Cyber_Bytes - Issue 75
Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
New App - RPCCyber_
As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPCCyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.
RPCCyber_ can be downloaded for free from the Apple Store or Google Play Store.
Data (Use and Access) Act 2025 comes into force
The much-anticipated Data (Use and Access) Act 2025 (the Act) received Royal Assent on 19 June 2025. The Act is broad, and it includes provisions to enable the growth of digital verification services, new Smart Data schemes like Open Banking and a new National Underground Asset Register. Designed to streamline compliance and support innovation, the Act updates core provisions of the UK GDPR, Data Protection Act 2018, and PECR.
The Act's main provisions relate to:
- Automated Decision-Making
- Subject Access Requests
- Children’s Data Protection
- Scientific Research and Broad Consent
- Recognised Legitimate Interests
- International Data Transfers
- Internal Complaint Handling
- Cookies and PECR Enforcement
- Law Enforcement and Intelligence Processing
One of the Act's most notable changes is to the rules around automated decision-making (ADM) about individuals which produces legal or similarly significant effects. The previous restrictions on solely automated decisions under Article 22, UK GDPR have been updated. Under the new rules, these decisions are permitted in some circumstances, provided that appropriate safeguards are in place.
The Act has also made significant changes to the legitimate interests basis for processing personal data, implementing a new lawful basis for data processing where it is necessary and connected to a "recognised legitimate interest". Such interests include defence, emergency response, crime and security. This makes it easier for organisations to make a case that data has been processed based on a legitimate interest ground.
You can read the Government's summary of the changes to the UK’s data protection and privacy legislation in the Data (Use and Access) Act 2025 here.
AI risks leaving UK businesses exposed to liability
In a recent interview by Law 360, Richard Breavington – partner in the Cyber and Data Privacy team at RPC – commented on the legal risks potentially faced by businesses when implementing and relying upon AI agents. Speaking about the risk of liability for losses caused to clients as a result of malfunctioning AI-based agents provided by third parties, Richard was quoted as saying:
"You've got this position where, actually, it's not your fault, necessarily, you're relying on a bit of new software that's cutting edge… But, if there's a problem, you're going to end up with liability and…unable to completely recoup that liability."
In addition to commenting on the potential for recovering from AI agent providers in respect of liability to third parties, the article also considers some of the potential challenges around insuring those liabilities under traditional lines of insurance.
The net result of these considerations is that businesses could face potential liabilities that are both difficult to recover in full from the party responsible and also not straightforward to insure. "I don't think this is something that has been fully recognised" is the concluding quote.
Click here to read the article on Law 360.
US Cyber premiums drop
For the first time since records began in 2015, U.S. cyber insurance premiums declined in 2024. According to Insurance Business America, direct written premiums dropped by 2.3% in 2024, falling just below $7.1 billion. This marks a significant moment in the evolution of the cyber insurance sector, indicating the market is entering a new, more mature phase. Importantly, the decline in premium volume does not reflect a diminished demand for cyber coverage.
This mirrors the trends seen in the UK, particularly in relation to premiums for larger companies. Having experienced a significant spike in premiums in 2020, they are now frequently seeing rates remain the same or reduced at renewal. In fact, in the first quarter of 2025, prices dropped 7% on primary layer insurance in the UK, which makes taking out cover more accessible for small and medium-sized businesses.
However, as recent attacks in retail demonstrate, decreased premiums are not a sign of a reducing demand or necessity for cyber insurance. Data suggests that ransomware claims were up by one-third in the first quarter of 2025 compared to the fourth quarter of 2024. Moreover, organisations of all sizes can be vulnerable to ransomware and social engineering attacks, so it is as important as ever to hedge appropriately against these risks by investigating the need for cyber insurance or, if cover is already in place, considering the scope of coverage that the policy offers.
You can read more from Insurance Business here and from Marsh here.
Judgment Alert: Raine v JD Wetherspoon Plc [2025] EWHC 1593 (KB)
The High Court has recently clarified legal principles surrounding the misuse of private information, breach of confidence and data protection.
The case arose from an incident in which the Claimant, a former employee of JD Wetherspoon Plc (Wetherspoon), was targeted by her abusive ex-partner. Posing as a police officer, he successfully obtained the Claimant’s mother’s mobile phone number from pub staff, who disclosed the information in breach of the company’s own confidentiality policies. The number had been stored in a locked personnel file marked "Strictly Private and Confidential". This deception led to further harassment, exacerbating the Claimant’s pre-existing psychological conditions.
Bright J rejected Wetherspoon's argument that the Claimant's mother's mobile phone number did not constitute the Claimant's information or that she had no reasonable expectation of privacy in it. The judge dismissed JD Wetherspoon’s appeals in full, upholding the initial rulings for the Claimant's arguments of misuse of private information and breach of confidence. The High Court also found that the previous judge was wrong to reject the Claimant's Data Protection Act 2018 (DPA 2018) and UK General Data Protection Regulation (UK GDPR) claims. The court held that disclosure of information can constitute "processing" even if the disclosure is oral.
The Court upheld £4,500 in damages and a full recovery of the claimant's legal success fee for the exacerbation of the Claimant's existing psychological conditions.
Click here to read the judgment.
UK Government Responds to New Measures to Target Ransomware Attacks
The UK Government has released its response to the contributions received during its public consultation on its proposed ransomware legislation.
There were three proposals on which the Government requested insight:
(i) a ban on ransomware payments for all public sector bodies and operators of critical national infrastructure;
(ii) a ransomware payment prevention regime; and
(iii) a mandatory incident reporting regime.
There was widespread support for both the targeted ransomware ban and the mandatory incident reporting regime, with the two proposals garnering approval from almost 72% and 63% of participants respectively.
Despite the strong support for both proposals, commentators had concerns about their scope and implementation. Respondents emphasised that the success of these proposals would turn on the availability of sector-specific accessible guidance to support implementation and to reduce the administrative burden on SMEs. They also requested clarity over the inclusion of supply chains within the targeted ban and the inclusion of individuals within the reporting regime.
In contrast, the wider ransomware payment prevention regime received a mixed response, with only 47% of respondents in favour.
The primary concern was that it would redirect and concentrate ransomware attacks to those outside of the regime, rather than reducing the number of attacks. There was also doubt about the Government's claims that the regime would enable law enforcement to intervene and investigate ransomware threats.
The Government has confirmed that it will continue to work with industry to refine its proposals and resolve concerns over the proposals' scope and implementation.
You can read the Government's consultation outcome here.