
Cybersecurity and data breaches – the direction of travel

2018 was a big year for data breaches and cybersecurity, at least in terms of legal obligations. Looking forward to 2019, some of our predictions are relatively obvious; others are hopefully a little more thought-provoking.

December 2018

This year, the GDPR (sorry, we had to say it) and the Data Protection Act 2018 have, in practice, substantially changed the landscape for data breach investigation and notification, and for potential penalties. We have also seen the two biggest fines for pre-GDPR breaches, each at the maximum (£500,000) previously permitted. Equifax, one of the recipients, was found to have breached five of the eight data protection principles, which by any standards is quite an achievement.

Someone will be made an example of

We do expect to see the first significant fines under GDPR/DPA2018, with British Airways being an obvious candidate bearing in mind the volume of card data live-scraped from their website, and early indications as to how the attack took place. There is still obviously very limited information in the public domain. We expect that in 2019 there will be the first multi-million pound fine following a data breach, although we certainly don't expect this to be commonplace. The ICO's approach has changed, but in our view should be characterised as "speak a bit louder and carry a big stick. But don't hit people with it too often."

We also expect, as more breaches are notified and investigated and result in Monetary Penalty Notices (otherwise known as fines), to see more appeals of MPNs following data breaches. Historically these have been rare, but given the potential impact of determinations by the ICO on class actions, the risk profile of MPNs will change substantially.

Class actions are coming

This brings us on to the issue of class actions. Within days of the British Airways breach, a US class action law firm had sent a letter of claim to BA demanding damages of £475 million, i.e. £1,250 for each data subject impacted in the first breach. At the time of writing, it doesn't look as though a claim has been issued, so we expect that negotiations are ongoing between the parties. As more breaches enter the public domain, and with certain litigation funders actively looking to fund data breach class actions, we expect this to become the new normal. Jurisprudence on class actions before the English courts remains relatively undeveloped, and given the potential value of claims we expect to see a rash of applications as defendants try to break up classes early in litigation. For funded claims, breaking up a class will diminish the potential recoveries, which will make proceedings less attractive to funders. If we're really lucky, we might see someone try to make sense of the class action mechanism in the GDPR under English law. Good luck to them; most claims before the English courts will likely use the representative action or group litigation mechanisms under CPR 19.

Speaking of class actions, some of you will no doubt have been feeling little pangs of loneliness now that the wave of SMS messages about PPI claims seems to have died down somewhat. Never fear, spam SMS inviting you to claim damages if you were impacted by the breach will no doubt be coming soon. Many of those SMS messages will, of course, be sent in breach of PECR.

Cyberliability insurance will become more sophisticated

As we see more breaches, we think we'll start seeing disputes over the scope of cover under cyberliability insurance policies. The market is still immature in the UK and there aren't really any standard terms, with the result that many policies contain wide exclusions or provide cover which is very narrow (although that may, of course, be what the insured bought). Moreover, unfortunately, we've seen some actions recommended by insurers' breach management services which have worsened the insured's position. As the risks associated with breaches increase, we expect to see some coverage disputes, particularly as, in our view, businesses haven't always fully understood the cover that they have bought (or the exclusions to it). Eventually, we expect to see common practice and some standard terms developing across the cyberliability insurance market, but in our view that is still many years away.

Minimum security standards as standard?

As more penalties are handed down by regulators, we expect to see some standardised minimum security standards (as far as the regulator is concerned) start to develop. As more breaches are reported under the GDPR and DPA 2018, the ICO will consider a greater level of regulatory action. This means we will have a greater body of authority from the regulator as to what it considers to be unacceptable security practice. However, care needs to be taken (on both sides) as to how this is interpreted in practice. The reality is that although there are practices which are never acceptable (such as still protecting stored passwords with plain MD5, which is a broken hash function rather than an encryption algorithm and in any case offers no protection against offline cracking), a substantial number of security practices will fall into a grey area which is dependent on the facts of the particular breach, the resources and capability of the data controller or processor, and their overall security stance. Care will need to be taken when interpreting the wider impact of regulatory decisions.
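To make the MD5 point concrete, the following is an added example (not code from the article or from the firm) showing why unsalted MD5 password storage sits on the "never acceptable" side of the line and what the minimum-standard alternative looks like. The leaked "user table", the wordlist and the user names are constructed for the demonstration; the hardened form uses Python's standard-library scrypt with a per-user random salt.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample: a small attacker wordlist and a leaked table of
# unsalted MD5 password hashes, i.e. the storage pattern the article
# describes as never acceptable. Names and passwords are made up.
WORDLIST = ["password", "letmein", "Summer2018", "qwerty", "hunter2"]


def md5_hex(password: str) -> str:
    """Plain MD5 of the password, no salt: what a weak system stores."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


LEAKED_MD5: Dict[str, str] = {
    "alice": md5_hex("Summer2018"),
    "bob": md5_hex("hunter2"),
    "carol": md5_hex("correct horse battery staple"),
}


def crack_unsalted_md5(leaked: Dict[str, str], wordlist) -> Dict[str, Optional[str]]:
    """Offline attack on unsalted hashes.

    Because there is no salt, one MD5 per candidate word is enough to test
    that word against every user at once, and the table can be precomputed
    long before the breach. Returns the recovered password per user, or
    None where the wordlist did not contain it.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {user: table.get(digest) for user, digest in leaked.items()}


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened form: memory-hard KDF with a random 16-byte salt per user.

    The salt is stored alongside the digest; it is not secret. It defeats
    precomputed tables and forces the attacker to pay the full cost of
    scrypt separately for every user and every candidate password.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32
    )
    return salt, digest


def scrypt_verify(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = scrypt_hash(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    cracked = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    for user, pw in cracked.items():
        print(f"{user}: {'cracked -> ' + pw if pw else 'not in wordlist'}")

    # Two users with the same password get unrelated scrypt digests,
    # so the stored table no longer even reveals password reuse.
    s1, d1 = scrypt_hash("hunter2")
    s2, d2 = scrypt_hash("hunter2")
    print("same password, different digests:", d1 != d2)
    print("verify correct password:", scrypt_verify("hunter2", s1, d1))
    print("verify wrong password:", scrypt_verify("hunter3", s1, d1))
```

The cracking step recovers every wordlist password in the leaked table with one hash computation per word, regardless of how many users there are; the scrypt variant makes that cost per user and per guess, which is the property a regulator would expect a controller holding passwords to have had in place.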

Phishing stocks are far from exhausted

One easy prediction is that phishing attacks will still have depressingly high success rates. As an example, we have seen a number of significant attacks by crime groups who have accessed client systems, exfiltrated significant volumes of data, then ransomed the company, threatening the release of commercially sensitive or confidential data unless millions of pounds' worth of Bitcoin are paid to the attackers. There is a significant amount that can be done in terms of injunctions against such attackers, which are then used to block their 'route to market' (for example, obtaining a court order to require websites on which the stolen data is published to take the data down). Training on spotting phishing emails, easy methods by which staff can pass potential phishing emails to IT for checking, and technical solutions that check all links which employees click on in emails are essential to minimise risk.

In October, we launched TW:Detect, a product aimed at assisting e-commerce clients in identifying potential compromises of their websites. The product was developed as a result of a series of attacks this year which have successfully accessed full credit card information as orders were being placed. If you would like more information, please contact Paul Glass.

If you have any questions on this article please contact us.

Paul Glass

Paul makes his top five predictions for the world of cybersecurity in 2019.