Cyber

Published on 21 January 2026

Written by Elizabeth Zang

Key developments in 2025

A key trend we have witnessed in 2025 has been the rise in cyber incidents which have a significant supply chain impact. According to Cyble, cyber-attacks with supply chain implications have averaged 26 a month since April 2025, twice the rate between early February 2024 and March 2025.

Supply chain incidents have been ticking up the agenda for a number of years now but, this year, they have been particularly well-publicised with a number of high-profile incidents including those suffered by M&S, Co-op and Jaguar Land Rover.

Supply chain attacks are highly disruptive, impacting many organisations throughout the supply chain. They can be difficult for organisations to protect against because, even if an organisation has adequate security standards and is not subject to a cyber incident directly, it can still be affected by security issues that may exist elsewhere in the supply chain. In this situation, the incident could create potential notification obligations and litigation implications relating to an incident of which the organisation has incomplete knowledge and control.

However, businesses need to rely on outsourced providers for a wide range of company functions, from payroll services housing employees' financial information to CRM systems hosting client data. The key will be balancing the commercial opportunity that comes with supply chains against the risks. These risks can to some extent be managed through appropriate due diligence checks, not just on internal security, but also on the security of suppliers. In addition, contractual arrangements should include obligations on the supplier to ensure any sub-suppliers also maintain appropriate technical and organisational security measures. Supply contracts should also contain appropriate obligations to notify and keep updated in the event of breach – good lines of communication from the supplier can be critical in circumstances where an organisation may be required to notify the ICO, its clients and/or affected data subjects.

What to look out for in 2026

In 2026, we expect to see an uptick in data subject litigation claims being brought against organisations following cyber incidents and other data breaches. 

Such cases have been recently aided by the Court of Appeal judgment in Farley[1].

In this case, the administrator for the Sussex Police pension scheme sent an annual benefit statement to scheme members. This contained personal data including date of birth, national insurance number, police service, salary details and accrued and forecast pension benefits. More than 750 annual benefit statements were posted to out-of-date residential addresses. Each claimant complained of being caused “anxiety, alarm, distress and embarrassment”. It was argued that the claimants should receive “compensation for moral and/or non-material damage”.

The Court of Appeal concluded that, whilst losses would need to be “well-founded” and based on more than a “purely hypothetical risk”, there is no requirement for distress - a successful claim can be made in respect of “annoyance or irritation caused by fear of third party misuse”.  In addition, it concluded that there is no minimum threshold of seriousness for a successful data subject claim under the UK GDPR.

This is potentially significant for the data subject litigation landscape. Since 2021, Lloyd v Google[2] had set the bar for data subject litigation claims under the UK GDPR, appearing to establish that compensation is unavailable unless a minimum level of seriousness had been met. Farley appears to effectively overrule this and to put in place a potentially lower bar for a valid claim, which could encourage data subject claimants (and claimant law firms) to become more active.


[1] Michael Farley v Paymaster (1836) Limited trading as Equiniti [2025] EWCA Civ 1117

[2] Lloyd v Google LLC [2021] UKSC 50
