From breach to enforcement: critical insights into cyber security and data privacy
Our legal experts welcomed the ICO to our most recent event as we explored the most pressing issues surrounding cyber security and data privacy enforcement. Explore the essential takeaways here.
1. A patchwork of regulation, with increasing emphasis on management liability
There is a significant quantity of existing, new, and upcoming (global) legislation which governs cyber security (with numerous competent regulators, not just data protection authorities). We recommend adopting a thematic approach to grappling with overlapping requirements. See our digital regulation timeline for a snapshot of UK and EU legislation.
In the UK, there is increased focus (including from the NCSC, the UK's technical authority for cyber matters) on management's role in reducing cyber threats. In the EU and USA, there has been an increase in shareholder and criminal claims against senior management (including CISOs), and EU legislation, such as DORA and NIS2, specifically imposes personal liability for certain cyber compliance.
2. Crisis plans should not be over-engineered
Every crisis is different. The key is to create a crisis framework that gets the right people around the table quickly and enables those people to get the information they need to make sound decisions under pressure. Table-top exercises and crisis documentation need to be simple, accessible, and regularly rehearsed and updated. Focus should be placed on the practical measures that can be taken to save time in the first 72 hours (e.g. simple summaries of where data is located, who controls it, and which regulators are relevant).
3. Get your notification right (and on time)
The ICO seems to be focussing on the content and timing of notifications (including issuing guidance emphasising the need for data subject notifications to be empathetic). Data controllers should make sure that they are submitting notifications in time and prior to details of the incident becoming public. Ensure that you're notifying all relevant regulators (not least given that regulators continue to liaise and cooperate).
4. A softer cyber insurance market, but wide variations
The cyber insurance market has softened somewhat, but we are still seeing wide variations in policy cover and in the quality of incident response services provided by insurers. It's vital that, before a claim materialises, clients understand what cover they have, how it will respond in the event of an incident, and how they will work with insurers to ensure an efficient process and timely payment, rather than leaving it to chance.
5. Due diligence and integration planning
In corporate transactions, consider the business type, seller's liability cap, and insurance coverage during due diligence. Don't assume warranty and indemnity insurance covers everything. Plan for integration to mitigate risks from inherited systems, as poorly integrated bolt-ons deter future buyers.
* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
** These materials are provided for general information purposes only. They are not intended to be, and should not be used as, a substitute for taking legal advice. Specific legal advice should be taken before acting on any of the topics covered.