The UK law surrounding the control and management of data and cyber security has been developed in conjunction with other EU states and often at the direction of the EU itself. The future development of the law in this area is, therefore, uncertain following the UK’s recent decision to withdraw from the Union. This is also a very fast-developing area, and the legislature, both in the UK and in the EU generally, is not always able to keep up. For that reason, it is important that organisations take their own steps to strengthen their cyber security arrangements and ensure that they have appropriate recovery plans and insurance in place to deal with what is now almost the inevitability of a data ‘cyber event’ affecting them.
Data Protection Act 1998
Clearly, one of the biggest exposures in the cyber area is the danger of data breach or the loss of data. English law in this area is based on the Data Protection Act 1998 (“DPA”). The DPA implements the relevant European law contained in EU Directive 95/46/EEC (the “Data Protection Directive”). The DPA applies to ‘personal data’ as defined and not to other information or material. Subject to that caveat, the scope of the DPA is wide.
The DPA applies to entities that hold or process data and are “established” in the UK. This would include organisations which are incorporated in the UK or which have a partnership or an “office, branch or agency” here in the UK. The DPA may also apply if an organisation has a “regular practice” in the UK. “Regular practice” is not a defined term in the Act and so a careful examination of the facts will be required in each case to see if this jurisdictional threshold is triggered.
Even if an organisation is not “established” in the UK, it may still be subject to the DPA if it “…uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.” This will require a consideration of where an organisation stores its data (e.g. where its servers and back-up servers are kept). If the DPA is triggered then the organisation will be under an obligation to appoint a “representative” in the United Kingdom for the purposes of complying with its obligations under the Act.
As noted, the DPA only applies to ‘personal information’ which is defined as:
“data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”.
A person or organisation responsible for the processing of personal data is likely to be a ‘Data Controller’ for the purposes of the Act and will have responsibilities for the management and processing of the data in accordance with the principles laid down in the Act.
Compliance with the DPA is enforced by the Information Commissioner’s Office, which has several options if it finds an organisation to be in breach of the Act:
- Monetary penalty notices: Fines of up to £500,000 for serious breaches of the DPA.
- Prosecutions: Including possible prison sentences for deliberately breaching the DPA.
- Undertakings: Organisations have to commit to a particular course of action to improve their compliance and avoid further action from the ICO.
- Enforcement notices: Organisations in breach of legislation are required to take specific steps in order to comply with the law.
- Audit: The ICO has the authority to audit government departments without consent.
As noted, the DPA is the UK’s expression of the EU’s Data Protection Directive and similar laws have been enacted in the other EU jurisdictions to give effect to the Directive in those countries.
General Data Protection Regulation (GDPR)
The current European Data Protection Directive is, however, in the process of being replaced by the new General Data Protection Regulation (GDPR). This was finally adopted by the Member States of the EU on 25 May 2016 and will be directly applicable in all Member States, without the need for implementing national legislation, from 25 May 2018. It remains to be seen how its application in the UK will be affected by the Brexit timetable, but it seems likely that some form of legislation along the lines of the GDPR will be adopted here.
The GDPR will have a significant impact if enacted in the UK, not least because it will increase maximum penalties for mishandling data from the current £500,000 in the UK to a maximum of 4% of global revenue or €20m, whichever is greater. Other changes will include:
- a requirement that data breaches must be reported as soon as possible and, where feasible, no later than 72 hours after discovery of a breach;
- the extension of personal data to location, IP address, RFID identifiers, as well as whole new swathes of medical data, including genetic information;
- the “right to be forgotten” being enshrined in law, allowing people to request search engines to delete links to the data in question;
- the regulation applying to companies headquartered outside of Europe as long as they have operations in Europe;
- greater rigour around consent to use personal data; and
- new requirements to carry out Privacy Impact Assessments (PIAs) to ensure that personal data is sufficiently protected and the privacy of the individual maintained.
Additionally, responsibility for protecting personal information under the GDPR will extend to data processors as well as data controllers.
Network and Information Security Directive (NISD)
The Directive is aimed at improving national cybersecurity capabilities to prevent incidents of cyber disruption and, where that is not possible, improving co-operation amongst States and businesses in order to minimise the consequences of a technology breach. This is achieved by not only requiring Member States to:
- a) adopt a national NIS strategy in relation to cybersecurity which will define the strategic objectives, policy and regulatory measures; and
- b) designate a national competent authority for the implementation and enforcement of the Directive (including the setting up of Computer Security Incident Response Teams (CSIRTs) responsible for handling incidents and risks),
but by placing an obligation on all operators of “essential services” (i.e. those businesses deemed to play an important role for society and the economy) to take appropriate security measures to minimise risk of NIS disruptions and, when they do occur, to report incidents to the national authorities. Both the energy sector (electricity and oil and gas) and the transport sector (air, rail, water and road) fall within the Directive’s definition of “essential services”.
The Directive will come into force in August 2016, and Member States will have twenty-one months to implement the Directive into their national laws and a further six months to identify operators of “essential services”. Given the Brexit timetable, therefore, there is a real possibility that the NISD in its current form will not be implemented in the UK.
Notwithstanding the legislative position, directors of companies and similar organisations will continue to have a responsibility to ensure that reasonable steps are taken to protect the organisation from a cyber event. This may mean a data breach, but it may also mean business interruption or even physical loss and damage as a result of a malicious or accidental cyber event which leads to loss to the organisation. Insurance can protect against much of this exposure, but not all insurance does so, and it is important that directors and officers audit their available cover against the potential risks to ensure that they are adequately covered.