Cybersecurity and the UK legal landscape

As businesses continue to digitise their assets and operations, the need to continually assess IT infrastructure and the technical measures in place to safeguard key information assets and data becomes ever more important. Implementing leading-edge cybersecurity measures to meet the evolving threats is essential, but this alone is not enough to ensure compliance with the cybersecurity laws.

Overview

Implementing a cybersecurity programme that adequately protects against would-be attackers and ensures compliance with applicable laws is one of the key challenges faced by businesses operating in the UK. This is made more complex as there is no single overarching "cybersecurity law" in the UK. There are laws imposing cybersecurity obligations that apply to all businesses, and laws that apply to businesses falling within specific sectors and satisfying specific criteria.

Where the law in the UK does impose cybersecurity obligations, businesses are generally afforded freedom and discretion concerning their approach to compliance. This flexibility is essential as the threats posed by would-be attackers are continuously, and rapidly evolving. Businesses are relatively static targets and this dynamic favours would-be attackers. Businesses  must therefore deploy their limited resources in a manner that ensures the defence techniques and tools used continue to be adequate and protect against the greatest identified threats and known vulnerabilities. The measures must also be suitable for each business, taking into account its own circumstances, the risk level, the state of the art and cost of implementation.

Although the law does not punish businesses for simply falling victim to cyber-attacks, sanctions will be imposed when a business has failed to implement measures to safeguard systems and data from would-be attackers and for inadequate responses to attacks. 

This article primarily focuses on the most recent legislative measures applicable to businesses in the UK, namely the General Data Protection Regulation ("GDPR") and the Network and Information Security Regulations 2018 (the "NIS Regulations"). Other laws and regulations that may be relevant include the Computer Misuse Act 1990, Communications Act 2003, Privacy and Electronic Communications (EC Directive) Regulations 2003, the FCA Handbook, the PRA Rulebook, and the common law tort of misuse of private information.

GDPR Obligations

The processing of "personal data" in the European Economic Area ("EEA") is governed by the General Data Protection Regulation ("GDPR"). In the UK, businesses must also comply with the Data Protection Act 2018 (the "2018 Act") which gives effect to the GDPR.  The introduction of the GDPR and the 2018 Act materially altered the risk landscape for all entities involved in the processing of personal data. Both the GDPR and the 2018 Act require businesses to implement security measures to safeguard the personal data that they process.

The GDPR and the 2018 Act require that businesses keep personal data secure and only permit third parties access to the personal data subject to sufficient guarantees regarding the security of the processing services. Businesses must implement measures that are both technical (e.g., firewalls, anti-virus programs, perimeter scanning tools) and organisational (e.g., policies and procedures that must be followed by personnel regarding cybersecurity) to safeguard personal data. Businesses are required to protect against unauthorised or unlawful use of the personal data and against, loss, destruction and damage of the same.

Businesses must take account of a number of factors when determining what security measures to implement. Factors such as: (i) the state of the art; (ii) the cost of implementation; (iii) the nature, purposes, scope and context of the processing of the personal data; and (iv) the risks to individuals associated with the processing, must be considered. Clearly, the more sensitive the personal data that is being processed (e.g., health data), the more robust the associated security measures should be.

The UK Information Commissioner's Office (the "ICO") also provides some specific recommendations for businesses regarding other factors that should be considered when determining what security measure to implement. The ICO recommends considering factors such as the nature and extent of a business's premises and computer systems, the number of staff and the extent of their access to personal data, and any personal data held or used by a data processor acting on the business's behalf.

Failing to implement appropriate security measures to safeguard personal data can result in enforcement action, including the imposition of significant fines (up to the greater of €20 million or 4% of annual global turnover). Enforcement action can be taken even in the absence of cyber-attack or data breach.

NIS Regulations Obligations

Whereas the GDPR is concerned with the security of personal data, the NIS Regulations are concerned with the security of information systems. The NIS Regulations impose cybersecurity-related obligations on operators of "essential services" (such as businesses in the energy, transport and/or health sector) established in the European Union (the "EU") and "digital service providers" (such as cloud service providers and providers of online marketplaces) that offer services to individuals within the UK.

Businesses subject to the NIS Regulations are required to implement appropriate and proportionate measures to manage risks posed to network and information systems and to prevent, and minimise the impact of, incidents affecting the security of the network and information systems.   

As with the obligations in the GDPR and 2018 Act, businesses subject to the obligations in the NIS Regulations have freedom to determine what measures are appropriate and proportionate. In order to satisfy this obligation, an organisation must understand the risks posed to its network and information systems

Businesses subject to the NIS Regulations should be familiar with the work of the National Cyber Security Centre ("NCSC") in the UK and the guidance it publishes with respect to complying with the NIS Regulations. The NCSC also oversees the "cyber essentials" certification scheme. This is a government-backed and industry supported scheme that provides self-assessment certification to help organisations protect themselves against common cyber-attacks and aids compliance with the NIS Regulations. It includes a security questionnaire and external vulnerability testing to assist businesses in assessing their cybersecurity.  

A failure to meet the requirements of the NIS Regulations can result in enforcement action, including the imposition of significant fines up to a maximum of £17 million.

Other Legal Requirements and Considerations

In addition to the GDPR, the 2018 Act and the NIS Regulations, businesses operating in the UK may be subject to other laws, regulations, industry rules and the common law. For example, businesses providing electronic communications networks and services have specific obligations to implement technical and organisational measures to appropriately manage risks to the network and services, to prevent or minimise the impact of security incidents on end-users and to protect data in transmission.

Similarly, businesses in the financial services sector must establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in its processes and systems.

Also, foreign businesses in the UK will also have to consider the requirements of the law in their own jurisdiction.

In the US for instance, although there is no national cybersecurity law the Federal Trade Commission functions as the de facto U.S. consumer data security federal regulator and requires that companies protect consumer personal data through "reasonable" security with consideration given to the company's processes, the volume and sensitivity of information the company holds, the size and complexity of the company's operations, and the cost of the tools that are available to address vulnerabilities. A number of industries are separately regulated as well, including health care providers, which must maintain protected healthcare information pursuant to exacting standards the violation of which may include substantial fines as well as criminal imprisonment. The electric power industry, by way of further example, must conform to critical infrastructure protection reliability standards that cover over 150 cybersecurity measures overseen by the not-for-profit North American Electric Reliability Corporation under the supervision of the Federal Energy Regulatory Commission. Financial institutions are among the most heavily regulated entities, at both the federal and state levels, and similarly are required to protect customer personal information against reasonably foreseeable threats to security. New York State's Department of Financial Services (NYDFS) made news in 2017 when its cybersecurity requirements for financial services companies went into effect. Financial firms that fall under the NYDFS regulation are subject to a host of minimum security standards to protect nonpublic information (including, but not limited to, personal data) and information systems, with requirements that range from mandatory risk assessments, written cybersecurity policies, third party service provider risk management controls, and annual self-certifications from senior leadership or the board.

Maintaining customer confidence also requires businesses to communicate effectively with customers regarding the security measures in place and, in the event of a cyber-attack, how customer data is being protected against misuse. Poor communication with customers in the event of a cyber-attack can be seriously damaging to the customer relationship and mismanagement of an incident could cause irreparable damage to customer and market confidence in the business.

Practical Steps

Businesses subject to the GDPR, NIS Regulations and/or other laws requiring the implementation of cybersecurity measures, can take the following steps as part of their efforts to comply with the requirements to keep data and information systems secure:

1. Keep software up to date.
2. Passwords should use a passphrase which includes a combination of lowercase, uppercase, letters, numbers and symbols. Default passwords should never be used.
3. Use full disc encryption and/or file encryption to secure data.
4. Implement "least privileged access" to ensure users of IT systems only have the access privileges that they need to do their job.
5. Establish an incident response and disaster recovery process. This is crucial as the GDPR and NIS Regulations require notification of qualifying incidents without undue delay and, where feasible, no later than 72 hours after a business becomes aware of it.
6. All information received by, or sent from, a business should be scanned for malicious content.
7. Identify a secure standard configuration for all existing and future IT equipment used by the business.
8. Maintain an inventory of all IT equipment and software.
9. Restrict the use of removable media such as USB drives, CDs, DVDs and secure digital cards, and protect any data stored on such media to prevent data being lost and malware from being installed.
10. Use a firewall to secure internet connections.
11. Consider the use of Artificial Intelligence to support the cybersecurity defence strategy (e.g., endpoint detection and response tools that use machine learning to better identify malicious files and activities).
12. Conduct regular security audits and reviews (e.g., vulnerability scans and penetration testing). 
13. If employees are permitted to connect to the network using their own devices, ensure only authorised access to company documents is allowed.
14. Implement remote wipe policies, procedures and passcode locks.
15. Ensure policies address business processes (such as email, web browsing, removable media and personally owned devices) that are vulnerable to cyber-attacks. Audit implementation of policies to ensure these have been enacted correctly.
16. Provide regular training for employees so that they understand cyber-threats and recognise data breaches.
17. Monitor use of all equipment and IT systems, collect activity logs, and ensure that the capability exists to identify any unauthorised or malicious activity.
18. Consider requiring personnel responsible for cybersecurity to be accredited by a recognised industry body (e.g., CIPT).
19. Consider working towards certification from a recognised industry body in respect of the implemented IT security measures (e.g., ISO 27001).
20. Continually re-assess and re-evaluate the cyber-threat landscape and likely attack vectors to ensure that the business is deploying resources in an efficient and effective manner.

Impact on Businesses

Businesses must adopt a multi-faceted and risk-based approach to cybersecurity. The implementation of comprehensive cybersecurity mechanisms, policies and procedures is a crucial part of a business's overall strategy for cybersecurity compliance and for protecting key IT systems and information assets. Testing implemented measures regularly to assess their effectiveness as well as upgrading and enhancing them from time to time to remain current with wider technical developments is key.

Legal compliance requires the implementation of robust cybersecurity measures. Maintaining customer confidence requires businesses to continually adapt and react quickly as attack vectors change and new vulnerabilities are identified. Understanding the evolving nature of the threats they face, the weaknesses in their systems and identifying high-value information assets will enable businesses to deploy a strategy that offers the best protection.

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP