's decision in Lloyd v Google [2021] UKSC 50. That case affirmed that the entirety of a class may be represented by a sole representative in circumstances where the position of other class members would not be prejudiced.

The High Court's ruling solidifies the existing position and potentially leaves room for further development as to the system of collective redress. In circumstances where a data breach may cause mass harm to a collective group of individuals, the "same interest" test may be relevant to a group of claimants potentially seeking to bring a claim through a sole representative.

Click here to read the full Judgment.

The Data Protection and Digital Information (No.2) Bill introduced in the House of Commons

On 8 March 2023, the UK government introduced the Data Protection and Digital Information (No.2) Bill (the "Bill") to Parliament. The first version of the Bill was prepared in July 2022 and paused in September 2022 to allow for further consideration with businesses and data experts.

The changes seek to amend current legislation that the UK "inherited" from the EU in the form of the GDPR. The new data laws are set to "cut down pointless paper work for businesses" according to the UK government's press release.

Key changes from a cyber breach response perspective

The Bill includes the following changes:

• Article 5(1)(b) - This Article prohibits data processing that is not compatible with the original purpose for which the personal data was collected. The amendments clarify the rules around compatibility of further processing of personal data.
  
  
• Article 6 - The Bill provides new examples of legitimate interests in processing personal data, including "national security, preventing crime, direct marketing, intra-group transmission of personal data where necessary for administrative purposes and ensuring security of network and information systems".
  
  
• Article 12A - Requests from data subjects under Articles 14-22 and 34 can be rejected where they are found to be "vexatious or excessive". The Bill provides examples of such requests, including requests which are "intended to cause distress, are not made in good faith, or are an abuse of process".
  
  
• Article 30A - The Bill extends record keeping requirements to include all controllers/processors (including small businesses) that carry out processing of personal data which is likely to result in a high risk to the rights and freedoms of individuals. These controllers/processers must maintain appropriate records of processing. The Bill specifies exactly what the controller's and processor's records must include.
  
  
• Article 33 - A personal data breach notification to the ICO shall communicate the name and contact details of the "senior responsible individual" rather than the "data protection officer", following amendments made by the Bill. The senior responsible individual is a "designated individual [who] must be part of the organisation’s senior management". Notification obligations to the ICO do not apply to personal data processed for law enforcement purposes if it is for the purposes of safeguarding national security.
  
  
• Article 34 - Data subject notifications obligations relating to personal data breaches do not apply to personal data processed for law enforcement purposes if it is for the purpose of safeguarding national security.
  
  
• The ICO has been granted new power to issue a new notice compelling a person to attend an interview to answer questions for the purposes of investigating a suspected offence under data protection legislation. Failure to comply with an interview notice can result in a monetary penalty. It will be a criminal offence to knowingly or recklessly make a false statement in response to an interview notice.
  

Click here to read the UK Gov press release.

The NCSC discusses the cyber security risk of Chat GPT and large language models

Artificial Intelligence (AI) has been trending across the past 12 months, with OpenAI's ChatGPT (an AI chatbot that uses deep learning to produce human-like text) claiming headlines. The platform operates on large language models (LLM), an algorithm which can be trained on a large amount of text-based data. The LLM technology can analyse the relationship between different words and accordingly execute a probability model. Users can then proceed to "prompt" the algorithm by asking it questions that lead to the provision of an answer based on the relationships of the words in its model.

ChatGPT can allow users to ask an LLM questions as if holding a conversation with a chatbot. This includes the ability to use "prompt augmentation" which involves providing context information about the question.

Privacy concerns have begun to emerge since query "prompts" remain visible to the LLM host (this being OpenAI in the case of ChatGPT). These companies tend to store queries and use them as a foundation to develop the LLM service/model at a future point in time. Users of these products are being encouraged to thoroughly understand the use and privacy policies of public LLM platforms prior to asking sensitive questions which may include user-identifiable information.

Additional concerns include the potential for threat actors to coax an LLM into writing highly capable malware or assisting in escalating privileges and finding data once a threat actor has gained access to a network. There is also scope for LLM's to assist threat actors in carrying out social engineering attacks by helping to write convincing phishing emails in the native language of a target. Although AI remains an exciting development which has the potential to boost efficiency within society, organisations and individuals must remain vigilant of bad faith actors who seek to exploit new systems for their own malicious gain.

Click here to read the NCSC blog post.

Ransomware gang claims to have breached Amazon-owned Ring

The infamous ransomware group known as ALPHV claims to have compromised Ring, the Amazon-owned company that builds smart doorbells with cameras. ALPHV became popularised following the group's use of the BlackCat encryptor malware. Ring's logo recently appeared on the groups "leak site", alongside a threat to publicly leak the smart doorbell operator's data.

Amazon itself has remained silent on the matter, issuing a short statement that it has "no indications" of Ring experiencing any ransomware attacks. The US tech giant did however announce that a third-party vendor fell victim to a ransomware attack and that Ring is now engaged in an effort to learn more about the incident. Amazon reiterated that the impacted vendor does not have access to its own customer records.

Questions have emerged regarding the data which ALPHV has accessed and is now leveraging, as well as how the group was able to compromise the target network. It is not yet clear which third-party vendor has been compromised and whether it is considering negotiating with hackers or paying a ransom. No further details will likely be known until ALPHV leaks the data, or the targeted company files a report with the Securities and Exchange Commission (SEC).

Click here to read the Tech Radar article.

ICO shares resources to help designers embed data protection by default

The Information Commissioner's Office (ICO) has produced new guidance which aims to assist tech service providers in embedding data protection into their products and services from their inception.

The guidance deals with key privacy considerations for each stage of product design, covering "kick-off" up until the "post-launch" period. It includes examples of good practice as well as practical steps which the ICO would expect organisations to take, when designing products and services, in order to comply effectively with data protection laws. Key takeaways for organisations include the need to involve other stakeholders in privacy discussions, as well as ensuring that there is a lawful reason for processing any personal information, in line with a Data Protection Impact Assessment (DPIA) and keeping track of personal information that is handled. The guidance also recommends that organisations should always check whether any privacy risks arise from new products or features which involve new uses of personal information. Organisations should think about how threat actors could use these new sources maliciously.

Whilst the ICO has recommended technical privacy-enhancing methods such as hashing or encryption, there remains no substitute for a genuine consideration of privacy during the design process. Especially in the light of the potential consequences where leaked information and personal data end up in unauthorised hands.

Click here to read the full ICO blog post.

Artificial intelligence in the role of assessing cyber risk

The University of Warwick has produced a review assessing the opportunities for using AI to help reduce cyber risk and threat exposure within the insurance sector. Cybercrime has been on the rise since the onset of the COVID-19 pandemic, with the emergence of sophisticated new methods of attacks. The integration of an efficient digital form of cyber security through the use of AI could help. If employed effectively, AI could help combat cyber risks and perform tasks such as detecting and preventing cyber-attacks in real-time, resisting novel cybercrime and increasing the effectiveness of cyber security teams.

AI is already used in back-end functions such as fraud detection. Machine Learning (ML) techniques are also being used. For example, Support Vector Machines used a ML algorithm that learns from examples of fraudulent and non-fraudulent activity reports to identify credit card fraud.

There are further opportunities that the insurance sector can take with AI. Natural Language Processing has been earmarked as a leading interdisciplinary focus which, when applied to cybersecurity, can encourage interactions in the insurance industry between people and machines. This can assist in identifying the risk of a phishing attack by scanning vast amounts of datasets for email conversations or tracking emails that enter an organisation's network in order to identify patterns of malicious behaviour.

AI and ML could also help defend against DDoS attacks by comparing network traffic with real-time data streams collected from threat-intelligence sources to spot attack trends.

Click here to read the full WTW post.

Countering Ransomware Financing

The Finance Action Task Force (FATF) has produced a report analysing the methods used by criminals to carry out ransomware attacks. The study also covers how payments are made and laundered, with the aim to improve global understanding of the financial flows linked to ransomware and highlight actions that countries can take to effectively disrupt ransomware-related money laundering.

The report explores how ransomware criminals tend to opt for virtual assets such as cryptocurrencies to facilitate large-scale cross-border transactions. This circumvents the involvement of traditional financial institutions that have anti-money laundering and counter terrorist financing (AML/CFT) programs. Of particular concern therefore are jurisdictions with weak or non-existent AML/CFT controls. The FATF report proceeds to explore potential solutions to the problem, with the key takeaway being a need to regulate the virtual asset service provider (VASP) sector and build upon and leverage existing international cooperation and information exchange mechanisms. This is due to the globalised nature of ransomware attacks which necessitate an increased focus on rapid cross-border funds tracing and effective asset recovery.

Finally, ransomware attacks have been found to be generally underreported, with detection potentially a challenge in the private sector alongside the negative potential reputational impacts to the victim’s business. Moving forward, the key objective for regulators will be to create an environment where victims feel encouraged to report incidents. This is even more crucial given the current state of underreporting hampering regulators' ability to substantively investigate money laundering related to ransomware.

Click here to read the full FATF publication.

The OFSI has reiterated that payment of ransomware demands could constitute a breach of financial sanctions, carrying heavy penalties. Nevertheless, new guidance published by OFSI provides some comfort for organisations who feel to be in a position where paying the ransom is the only choice available. Several mitigating factors will be taken into account when assessing a ransom payment in a ransomware situation which is discovered after the event to have been in breach of financial sanctions. Those measures include the following:

• Early reporting and cooperation with law enforcement (including Action Fraud and the NCSC) and regulatory bodies (such as the ICO).
• Early self-reporting if it becomes suspected that a payment was made to a designated individual or organisation.
• Carrying out appropriate checks at the time of payment to ensure the transfer is not made to a sanctioned entity as far as it is possible to check.
  

This new guidance should be welcomed by organisations faced with the undesirable option of having to pay a ransom demand. While enforcement is still a possibility in those situations if the payment turns out to have been made to a designated individual or organisation, the guidance from OFSI indicates that fines or criminal sanctions are less likely if the mitigating steps set out in the guidance have been followed.

Click here to read the OFSI guidance post.

LockBit releases entire negotiation history with Royal Mail

High profile ransomware organisation Lockbit recently leaked the entire negotiation history between it and Royal Mail International, revealing a ransom demand of $80 million.

This rare release sheds light on key negotiation tactics from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) when dealing with threat actors.

LockBit set the ransom at £65.7 million, a sum it calculated to be 0.5% of Royal Mail International's annual revenue. They also went on to say that this was eight times less than the cost of a regulatory fine in the UK.

Royal Mail International's negotiator relayed the message that "under no circumstances will we pay you the absurd amount of money you have demanded". Royal Mail has never publicly confirmed that the cyber incident it suffered was ransomware in nature, or even an ‘attack’, despite sources speaking to multiple news outlets indicating that to be the case. The NCSC and the NCA have both confirmed their involvement in assisting with the attack. LockBit initially distanced itself from the incident but has admitted that one of its affiliates carried out the attack.

Click here to read the full IT Pro article.

UK cracks down on ransomware actors

On 9 February the UK, in collaboration with the US Government, sanctioned a group of seven Russian criminals in the first wave of new coordinated action against international cybercrime. UK Foreign Secretary James Cleverly said: "By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account". The NCA assessed that the sanctioned group was responsible for extorting at least £27 million from 149 UK victims, including hospitals, schools, businesses and local authorities, although their full impact is believed to be much higher.

National Crime Agency Director-General Graeme Biggar called the crackdown a hugely significant moment for the UK and collaborative efforts with the US to disrupt international cyber criminals. It is highly likely that the recently sanctioned individuals evolved from previous cyber organised crime groups and likely have extensive links to other cyber criminals, notably EvilCorp and those responsible for Ryuk ransomware. NCA's CEO Lindy Cameron confirmed that, “ransomware is the most acute cyber threat facing the UK, and attacks by criminal groups show just how devastating its impact can be". By working with key partners, the NCSC is helping to "improve collective resilience".

Click here to read the NCA article.

NCA takes down HIVE ransomware organisation

In association with the FBI and German law enforcement, the NCA has taken down servers used by the HIVE ransomware group. Anyone attempting to access HIVE infrastructure will now be met with a law enforcement splash page, explaining that the network has been seized and is no longer available for use.

HIVE resources were previously available on the dark web, allowing users to deploy ransomware attacks on their targets. From June 2021, the HIVE ransomware group had targeted over 1,300 victims, receiving more than $100m in ransom payments. The FBI developed the capability to avoid HIVE encryption and NCA investigators supported a number of victims in the UK to remove the impact of the ransomware from their systems. Paul Foster, Deputy Director of the NCA’s National Cyber Crime Unit commented that, while HIVE was a service which enabled cyber criminals to steal millions from businesses across the globe, with several UK organisations suffering significant disruption and financial losses, the combined might of international law enforcement, is "a tremendous example of action to take down illegal IT infrastructure".

Click here to read the NCA article.

Click here to read the Computer Weekly article.

Royal mail restarts limited overseas post after cyber- attack

Royal mail has started clearing its backlog of overseas post and has started receiving new international letters, following ransomware attack earlier this month. In a bid to mitigate impacts of the attack, Royal mail continues to work with authorities and is trying 'operational workarounds.' Royal Mail, as a private company, is required to keep authorities and regulators informed, however it has said little to the public.

The ransomware used in the attack is Lockbit. Computer security firms say the software involved has been developed and used by criminal gangs with links to Russia. The ransom demand is expected to be in the millions, although sources close to the investigation say there are "workarounds" to get the systems going again. This attack is significant, as Royal Mail is deemed part of the UK's "critical national infrastructure". The back-office system that has been affected is used by Royal Mail to prepare mail for despatch abroad, and to track and trace overseas items. The threat actors are likely to be threatening Royal Mail with the prospect of having potentially sensitive data published by a certain deadline.

It is not yet clear whether Royal Mail is considering negotiating with hackers or paying a ransom. However, firms that rely on posting items overseas have seen ongoing impacts to their businesses. Royal Mail has apologised and asked companies not to send international parcels or any mail that requires a customs declaration for the time being. Domestic postal services remain unaffected.

Click here to read the full BBC article.

Cyberattacks triple in last year according to Ukraine cybersecurity agency

The UK Government's security minister Tom Tugendhat warns of a ‘persistent threat’ of Russian attacks on Ukraine's critical infrastructure. Ukraine's cybersecurity agency says Russian hacking is, at times, deployed in combination with missile strikes. Russian hackers carried out 10 attacks a day against “critical infrastructure” during November 2022, as part of the wider effort to leave millions without power amid plunging temperatures.

The Ukrainian cybersecurity agency stated that Russian cyber-attacks were also coordinated in conjunction with “information-psychological and propaganda operations" trying to “shift responsibility for the consequences [of power outages] to Ukrainian state authorities, local governments or large Ukrainian businesses”. The UK has provided a £6.35m package of support, helping Ukraine with incident response, information sharing, hardware and software.

Russia's "near abroad" have also been targeted. In late October 2022, Poland’s senate was hit by a cyber-attack, a day after the country’s upper house had unanimously adopted a resolution describing the Russian government as a terrorist regime. Poland later blamed the pro-Russian group NoName057(16) for a denial-of-service attack aimed at shutting down its website. British organisations are urged to continue to review their digital security during what the NCSC considers to be an “extended period of heightened threat”.

Click here to read the Guardian article.

The darker side of ChatGPT

Since its debut less than two months ago, ChatGPT has become well-known and is used worldwide for a wide range of jobs. For anyone working in the software industry, its amazing capabilities provide quick and understandable code samples. On the flip side ChatGPT is advanced in its capacity to construct sophisticated malware that contains dangerous code.

ChatGPT could be used to create polymorphic malware. This malware’s advanced capabilities can evade security products and make mitigation cumbersome with very little effort or investment by the adversary. Cyber Ark ran a test using ChatGPT and found that it is possible to create a polymorphic program that is highly evasive and difficult to detect. This creates significant issues for security professionals.

The concept of creating polymorphic malware using ChatGPT has been shown to be relatively straightforward. By utilizing ChatGPT’s ability to generate various persistence techniques, Anti-VM modules and other malicious payloads, the possibilities for malware development are vast. This is a field that is constantly evolving.

Click here to read the Cyber Ark article.

New program offers most vulnerable in society free cyber security support

The NCSC offer charities and legal aid firms free support to put cyber protections in place. The new government Funded Cyber Essentials Programme offers some small organisations in high-risk sectors practical support at no cost to help put baseline cyber security controls in place. The information held by these organisations can be highly sensitive – including, for example, personal data relating to vulnerable individuals. Eligible organisations will receive 20 hours of expert support to help implement the five technical measures needed to gain Cyber Essentials certification – firewalls, secure settings, access controls, malware and software updates. Cyber Essentials is a government-backed certification scheme which helps organisations of all sizes guard against online threats and demonstrate a commitment to cyber security.

The offer is currently available to micro or small businesses that offer legal aid services and micro or small charities that process personal data, for example those working in safeguarding such as domestic abuse charities or online chat support services.

Click here to read the NCSC blog post.

A company working in 'security-sensitive and highly classified projects of national significance' has successfully withheld its identity when obtaining summary judgment against the unknown perpetrators of a $6.8m 'ransomware' attack. In XXX v Persons Unknown, Mr Justice Cavanagh agreed, in paragraph 29 of the judgment, that a derogation from open justice was needed to prevent the court itself becoming 'the instrument of harm'. National firm Weightmans LLP, who acted for the company identified as XXX, said the verdict shows the value of 'persons unknown' injunctions in managing the fallout from cyberattacks. Previous injunctions have required the victims to be named in open court. In making their judgement the Court had to balance the overarching and fundamental public interest in open justice with the risk that disclosure of the Claimant's identity and of details of the evidence, might facilitate the very injury that the proceedings were intended to restrain.

The judgment, which followed a private hearing, cited paragraph 36 of Various Claimants v The Independent Parliamentary Standards Authority [2021] EWHC 2020 (QB) noting that derogations from open justice can be justified as necessary on two grounds: maintenance of the administration of justice and harm to other legitimate interests. The judge found that the mere fact that a business would suffer negative consequences if a cyberattack becomes public knowledge would not automatically justify secrecy (paragraph 25). However, in this case, anonymity was justified by the nature of its work and the risk that, if its identity was known, 'third parties with malign intent' might locate the stolen information on the so-called 'Dark Web'. ' The company in question was a 'multi-discipline company'... whose clients 'require the utmost discretion, secrecy and protection from external threats'. Some of the company's data was also protected by the Official Secrets Act (paragraph 28).

Industry professionals regularly debate the value of an injunction in cases of cyberattacks. There’s always the risk that, by virtue of seeking the injunction in open court, businesses draw attention to the fact their IT systems have been breached or that data has been stolen and give others an indicator of where the data can be found. However, this judgment provides authority that in certain circumstances at least, the risk of publicity arising from the making of the injunction application itself could be possible to navigate.

Click here to read the full case on Bailii.

Client losses from cyber-attacks on law firms continue to fall

The Solicitors Regulation Authority (SRA) has revealed that client losses resulting from cyber-attacks on law firms have fallen to £700,000 in the first 10 months of this year. This compares to £10m in 2017, a figure that has dropped most years since. A panel discussion at an SRA compliance officer conference in Birmingham on 8 November 2022, revealed an 'improving picture', adding that it tended to be clients who were targeted by email
fraudsters, rather than their solicitors.

Ransomware was identified as the main form of cyber-attack against law firms and the conference speakers maintained the stance that firms should not pay up. Rachel Clements, a regulatory speaker at the conference mentioned, 'not only are you essentially paying a criminal… but it could expose you, your firm, and your clients to additional risks'. Research cited indicated that 80% of businesses that paid ransoms were targeted again, often by
same attacker.

The GDPR requires firms to implement 'appropriate measures' to restore data, but the ICO's legal director confirmed that paying a ransom does not constitute an appropriate measure. William Wright, a partner at Paragon International Insurance Brokers, noted that cyber-insurers expect to see a raft of controls in place before issuing a law firm with an insurance policy, ranging from encryption and email scanning to intrusion detection and patch management. He also emphasised the importance of multi-factor authentication as increasingly becoming a pre-requisite to obtaining insurance. Lastly, he flagged the need for segregated back-ups and staff training, given that “most cyber-attacks we see are
human related”.

Click here to read the Legal Futures article.

EU boosts action against cyber threats

On 10 November 2022, the European Commission and the High Representative put fforward a Joint Communication on an EU Cyber Defence policy and an Action Plan on Military Mobility. This is in a bid to address the deteriorating security environment following the unstable Russia and Ukraine conflict and to boost the EU's capacity to protect its citizens and infrastructure.

Recent cyber-attacks on energy networks, transport infrastructure and space assets show the risks that they pose to both civilian and military actors. The new EU Cyber Defence Policy aims to strengthen coordination between military and civilian cyber communities. The aim is to reduce dependence on critical cyber technology while enhancing efficient cyber crisis management across the EU. The four pillars making up the policy are: increased coordination between cyber defence players, standardisation and certification across the whole cyber defence ecosystem (including non-critical software), investment in cyber capabilities in a collaborative way and partnering to address common challenges.

The Commission and the High Representative, including in his capacity as Head of the European Defence Agency (EDA), will present an annual report to the Council of the EU to monitor. They will also assess the progress of implementing the actions in the Joint Communication on the EU Cyber Defence Policy. Member states are invited to provide contributions on the progress of implementation measures taking place in the national
context.

Click here to read the European Commission article.

Ex-NATO general classifies cyber defences as important as missile defences

Retired U.S. General Ben Hodges commanded U.S. Army forces in Europe from 2014 until 2017 and has long argued that civilian infrastructure is an essential pillar of military strategy. He has now added that cyber protection is just as important as missile defence systems to guard the German North Sea ports. He highlights that a cyber-attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send
military reinforcements to allies.

With Russia increasingly threatening attacks on quasi-civilian infrastructure as part of its ongoing conflict with Ukraine, Hodges has flagged Bremerhaven and Hamburg as the most important seaports on which the alliance depends, for both military equipment and commercial cargo. A 2017 cyber-attack (NotPetya) attributed to Russia, first targeted Ukraine but rapidly spread to suppliers with operations across eastern Europe. Outages in computer systems meant Danish shipping giant, Maersk, lost track of its freight.

In light of this, Hodges has reacted with anxiety to Berlin's decision to allow Chinese group COSCO Shipping Holdings Co. Ltd to buy a stake in a terminal in Hamburg, noting that the Chinese may now be able to influence and disrupt activities at critical transportation infrastructure. The Chinese foreign ministry has however, confirmed that 'cooperation between China and Germany is a matter for the two countries and third parties have no right to meddle and intervene'. The threat of nation sponsored attacks on critical infrastructure continues to be watched closely across all nations.

Click here to read the Reuters article.

Current trends in ransom payments

Ransomware attacks which were prevalent in 2020 and 2021, partly due to increased remote working, have now decreased. In its mid-year 2022 Cyber Threat Report, US security company SonicWall identified a 23 per cent drop in the number of ransomware attempts. It attributed this to several factors, including a 'downward' trend in the number of organisations willing to pay cyber criminals.

Cyber security group Coveware, confirmed that 85 per cent of ransomware cases they handled in 2019 ended in payment, however by Q1 of 2022, the proportion had fallen to 46 per cent. Many organisations are now finding ways to recover their data via backups or establishing that certain data is not critical. Other factors contributing to the decrease in ransomware payments, include the slump in the price of difficult-to-trace cryptocurrencies which were the preferred pay-out method of threat actors. Russia's invasion of Ukraine has also hit the sector, as many Russian threat actors have been disrupted by sanctions or have focused on conflict related attacks rather than ransomware on private organisations. UK and US governments firmly advise against ransom payments as it does not necessarily guarantee victims will get their data back but rather emboldens attackers by rewarding them.

The US states of North Carolina and Florida have now explicitly banned state and local government agencies from paying hackers and other states are exploring similar policies. Deciding to pay is often on a case-by-case basis, involving an exercise of weighing up the price tag of the ransom demand against the potential cost of not paying.

For example, organisations with confidential client data, can opt to pay to avoid potential reputational damage. In some cases, it makes more economic sense to pay the ransom than to recover the data or systems from backups. IBM's Cost of Data Breach Report showed that average costs for victims opting to pay ransoms were $630,000 lower than those who chose not to pay.

Due to the fear of threat actor links to Russia, many are opting not to pay on ethical grounds, and also from fear of violating sanctions. According to Sophos, only 4% of victims were able to retrieve all their data from hackers. Hackers could also sell or leak stolen data at points in the future, leaving no guarantees. Deciding to pay relies on an element of trust in threat actors to delete data, which there is no reliable evidence that they will do. Many
experts warn that the total ransoms paid may be far higher than is currently known as there are no rules around disclosing payments.

Click here to read the FT article.

ICO and Cabinet Office reach agreement on New Year Honours data breach fine

On 15 November 2021 the ICO issued a fine to the Cabinet Office following an investigation into the 2019 data breach, where the Cabinet Office published a file a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times.

The Cabinet Office appealed against the amount of the fine to the First-tier Tribunal (General Regulatory Chamber) in December 2021, alleging the level of penalty was “wholly disproportionate”. The penalty was for failing to implement appropriate technical and organisational measures to keep personal data secure, in contravention of Articles 5(1)(f) and 32(1) of the GDPR. The appeal related solely to the amount of the fine and the facts leading up to the imposition of the penalty were not in dispute.

On 3 November 2022, the ICO announced its agreement to reduce the £500,000 Monetary Penalty Notice (MPN) imposed on the Cabinet Office in 2021 to £50,000, which the Cabinet Office has agreed to pay. In a bid to work more effectively with public authorities, the ICO's John Edwards commented that they acted pragmatically recognising 'the current economic pressures public bodies are facing' and the fact that 'in certain cases fines may be less critical in achieving deterrence'. He added that the ICO will continue to work with the Cabinet Office to ensure people’s information are being looked after. Edwards confirmed that the ICO is willing to use discretion to reduce the amount of fines on the public sector in appropriate cases, coupled with better engagement including publicising lessons learned and sharing good practice.

Click here to read the ICO press release.

Brief facts

The respondent AB was employed as marketing consultant by entities that were part of a group called IP Global (“Ex-Employers”). As part of that role, the respondent managed an investment fund known as the “Edinburgh Fund”.

In the second half of 2017, the respondent left his role and joined a competitor QIP as “Head of Fund Raising”. In August 2018, the respondent contacted the appellant MR (who was an investor in the Edinburgh Fund) on the latter’s personal email address with a view to offering the appellant further investment opportunities by QIP.

The appellant was concerned that the respondent knew his name, personal email address and investment activity in the Edinburgh Fund (collectively, the “Personal Data”). Among other things, the appellant responded to the respondent’s email wanting to know how the respondent had come to access the Personal Data and what steps he would take to protect it.

The respondent claimed that he obtained some of the Personal Data from Linkedin, but did not provide the appellant with any further assurances relating to the Personal Data.

The appellant was joined as plaintiff to an action commenced by the Ex-Employers against the respondent under what was then s32 of the PDPA (which we shall refer to by its current section number, s48O) for an injunction restraining the respondent from using the appellant’s personal data, and an order that the respondent undertake to destroy the appellant’s personal data that was in his possession.

This was granted by the District Judge, but overturned on appeal to the High Court. The matter was then referred to the CA who largely affirmed the District Judge’s decision.

What is s48(O) of the PDPA

S48(O) of the PDPA grants a person who suffers loss or damage directly as a result of a contravention of certain parts of the PDPA, a civil action for relief in Court. Many issues were considered by the CA. We will summarise the key parts of the CA’s decision in terms of what they mean for

1. individuals commencing actions under s48(O)

2. individuals facing a claim under s48(O), and

3. corporations who employed the individuals in (2).

For Individuals commencing actions under s48(O)

The first important point to note is that the CA affirmed that a claimant could rely on emotional distress as part of “loss or damage”. This aligns the position in Singapore with the UK position expressed in Vidal-Hall and others v Google Inc (Information Commissioner intervening) [2016] QB 1003 where it was recognised that “distress… is often the only real damage that is caused by a contravention.”

The second point relates the test such individuals need to meet in order to prove their case for loss or damage, which the CA enunciated for the first time. The CA identified a multi-factorial approach considering (1) the nature of the personal data involved in the breach, (2) whether
the breach was one-off or continuing, (3) the nature of the defendant’s conduct, (4) the risk of future breaches causing emotional distress and (5) the actual impact of the breach on the claimant.

In finding in favour of the appellant, the CA placed particular emphasis on the fact that the respondent refused to give the appellant an undertaking not to use the Personal Data in the future. The CA appeared to take the view that the matter would have been resolved if the respondent had given such an undertaking in the course of his email exchange with the appellant. The CA also considered the actions taken by the appellant after receiving the initial email from the respondent (confronting the Ex-Employers and writing to the respondent) in considering whether emotional distress was in fact suffered.

For individuals defending actions under s48O

The first point to note relates to whether individuals are subject to obligations under the PDPA which apply to “organisations”. The respondent sought to argue that such obligations should only apply to business entities, not individuals. The CA swiftly rejected this position on the basis that the definition of an “organisation” in the PDPA included natural persons. One therefore should be careful when assuming that only corporate entities are subject to the obligations under the PDPA.

The second point to consider is the respondent’s attempt to rely on a defence in s4(1)(b) of the PDPA, which provides that the specific sections of the PDPA do not impose obligations on employees acting in the course of their employment. The CA held that it was too late for the respondent to try to rely on this provision as he had not adduced evidence of (1) what was done, (2) what the employment required him to do as an employee (3) whether the employee deliberately evaded practices set up by the employer to deter such action. It is therefore important for defendants to consider the defences in s4 of the PDPA early with their counsel.

Finally, we reiterate the finding that the respondent never undertook to not use the Personal Data in future. It is puzzling why the respondent did not do this in this case, as he had stated over email to the appellant that he would not be contacting the appellant again. Potential defendants should immediately obtain advice from legal counsel when faced with a potential claim under s48O so that appropriate remedial measures can be taken.

For employers

The CA considered the question of when it is that an employer would be liable for the actions of an employee. It held that an employer’s liability under the PDPA was not strict, but fault based. It reiterated that an employer would only be in breach of the PDPA if it fails to do what a reasonable person would consider appropriate in the circumstances.

As an example, the CA suggested that if an employer has developed and implemented policies and practices necessary for the organisation to meet its obligations under the PDPA, but a rogue employee takes pains to evade such supervision and thereby breaches the PDPA, it would be artificial to say that the employee was acting within the course of his employment.

This once again underscores the importance of employers ensuring that they have taken sufficient steps to ensure that their processes with regards to personal data collection, storage and use are compliant with the PDPA.

The National Cyber Security Centre (NCSC) and the police have been investigating a series of attacks attempting to take down a London-based cryptocurrency exchange, Currency.com. The attack involved coercing millions of computers worldwide to bombard the company's website with numerous requests in a bid to crash its systems.

The attack commenced within hours of Currency.com founder's announcement that he was pulling the company out of Russia following Russia's invasion of Ukraine. This is believed to be the first suspected Russian war-linked cyber attack on a UK company.

The NCSC believes that the attack has not been orchestrated by the Kremlin, but instead is likely to have been carried out by criminals who are possibly Russian in origin. Evaluation by Currency.com suggests that between 18 and 32 percent of the attacks stemmed from Russia and Belarus.

The attack follows warnings by Liz Truss, the Foreign Secretary, of “significant consequences on normal people and businesses in Ukraine and across Europe”, with a further announcement from the NCSC reiterating that organisations should follow their guidance on protecting themselves against attacks of this nature (see here).

Click here to read the full article as published by VTL News.

Five things we learned from DPPC 2022

More than 3000 data protection professionals from across the country attended this year's Data Protection Practitioners' Conference. The key takeaways include:

• Training materials for business and organisations: John Edwards has highlighted the publication of the ICO information governance and legislation training modules, which it provides to its staff as part of its internal training. He has encouraged organisations and staff to take a look at these materials in the coming weeks to improve their data protection and information rights expertise.
• Privacy professionals: John Edwards has reiterated the importance of data protection professionals' role within organisations, adding that the ICO could take further steps to connect DPOs with other members of the community to pool expertise and experience.
• Safeguarding children: it is imperative that businesses and organisations have the confidence and know-how to share data in circumstances where this would safeguard children and young people.
• Personal data and equality in a digital age: the key issue of how data protection sits alongside inequality was also considered, particularly in the context of supporting organisations to make good decisions about collecting good-quality data to address this. For example, artificial intelligence, if poorly implemented, can perpetuate biases as the processes rely on existing data which may already be entrenched with inequality.
• The future of data protection reform: the UK Government's introduction of the new Data Protection and Digital Information Bill to Parliament is believed to strike a good balance between reducing regulatory burdens on businesses and recognising the value of rigorous data protection.

Click here to read the full article as published by the ICO.

Cyber attack targets IT firm used by Northern Ireland's health service

Health officials in Northern Ireland have disabled the health system's access to services provided by an NHS IT supplier, Advanced, after a cyber-attack caused a significant outage across the NHS computer system. The cyber criminals are suspected to have made demands for payments in exchange for not leaking information and removing the malware. The perpetrators are understood to be independent cybercriminals rather than being state-sponsored.

Advanced offers digital services to patients, including patient records, emergency prescriptions and support for NHS 111. It also provides the IT system that supports finance, procurement and logistics across Northern Ireland's health and social services. As such, there were concerns that the threat actors could have gained access to confidential health records, including mental health records, and leak them if the ransom demands were not met.

The Department of Health confirmed that "contingency measures" had been put in place following the attack. As of yet, there is no direct effect on services, including payroll and patient records; however, access was shut off as a precaution and to avoid exposing other critical systems to a risk of attack. At this stage, the incident could take weeks or months to be fully resolved.

Click here to read the BBC's full article and here to read the Guardian's full article on this news.

Microsoft warns about SEABORGIUM phishing attack that befriends you first to rob you later

The Microsoft Threat Intelligence Centre (MSTIC) has released a warning about a highly persistent phishing campaign known as "SEABORGIUM". Despite this campaign having existed since at least 2017, Microsoft believes that it has now collated sufficient information on SEABORGIUM and its operation in practice to publish detailed guidance describing the ways in which potential victims can protect themselves against it.

Typically, the threat actors involved in SEABORGIUM initiate an attack by observing their potential targets through the use of fake social media profiles. In addition to this, email addresses are often set up to impersonate real individuals in order to contact their victims, gain trust, and develop rapport.

If the target replies, SEABORGIUM proceeds to send a weaponized email, with the malicious website links inserted directly into the body of the email or via email attachments. These links in turn direct the target to a phishing portal mirroring the sign-in page for a genuine provider and invite them to insert their login information. In this way, SEABORGIUM is able to intercept any credentials.

SEABORGIUM has been observed to use stolen credentials to sign directly into victims' email accounts. Once they have gained access, the threat actors are then able to exfiltrate emails and attachments from inboxes, set up forwarding rules to accounts where the threat actors have long-term access to collected data and using fake accounts to communicate with people of interest attempting to gain access to sensitive information.

Click here to read Microsoft's full article and here to read  Neowin's full article on this news.

Bad for Privacy, but Great for Security: Apple AirTag Used to Identify Airport Staff Thief

An air traveller used an Apple AirTag to locate her missing luggage, which resulted in the arrest of an airline worker with over $16,000 worth of luggage recovered. The introduction of tracking devices such as the Apple AirTag enable users to track the position of their possessions in real time.

Unlike a typical tracker which may use GPS signal to identify location, AirTags use a combination of Bluetooth and UWB that can be picked up by other UWB-supporting Apple products (such as iPhones, iPads, and MacBooks). Once an AirTag has been picked up by another Apple device, the location details are streamed to the iCloud so that the device's owner can identify where their AirTag is.

Although Apple AirTags have shown themselves to be a useful tool in certain circumstances, their tracking ability has raised considerable privacy and security concerns. There have been various reports of people discovering AirTags in their bags, cars, and other possessions without their knowledge, which has many worried that criminals are using them to track valuable targets.

Click here to read the full article as published by Electropages.

Solicitors have been asked to help combat a rise in payments being made to ransomware criminals. In some cases, solicitors have been advising clients to pay in the belief that it will safeguard data or lead to a lower penalty from the ICO.

The National Cyber Security Centre (NCSC) has requested that the Law Society reiterate to its members its advice on ransomware and highlight that paying a ransom will not keep data secure or be considered by the ICO as a mitigation in regulator action. Conversely, the ICO and NCSC have stated that paying ransoms can further incentivise criminals and will not guarantee that data is safely returned.

This advice comes as ransomware attacks are becoming more sophisticated and destructive, with the UK government working with partners across the board to mitigate the threat. In December 2021, the National Cyber Strategy was launched to strengthen the UK's role as a responsible cyber power.
Tackling cybercrime is at the heart of this plan, with the legal sector playing a key role in helping reduce the impact and scale of this threat.

Click here to read the NCSC's press release.

International data protection and privacy authorities provide guidance against the threat of credential stuffing attacks

The latest report from international data protection and privacy authorities, including the ICO, has recognised "credential stuffing" as a substantial growing cyber threat to personal information.

This cyber-attack method exploits people's propensity to use the same username and password combination across multiple online accounts. The attacks are automated and most commonly take place on a large scale, making use of credentials obtained from unrelated data breaches in order to gain access to online accounts across different websites or applications.

The report provides guidance for organisations (here) and the public (here) on how to prevent, detect and lessen the risk of these attacks. The guidance to organisations notes that the implementation of measures to protect personal data from credential stuffing attacks will generally be required, at least implicitly, under data protection and privacy laws. Among the recommended security measures listed, multi-factor authentication is identified as the most efficient method in securing online accounts against credential stuffing.

Click here to read the ICO's press release.

Commercial cyber capabilities must be used legally and responsibly, says UK NCSC CEO

The head of the UK's NCSC, Lindy Cameron, has highlighted the significance of legal and responsible use of commercial cyber capabilities.
In a speech delivered at the Cyber Week hosted by Tel Aviv University, Cameron has identified that the intersection between academia, industry and governments hold the key to responding to the latest cyber threats. Cameron commended Israel's sophisticated cyber capabilities, where export controls are tightened, making it more difficult for nations with troubling records on privacy and human rights to acquire intrusive spyware.

Cameron discussed the rising trend in ransomware and how the commercialisation of such capabilities dramatically lowers the technical knowhow required to conduct criminal operations. Cameron pointed out that ransomware remains the most significant global cyber threat most organisations have to contend with. Ransomware is now being offered by gangs as a service, making it easier than ever to perpetrate this type of crime.

In order to counteract these attacks, Cameron stressed the need to form partnerships, as well as to pool resources and skills in order to develop a network which is naturally resilient.

Click here to read the NCSC's press release.

Cyber-attack causes a fire in steel factory in Iran

On 27 June 2022, a cyber-attack on a steel maker in Iran caused a serious fire in a steel factory and damage to equipment.
A hacking group known as Predatory Sparrow has stated that it is behind the attack and has released a video to support this claim. The video footage of the incident shows factory workers escaping the plant before the machine started spewing molten steel and fire, as well as people pouring water on the fire with hoses.

Predatory Sparrow claimed that this attack was one of three attacks it had carried out against Iranian steel makers on the same day in protest of unspecified acts of "aggression" by the Islamic Republic. The group has since gone on to share data allegedly stolen from the companies, including confidential emails. The sophisticated nature of the attack, including apparent efforts by the group to shield people at the scene of the incident from injury, has led many to believe that Predatory Sparrow is either operated or sponsored by a nation state. If a state is proven to have caused physical damage to the Iranian factory, it may have violated international laws prohibiting the use of force and provided Iran with legal grounds to hit back. Investigations by the Iranian authorities are currently taking place in efforts to identify the state perpetrator behind the attack.

Despite there being previous incidents that have had a physical impact in the real world, such as the 2010 Stuxnet attack, nothing as serious as this has previously taken place, with there being very few confirmed cases of cyber-attacks causing physical damage.

Click here to read the BBC article.

Speech introducing the ICO's plan for the next three years: ICO25

On 14 July 2022, Information Commissioner John Edwards delivered a speech at Woburn House to introduce ICO25, the ICO's strategic plan outlining its regulatory approach and priorities for the next three years.

The plan includes a pledge to protect the information rights of vulnerable individuals, whilst affording organisations higher levels of certainty and flexibility to enable "businesses to invest and innovate with confidence". In terms of providing greater certainty, the aim is to clearly set out legal requirements and the approach that the ICO will take when enforcing these.

There are also plans to introduce "a series of services, tools and initiatives, allowing organisations to benefit from ICO advice and the experience of others".

The ICO25 plan's priorities over the upcoming three years include:

• Examining how the benefits system utilises algorithms;
• Tackling predatory marketing calls;
• Considering whether the use of AI within the recruitment sector adversely impacts ethnic minorities and neurodiverse individuals; and
• Continuing its support of children's privacy.

Click here to read the full speech by John Edwards.

Data Protection and Digital Information Bill introduced into Parliament

On 18 July 2022, the Data Protection and Digital Information Bill was introduced into Parliament. This followed publication of the government's response to its consultation, "Data: a new direction".

The Bill has been designed to update and streamline the UK GDPR and Data Protection Act 2018 in order to reduce legislative burdens on organisations whilst still preserving a good standard of data protection regulation. The purpose of the Bill will be to bring in higher levels of flexibility and introduce various measures involving personal data and other types of information, such as digital information.

Some various proposed amendments to the Bill as it stands, include:

• Reforming the ICO;
• Changes to PECR, relating to cookie rules, unsolicited direct marketing and communications security (for example, network traffic and location data);
• Clarification of the rules on international transfers and cross-border flows of personal data;
• Establishing a framework for the provision of digital verification services;
• Changes to Part 3 (law enforcement) and Part 4 (processing by the intelligence services) of the Data Protection Act 2018; and
• Changes to police use of biometrics.

The second reading is due to take place on 5 September 2022.

Click here to read the UK Government publication.

Looking back on the last 18 months, the data privacy laws of several Asian jurisdictions have been updated to incorporate stronger protections for individuals’ personal data. This article provides an update on a handful of jurisdictions in Asia and summarises some of those main changes, including the far-reaching implications of the new data protection law in Mainland China.

Introduction

Many jurisdictions in Asia are in the process of updating, or have already updated, their data protection regimes. Many of these changes were expected developments following a lengthy period of legislative debate, as a part of incremental steps towards strengthening data protection. For example, in Hong Kong, the Personal Data (Privacy) Ordinance has been amended include new provisions regarding ‘doxxing’.

Other jurisdictions have made more wholescale changes which represent a shakeup of the data protection regime, with both territorial and extra-territorial effects. For example, the Personal Information Protection Law in Mainland China, which came into effect on 1 November 2021, appears to reflect the European GDPR in its commitments to data protection and introduces a new standard for data protection – it also has broad extra-territorial application.

This article provides a brief overview of some of the key changes made, or expected shortly, in Hong Kong, Singapore, Japan, Taiwan and Mainland China. 

Organisations operating in Asian markets will need to assess the impact of these changes on their businesses and take steps to ensure compliance. The data protection regimes in Asia are catching up to the GDPR in the EU, although there is no common data protection regime. Asian jurisdictions protect data differently, but increasingly with greater care and greater pro-active steps needed by those who use and process data. Failure to adhere to these stricter requirements could result in substantial penalties and, perhaps more importantly, significant reputational damage.

Hong Kong

Our previous article listed a number of proposed amendments to Hong Kong’s Personal Data (Privacy) Ordinance (PDPO). On 29 September 2021, the Hong Kong Legislative Council passed an amendment bill which focusses largely on only one specific subject matter – ‘doxxing’. 

Although there is no indication of when, it is expected that some of the other proposed amendments should form part of a larger package of amendments to the PDPO in the future. 

Amended PDPO

The amendments to the PDPO took effect from 8 October 2021. They include provisions specifically aimed at combatting doxxing activities. Doxxing is the act of publishing private or identifying information about an individual on the internet, typically for malicious purposes – this has become more common in Hong Kong in recent years, including by protaganists on both sides of the Hong Kong protests. In Hong Kong, between June 2019 and April 2021, the Privacy Commissioner for Personal Data (PCPD) received around 6,000 complaints of doxxing-related activities.  

The new provisions fall into three categories:

• the criminalisation of doxxing offences, with more severe sanctions where the doxxing caused actual harm to the victim(s)
• criminal investigation and prosecution powers for the PCPD in relation to such offences, and 
• power for the PCPD to direct the removal of doxxing content and issue cessation notices with extra-territorial effect.  

Doxxing offences

The new two-tier offences under Section 64 of the PDPO are as follows:

“Specified harm” is defined quite broadly and includes pestering, harassment, molestation, threats or intimidation, physical harm, psychological harm, harm causing the person to be reasonably concerned for their safety or wellbeing, and damage to property. 
Applicable defences include: 

• a reasonable belief that the disclosure was necessary for preventing or detecting crime
• a reasonable belief that the data subject gave their consent to the disclosure
• a reasonable belief that disclosure was in the public interest and was made for news activity purposes, and 
• where the disclosure was required or authorised by law or a court order. 

PCPD powers to enforce, investigate and prosecute 

Before the PDPO was amended, the PCPD was required to refer doxxing cases to the Hong Kong Police Force and the Department of Justice for investigation and prosecution. This delayed the handling of cases. Now, the PCPD itself can conduct its own investigations, and has the power to request relevant materials, documents and information and to stop, search and arrest without a warrant any person reasonably suspected of committing a doxxing offence. 

The PCPD also has the power to initiate a prosecution in respect of summary offences at the Magistrates’ Court. 

For more serious cases, the PCPD can still refer cases to the Hong Kong Police Force or the Department of Justice. 

New provisions also empower the PCPD to issue cessation notices with extra-territorial effect to Hong Kong persons or non-Hong Kong service providers where there has been a disclosure of personal data of a data subject (who is either present in Hong Kong or a Hong Kong resident) via a written or electronic message without the data subject’s consent (meeting the elements of the first of the two-tier offences). This can be used to target social media users and, potentially, platforms.

The cessation notice may demand:

• removal of the disclosure from the relevant platform, eg websites and mobile applications
• discontinuance of hosting services for whole or part of the platform on which the disclosure was made, or
• restriction of access to the disclosure or the relevant platform.

Failure to comply with a cessation notice may result in a fine of HK$50,000 and two years’ imprisonment on first conviction. On subsequent convictions, the fine may increase to HK$100,000. 

Comment

The PCPD’s Implementation Guideline on the amended PDPO states that the new provisions target the disclosure of personal data without consent in a doxxing context only. However, the new two-tier offences adopt wide descriptions without mentioning the term ‘doxxing’ which could enable the PCPD to use the new investigative powers and offences more broadly, particularly since the PCPD’s power to request materials, documents and information appears not to be limited only to the new two-tier offences. 

So far, though, the new provisions have been used only in the doxxing context for which they were intended. The PCPD arrested its first two suspects under the new doxxing provisions (for suspected breach of section 64(3A) PDPO) on 13 December 2021 following a victim’s complaint and on 26 April 2021. It conducted a joint operation with the Hong Kong Police Force on 11 May 2022 in which another person was arrested (for suspected breach of section 64(3C) PDPO), and issued its first doxxing charges on 20►May 2022 (against the first arrested suspect). 

Between October 2021 and the end of February 2022, the PCPD issued “more than 460 cessation notices to 12 platforms to request the removal of over 2,400 doxxing messages”. 

Beyond individuals, this has implications for both employers and services providers/online platforms:

• employers should update their internal policies to reflect these changes, in particular to avoid an employee committing an offence of doxxing while working, which could subject the organisation to an investigation, and
• online service providers and social media companies should ensure that they are aware of the new provisions of the PDPO, and create a procedure for responding to and complying with any demand received from the PCPD.

As it is an offence not to comply with an investigation, if in doubt, service providers and any companies receiving a demand or cessation notice should seek legal advice.

The PDPO continues to evolve. The 2021 amendments to the PDPO focussed on doxxing, while leaving other expected amendments such as mandatory data breach reporting and a power for the PCPD to impose direct administrative fines. The PCPD has confirmed, however, that she is working with the HKSAR Government to implement these and other amendments to the PDPO. The PDPC has also recently issued guidance on recommended model clauses for cross-border personal data transfers (see Hong Kong data protection: cross-border transfers of personal data). We will cover key developments in separate articles.

The PCPD has also recently issued Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data. This Guidance note is explained in more detail in our previous article.

Singapore

Our previous article listed the key amendments to Singapore’s Personal Data Protection Act (PDPA) which came into effect on 1 February 2021. As part of the update to the PDPA, follow-up amendments to the Personal Data Protection (Notification of Data Breaches) Regulations 2021 and Personal Data Protection Regulations 2021 have been made, taking effect on 1 October 2021. These include minor clarifications on what constitutes ‘significant harm’ for mandatory data breach reporting, ways organisations may provide the business contact information of their Data Protection Officers and defences for egregious mishandling of personal data. 

The Advisory Guidelines on Enforcement of Data Protection Provisions indicate that the increased financial penalties will take effect on a further date to be notified, and no earlier than 1 February 2022. However, there is no update on when the Data Portability provisions will take effect, which will provide an avenue for individuals with an ongoing relationship with an organisation to request for their personal data to be transmitted in accordance with prescribed requirements to a receiving organisation. 

We set out below some key updates in Singapore which occurred in the last 18 months. 

Cybersecurity 

The Cyber Security Agency of Singapore (CSA) announced, on 5 October 2021, the launch of the updated National Cybersecurity Strategy 2021. In particular, the National Cybersecurity Strategy explains Singapore’s plan to advance international norms and standards on cybersecurity in Singapore and to take a proactive stance against cyber threats. 

The National Cybersecurity Strategy sets out the numerous ways in which Singapore (and businesses in Singapore) can adopt a robust infrastructure against cybersecurity threats. This is important in light of the increased levels of cyber activity that have been recorded in Singapore. As part of our cyber incident response service work, we have seen an increasing number of Singaporean companies become the targets of cyber incidents such as ransomware attacks. 

The first High Court PDPA case 

The Singapore High Court handed down its first ever decision under and on the scope of the PDPA on 25 May 2021. In Bellingham, Alex v Reed, Michael [2021] SGHC 125, the High Court considered the question of what constitutes “loss or damage”, the threshold requirement which data subjects need to satisfy to pursue a right of private action under PDPA.

The High Court held that “loss or damage” must refer only to heads of loss or damage applicable to torts under common law – namely financial loss, damage to property and personal injury including psychiatric illness. Broader concepts of emotional harm (such as humiliation, loss of dignity, injury to feelings and distress) and/or loss of control over personal data are not covered. 

Comment

The High Court’s decision to adopt a purposive and narrow interpretation of “loss or damage” lowers the potential litigation risk arising from private actions under the PDPA by affected data subjects. Data subjects must now prove that the misuse of personal data results in financial loss, damage to property and personal injury, such as psychiatric illness, in order to pursue a private action. 
Of particular importance is the High Court’s finding that the purpose of the PDPA was as much to enhance Singapore’s competitiveness and position as a trusted business hub as it was to safeguard individual personal data against misuse. The High Court also noted that the position in Singapore differed from the position in other jurisdictions, such as the EU, where the data protection frameworks were driven primarily by the need to recognise the right to privacy of data subjects.

Japan

Our previous article listed the key amendments to Japan’s Act on the Protection of Personal Information (APPI) which came into effect on 1 April 2022. That said, stricter financial sanctions had already come into effect, and transitional measures for providing personal data to third parties through an opt-out method had come into effect on 1 October 2021. 

Through the latest changes, financial penalties have increased to a maximum fine of ¥100M (approx. USD755k) for companies, and individuals responsible for a breach of APPI may be subject to a fine of up to ¥1M (approx. USD7.5k) and up to a year in prison. 

Furthermore, on 24 March 2021, the Cabinet of Japan issued an Order to enforce the amended APPI and the Personal Information Protection Commission (PPC) issued Enforcement Rules for the amended APPI. Together, these documents help to clarify the amended APPI provisions. For example, the Order has provided the following helpful explanations: 

data breach notification: the Order has clarified that a notification must be made to the PPC when a breach has or is likely to: (a) involve sensitive personal information; (b) risk property damage; (c) have been committed for an improper purpose, such as a cyberattack; or (d) effect more than 1,000 data subjects. A preliminary report must be made promptly after recognising the breach and a final report must be made within 30 days (or 60 days in the case of (c))

pseudonymisation: the Order has set out processing standards for pseudonymised information (ie processing personal data so that it cannot be used to identify a data subject), which includes the deletion or replacement of the following: (a) descriptions that can identify specific individuals, such as names; (b) individual identification codes; and (c) descriptions that may cause property damage. 

Comment

Companies conducting business in or with Japan should be mindful of the stringent nature of the amendments to APPI which will all come into effect in April 2022. Whilst the Order and Enforcement Rules are helpful for companies to understand their personal data obligations when providing goods and services in Japan or handling the personal data of data subjects in Japan, companies should seek legal advice from Japanese counsel if they have any specific queries.  

Taiwan

Following our last article, there have been no further updates on the proposed amendments to Taiwan’s Personal Data Protection Act (PDPA) and Cybersecurity Act (CSA). Due to the COVID-19 pandemic, the Legislative Yuan’s review of both Acts has been on hold. 

On 25 May 2021, the Personal Data Protection Office (PDPO) announced that Adequacy talks were still active between Taiwan and the EU. Therefore, as part of Taiwan’s pursuit of an Adequacy Decision from the EU, businesses in Taiwan should expect amendments to the Acts to be announced this year. It is expected that the legislative process to amend the Acts will reconvene in the early months of this year.

Mainland China

This article cannot conclude without mentioning the most significant development seen in Asian data protection legislation in the last 12 months – Mainland China’s new Personal Information Protection Law. 

In 2021, the National People’s Congress of the PRC passed the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). Along with the Cyber Security Law (CSL), which was enacted in 2016, the three pieces of Chinese legislation present the three pillars of Mainland China’s data protection system which forms an overarching framework for governing data processing and cybersecurity issues. 

PIPL

PIPL received a lot of attention around the time it came into effect on 1 November 2021, and with good reason. PIPL provides a robust data protection system which is similar in many ways to the EU’s GDPR. Of particular importance to multi-national corporates, PIPL has extra-territorial effect.  

Our key takeaways from PIPL are as follows:

extra-territoriality: PIPL applies to companies that process the personal information of Mainland Chinese individuals inside or outside of Mainland China for the purposes of offering products or services to them or analysing and assessing their behaviour. Article 3 of PIPL is very similar to Article 3 of GDPR, both of which set out the extent of their extra-territorial application

more rights for data subjects: PIPL provides more rights for data subjects and appears to emphasise the need for consent before processing personal information. PIPL requires personal information to be processed under one of seven legal bases, which include where the individual has voluntarily and explicitly provided consent to such processing, and where it is necessary to conduct human resources management in an employment context. Separate consent from data subjects must also be obtained when processing sensitive personal information such as biometric data, medical and health data and financial accounts. Data subjects have the right to access and copy their personal information, correct and delete personal information, restrict or refuse the processing of their personal information, and find out the ways in which their personal information is being used. Data subjects can also opt out of targeted marketing, including push notifications and pop-ups

restrictions on cross-border transfers of data: PIPL stipulates that firms with critical information infrastructure and large amounts of personal information must store this data within Mainland China. If they wish to transfer it out of Mainland China, they will first need separate consent from individuals. Then, they will have to meet certain requirements, such as passing a security assessment of the state cyberspace authority and obtaining the required certification, or entering into a standard contract with the overseas recipient of the data (which will be made available by the cyberspace authority in due course) 

sanctions/penalties: companies that contravene PIPL may face a maximum fine of RMB 50m (about HK$60m) or 5% of their annual turnover. Other penalties can include suspension of operation or loss of license. Individuals responsible for a breach may also be subject to a fine of up to RMB 100,000 (about HK$120,000). Other penalties can include disqualification from acting as a director, supervisor, senior manager or data protection officer. 

Comment

When PIPL came into effect, it was still subject to implementing regulations that had not been issued. Some of those are still awaited. PIPL therefore presents both uncertainty and an aspirational challenge to companies – the Chinese authorities will expect companies to work towards complying with PIPL while the precise implementing rules are finalised. In the context of personal data, however, it can often be cumbersome to change data compliance and governance processes once they have been implemented. 

Companies with businesses or customers in Mainland China need to consider the impact of the new legislation on their operations and data processing activities. Due to the extra-territorial effect of PIPL, companies outside Mainland China that are impacted by the law should already have taken or be taking appropriate steps towards compliance. In many cases, companies may need to conduct a full review of their data processes in order to make the changes necessary to comply with this new ‘Chinese GDPR’. 

Given the business ties between China and many countries around the world, the new law will pose challenges for many businesses around the globe, particularly those in the retail and e-commerce sector which collect and process consumer data. That said, businesses which already comply with the EU’s GDPR should be used to data consolidation and compliance projects and may not need to alter too many of their processes and practices. 

Given the potential financial penalties for non-compliance, businesses in any doubt should at least try to comply and seek legal advice from PRC counsel (to whom we would be happy to make introductions).

Conclusion

The costs of data security compliance are part of the modern-day cost of doing business. In the same way that businesses are required to comply with anti-corruption standards and labour rights, data protection is now firmly another spoke to the wheel of operating in the any market, including in Asia. 

This article provides just a short summary of recent changes in a handful of Asian jurisdictions. The laws in many Asian jurisdictions continue to change regularly. 

As data protection regimes continue to change, with more onerous data protection obligations, it will become important for multi-national corporations to keep abreast of key developments or to face the risk of significant financial penalties (and perhaps more costly reputational damage). 

We will continue to follow the legislative developments and provide further updates on key changes in the future.

RPC frequently advises its clients on all aspects of data privacy and cyber security matters – please do get in touch with us if you would like to discuss how we can help.

The Claimants issued proceedings against TalkTalk following data breaches in 2014 and 2015, alleging that their personal data was obtained from TalkTalk's IT systems by unknown criminal third parties and then used for fraudulent purposes. They claimed compensation for breach of statutory duty under the Data Protection Act 1998 and damages for the tort of misuse of private information.

The judgment followed the ruling in Warren v DSG Retail Limited, which held that claims were not viable in negligence or misuse of private information where the defendant had not committed any voluntary action leading to the loss of confidentiality in the data.

The Claimants attempted to distinguish Smith from Warren by framing TalkTalk's conduct as positive acts rather than a series of failures. But, as Saini J put it, this argument constituted "a negligence action masquerading as a claim for misuse of private information." Ultimately, it was held that the misuse of private information occurred as a result of the actions of a criminal third party and not TalkTalk.

Nevertheless, in a more concerning development, Saini J dismissed the "unconfirmed breaches" strike out application. Certain Claimants could not determine if they were affected by the 2014 or 2015 breaches or some other breach. However, it was held to be a permissible deduction that, if the personal information used by the scammers was not obtained in the 2014 or 2015 breaches, the trigger may have been some other unlawful accessing of TalkTalk's systems. Even though disclosure could be complex and cumbersome, Saini J refused to strike out the claim.

This decision is a welcome re-iteration of Warren as it relates to misuse of private information. However, it does also show as willingness by the Court to show leniency in data protection pleadings where the Claimants can only infer the occurrence of a breach.

Click here to read the High Court judgment from Bailii.

ICO funding update: Fine income retention agreement

The ICO has announced they will now be able to retain up to £7.5 million per financial year of funds raised through civil monetary policy notices. When issuing a civil monetary policy notice, the ICO will be able to use funds to cover pre-agreed, specific and externally audited litigation costs.

The justification for the agreement has been said to be the increasing quantity and complexity of claims within the digital age. The additional funding will allow the ICO to maintain the technical and legal capacity needed to deal with ongoing and future matters. This change has been agreed to by the Department for Culture, Media and Sports and HM Treasury.

The ICO will be subject to auditing by the National Audit Office each year to ensure that these funds are only recovered where appropriate, and the ICO will report fines and associated costs in its Annual Report and to HM Treasury.

The ICO have called this measure an "appropriate and proportionate regulatory action" and the new funding could help the ICO turn its attention to bigger fish rather than the five-figure PECR fines which have characterised much of its enforcement activity in recent times.

Click here to read the full article as published by the ICO.

Right of access extends to identification of specific recipients to whom personal data are disclosed (AG's opinion)

In RW v Österreichische Post AG, it was determined that a data subject's right of access to information extends to the identification of any recipients of their personal data.

RW made a subject access request to the Österreichische Post (OP), Austria's main postal service, to identify which third parties had received data pertaining to RW from OP. OP provided descriptions of categories of recipients, as well as general information about data sharing, but did not identify specific parties.

Advocate General Pitruzzella (AG) noted that the wording of Article 15(1)(c), GDPR afforded a right to "recipients or categories" and that it was not for the data controller to decide which details to provide the data subject with. Further, Recital 63 of the GDPR provides that data subjects "have the right to know and obtain communication […] with regard to […] the recipients of the personal data".

OP was not in a position to limit RW's right of access to information with respect to their personal data and therefore should have provided specific identification upon request. RW had the right to ensure the lawful use and receipt of its data and to be aware of the ways in which it was being processed.

This ruling clarifies the type of information that data subjects will be entitled to receive from data controllers upon the lodging of a data subject access request. This is an important decision which clarifies data controllers' obligations towards data subjects when similar requests are made.

Click here to read the full opinion of Advocate Pitruzzella from InfoCuria.

People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices

The National Security Agency (NSA), Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency (CISA) have co-authorised a Cybersecurity Advisory detailing how state-sponsored actors of the People's Republic of China (PRC) have engaged in the worldwide targeting of telecommunications companies and network service providers.

PRC cyber actors are known to have participated in the exploitation of publicly identified vulnerabilities. These allow actors to gain access to victims' accounts through publicly available exploit codes. These actors have also been observed to adapt their tactics by monitoring network defenders to continue their systems exploitations undetected.

Known vulnerabilities are exploited through the employing of open-source tools, such as specific software frameworks, to uncover access to small office / home office routers. The actors then leverage these exploitations to identify critical infrastructures, gaining user passwords and access to administrative accounts.

Organisations are encouraged to take mitigating actions such as updating and patching systems/ products, using multi factor authentication, strict password requirements and robust logging and review of network access.

Click here to read the full article published by the Cybersecurity & Infrastructure Security Agency.

Qatar bolsters cyber security in preparation for World Cup

As Qatar prepares to host the 2022 FIFA World Cup, experts are anticipating cyber security issues to arise as a result of wider infrastructure and digital demands. From ticketing to hotels and restaurants, there will be an influx of foreign personal and financial data. Hackers will be hoping to gain the benefit of this data through fake bookings and phishing attempts.

As this is the first event of its kind taking place in Qatar, many have doubts regarding the state's capacity for cyber security defence. Qatar is being faced with a highly concentrated challenge in handling an estimated total of 1.5 million visitors. Interpol hosted cyber security experts on 25 March to analyse potential threats the event would create as part of the wider 'Project Stadia', the Qatar funded security programme.

Qatar will also partner with Morocco, which will be sending a team of cyber security experts to assist with Qatar's existing defences, such as the National Cyber Security Agency (established in 2021). To date, the agency has trained 25,000 employees in aspects of information security and has expressed interest in partnering with global organisations.

Click here to read the full article published by ComputerWeekly.com.

How Cyber Criminals Target Cryptocurrency

The nature of cryptocurrency lends itself to targeting by cyber criminals. Its inherent anonymity and lack of centralised regulation makes cryptocurrency a practical target and medium of exchange.

Researchers have observed a variety of threats, such as traditional fraud targeting individuals and organisations to facilitate storage and transfer of cryptocurrency. The total reported value of cryptocurrency lost due to cybercrime was reported to be around $14 billion in 2021.

Phishing campaigns that target or utilise cryptocurrency can be broken down into three main categories:

• Credential Harvesting – This is typically a URL sent to the potential victim leading to a false landing page, designed to imitate a popular website. This prompts the user to input log-in information or recovery phrases ultimately giving the cyber actor access to their account.
• Cryptocurrency Transfer Solicitation – This is a popular and more traditional form of cybercrime where the threat actor attempts to extort funds from the victim through social engineering. For example, the actor may claim to have sensitive data, pretend to be a business or claim to be collecting for charity. Cryptocurrency is commonly used as the means of transferring these funds due to its anonymity.
• Specific Targeting of Cryptocurrency Data – Malware that targets user data (such as passwords or financial information) has been adapted to target and monitor cryptocurrency activity. These typically fall under the malware family of 'infostealers' that log user inputs, take screenshots and search data for sensitive files.

As an industry of growing interest, it is important to be well-informed of the threats arising from social engineering, exploitation and malware.

Click here to read the full article published by Proofpoint.

• failing to use the information of people in the UK in a way that is fair and transparent;
• failing to have a lawful reason for collecting people’s information;
• failing to have a process in place to stop the data being retained indefinitely;
• failing to meet relevant data protection standards;
• asking for additional personal information, including photos, when asked by members of the public if they are on their database, potentially acting as a disincentive to individuals who wish to object to their data being collected and used.

The ICO also issued an enforcement notice which ordered Clearview to refrain from using the personal data of UK residents that is publicly available on the web and to erase any existing data from its systems. 

Click here to read the ICO's article.

DCMS publishes new research on cyber security issues in use of internet-connected devices by businesses

The Department for Digital, Culture, Media & Sport (DCMS) has published research on cybersecurity in internet-connected devices used by businesses and organisations, with this forming part of the NCSC's £2.6 billion strategy to protect and promote the UK online. 

The DCMS has released two publications on cyber security issues in internet-connected devices used by businesses: "Literature Review on Connected Devices within Enterprise Networks" (here), as well as "Enterprise Connected Devices: Procurement, Usage and Management Among UK Businesses" (here).

These publications have revealed that, despite significant concerns from IT professionals about device security, enterprise connected devices are being deployed and relied on by a large number of organisations. A large volume of connected device deployments are unsanctioned. This is particularly noteworthy when considered alongside the fact that businesses reported a broad range of connected devices used within organisational networks, with numbers ranging from 6,000 to 50,000 devices. 

The scale of the risk faced by business is amplified by the vulnerabilities which are found regularly in enterprise connected devices, with organisations lacking clarity on how to protect themselves against these exposures. Potentially vulnerable devices can provide a route for hostile actors to attack enterprise systems. 

The DCMS also published research from the NCSC on the threat of enterprise connected devices (here). The NCSC has published industry principles that manufactures can use to identify which security mitigations should be included in their products.

Click here to see the DCMS press release.

NCSC significantly expands services to protect UK from record number of online scams

The NCSC's Active Cyber Defence Programme (ACD) has successfully removed a record number of online scams from the internet last year. This rise is reflective of the expansion of the NCSC's services to take down malicious online content, rather than an increase in scams overall.

The most common scams included fake celebrity endorsement scams and bogus extortion emails, as well as NHS vaccines and vaccine passports. The NCSC removed in excess of 1,400 NHS-themed phishing campaigns last year, an 11-fold increase on 2020. 

Other key highlights from the fifth year of ACD’s operations include:

• More than 1.2 million domains linked with the Android malware Flubot (a malicious app) were blocked – this malware was distributed to the public posing as ‘missed delivery’ messages;
• 33 million events were flagged on the networks of several organisations as part of the NCSC's Early Warning service, indicating something potentially malicious or vulnerable was on their systems;
• 10,000 users around the world have used the Exercise in a Box toolkit – a service which helps organisations practise their response to a cyber incident.

Click here to read the NCSC press release.