1 Legal framework
1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity’, ‘data protection’ and ‘cybercrime’ (jointly referred to as ‘cyber’)? If so, how are they distinguished or defined?
Data protection is not defined as such in the jurisdiction. However, under the General Data Protection Regulation (GDPR), organisations must respect the principles of data protection. The UK Information Commissioner's Office (ICO) states that data protection is about ensuring that people can trust you to use their data fairly and responsibly.
‘Cybercrime’ is an umbrella term which covers:
- cyber-dependent crimes – that is, crimes that can be committed only through the use of ICT devices, where the devices are both the tool for committing the crime and the target of the crime (eg, developing and propagating malware for financial gain, hacking to steal, damage, distort or destroy data and/or network or activity); and
- cyber-enabled crimes – that is, traditional crimes which can be increased in scale or reach by the use of computers, computer networks or other forms of ICT (eg, cyber-enabled fraud and data theft).
‘Cybersecurity’ refers to the protection of information systems (hardware, software and associated infrastructure), the data thereon and the services they provide from unauthorised access, harm or misuse. This includes harm caused intentionally by the operator of the system, or accidentally as a result of failing to follow security procedure.
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
- The GDPR;
- The Data Protection Act (DPA) 2018;
- The Privacy and Electronic Communications Regulations (EC Directive) 2003 (PECR);
- The Communications Act 2003;
- The Computer Misuse Act 1990, as amended by the Serious Crime Act 2015;
- The Investigatory Powers Act 2016;
- The Regulation of Investigatory Powers Act 2000;
- The Official Secrets Act 1989; and
- The Network and Information Systems (NIS) Regulations 2018.
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Some cyber regimes apply only to certain sectors.
The NIS Regulations apply to two groups of organisations:
- ‘operators of essential services’ (energy, transport, health, water and digital infrastructure); and
- ‘relevant digital service providers’, which:
  - provide online search engines, online marketplaces and/or cloud computing services;
  - have their head office in the United Kingdom;
  - have more than 50 staff; and
  - have a turnover of more than €10 million.
Part 4 and Schedule 11 of the DPA 2018 and the Official Secrets Act 1989 address the processing of data for the protection of national security.
Public electronic communications network service providers and public electronic communications service providers must comply with the Communications Act 2003.
In relation to the health sector, Article 9 of the GDPR, Section 10 of Chapter 2 of the DPA 2018 and Part 2, Schedule 3 of the DPA 2018 apply. In addition, the Department of Health and Social Care requires entities with access to National Health Service patient data to complete the self-assessment Data Security and Protection Toolkit, to ensure compliance with their data security requirements.
No distinct legislation for cybersecurity applies to financial services. However, financial services firms must comply with additional security and governance regulations, which can directly or indirectly include cybersecurity provisions. Financial services firms must comply with the Financial Conduct Authority's (FCA) Principles for Businesses, of which Principle 11 (which requires firms to notify regulators of anything of which they would reasonably expect notice) and Supervision Manual 15.3.1 (which requires firms to notify the FCA of any matter which could affect the firm's reputation or its ability to provide adequate services to its customers) refer indirectly to cybersecurity requirements. Senior managers in financial services firms must also comply with Senior Management Arrangements, Systems and Controls Sourcebook (SYSC) requirements, including establishing systems and controls to keep information security systems and IT systems safe (SYSC 13.7).
(b) Certain types of information (personal data, health information, financial information, classified information)?
The processing of personal data is regulated by the GDPR and the DPA 2018. Particularly sensitive personal data (special category data) is subject to more stringent processing requirements than personal data under the GDPR and DPA 2018. Special category data includes data revealing an individual's political opinions, race or ethnic origin, sexual orientation, sex life, religion or philosophical beliefs, biometric data, trade union membership, health or genetics (Article 9 of the GDPR). Personal data relating to criminal convictions and offences is not considered special category data; however, appropriate safeguards must be in place when processing this type of personal data. These are dealt with in Sections 10 and 11 and Schedule 1 of the DPA 2018.
Classified information is regulated by the Official Secrets Act 1989 and Part 4 and Schedule 11 of DPA 2018.
Criminal offence data is regulated by Part 3 of the DPA 2018.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
The GDPR applies extraterritorially in some cases. It applies to data processed outside the European Union if the data processor and/or data controller is established in the European Union (Article 3(1)). The GDPR also applies to data controllers and data processors that are not established in the European Union, but which process data of data subjects who are based in the EU where the processing activities are related to:
- the offering of goods or services to such data subjects in the EU; or
- the monitoring of their behaviour as far as their behaviour takes place in the EU.
The PECR also applies extraterritorially. Public electronic communications service (PECS) providers will also be subject to obligations under the Notification Regulation (611/2013) in respect of their activities as a PECS provider within the United Kingdom, regardless of where their business is based.
The NIS Regulations also apply extraterritorially: operators of essential services in the United Kingdom must comply with the NIS Regulations regardless of where they are based.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
The United Kingdom has signed and ratified the Budapest Convention on Cybercrime, whose main purpose is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international cooperation.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
Both cyber-dependent and cyber-enabled crimes (see question 1.1) can result in fines or prison sentences (or both). Breaches of Section 1 of the Computer Misuse Act 1990 (gaining unauthorised access to a computer) are punishable with a two-year prison sentence and a fine of up to £5000.
Breaches of Section 2 (unauthorised access to a computer in order to commit another offence) or Section 3 (unauthorised modifications of contents of a computer) can result in a prison sentence of up to 10 years and an unlimited fine under the Computer Misuse Act 1990.
Penalties for other cyber-enabled crimes depend on the nature of the crime being enabled, but include a prison sentence and a fine in most circumstances. Offences can be brought under the DPA 2018 if the cybercriminals' acts result in a personal data breach. Breaches of the DPA 2018 are punishable by fines only.
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
The Information Commissioner's Office (ICO) is the supervisory authority responsible for enforcing:
- the General Data Protection Regulation (GDPR);
- the Data Protection Act (DPA) 2018;
- the Privacy and Electronic Communications Regulations (EC Directive) 2003 (PECR); and
- in the case of digital service providers, the Network and Information Systems Regulations (NIS) 2018.
The ICO has powers of entry and to conduct data protection audits. These inspections may be conducted by the ICO or by a third party. The ICO can impose civil and criminal penalties on companies and individuals for breaches of the GDPR or DPA 2018. In addition, the ICO has the following enforcement powers:
- a general duty to investigate complaints from members of the public who believe that an authority has failed to respond correctly to a request for information. If the complaint is not resolved, the ICO may issue a decision notice indicating what needs to be done to put things right;
- to issue information notices requiring companies to provide the ICO with further information in order to assess the security of their network and information systems and the implementation of security policies;
- to issue enforcement notices requiring individuals or companies to take or refrain from taking steps or actions; and
- to bring prosecutions and impose monetary penalties of up to £20 million or 4% of an undertaking's total worldwide annual turnover.
For breaches of the PECR, the ICO has powers of audit and can grant enforcement notices and fines of up to £500,000. These fines can be issued against the company or its directors.
The NIS Regulations are enforced by a variety of sector-specific regulators. These regulators have the power to issue information notices and enforcement notices, and can fine operators of essential services up to £17 million for breaches of the NIS Regulations.
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
Prosecutions under the DPA 2018 must be brought by the ICO; however, private parties can take action under the DPA 2018 with the consent of the data commissioner or the director of public prosecutions. Furthermore, UK law can (at least in theory) allow data subjects to make a claim in the tort of negligence or in the tort of misuse of private information (Lloyd v Google  EWCA Civ 1599). A fundamental requirement for a class action is that the individuals represented in the action all have the ‘same interest’. In particular, in Lloyd v Google, all individuals suffered the same loss of control over their browser-generated information.
Where employees are processing data on behalf of their employer as a data controller, the employer will be directly responsible for that processing. It is only where an employee ‘goes rogue’ and the actions are outside an employer's control that an employer may not be considered either directly or vicariously liable for employees' data breaches (Various Claimants v Morrisons  UKSC 12).
2.3 What defences are available to companies in response to governmental or private enforcement?
Section 2(3) of the Official Secrets Act 1989: It is a defence for a person charged with an offence under this section to prove that, at the time of the alleged offence, he did not know and had no reasonable cause to believe that the information, document or article in question related to defence or that its disclosure would be damaging within the meaning of Section 2(1).
Section 170 of the DPA 2018: It is an offence for a person to knowingly or recklessly:
- obtain or disclose personal data without the consent of the controller;
- procure the disclosure of personal data to another person without the consent of the controller; or
- after obtaining personal data, retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
In this respect, it is a defence to prove that the obtainment, disclosure, procurement or retention of the personal data was:
- necessary for the purposes of preventing or detecting crime;
- required or authorised by an enactment, by a rule of law or by the order of a court or tribunal; or
- justified as being in the public interest.
It is also a defence to prove that the person:
- acted in the reasonable belief that it had a legal right to obtain, disclose, procure or retain the data;
- had the consent of the controller; or
- acted for special purposes with a view to publication of any journalistic, academic, artistic or literary material, and in the reasonable belief that the obtainment, disclosure, procurement or retention of the data was justified as being in the public interest.
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
See question 3.2, as most landmark cyber enforcement actions are currently ongoing.
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
- The Information Commissioner's Office (ICO) stated its intention to fine British Airways £183.39 million for breaches of the General Data Protection Regulation (GDPR) arising from an incident in which customers were redirected to a fraudulent site and their data harvested by cyber attackers.
- In 2019, the ICO stated its intention to fine Marriott Hotels £99.2 million under the GDPR for a cyber incident which resulted in a personal data breach.
- Tesco Bank was also fined £16.4 million by the Financial Conduct Authority for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyberattack in 2018.
Cyber-related legislative activity:
- Implementation of the Cyber Attacks (Asset Freezing) Regulations 2019, which have extraterritorial effect;
- EU Cybersecurity Act 2019;
- EU Digital Services Act (consultation ongoing);
- Automated and Electric Vehicles Act 2018;
- Financial Stability Board Effective Practices for Cyber Incident Response and Recovery, which was sent to G20 Finance Ministers and Central Bank Governors for their virtual meeting on 15 April 2020; and
- White paper on AI.
Cyber-related innovation and technology development:
- Innovate UK investing £4 million in research and development for cybersecurity products;
- The National Cyber Security Centre Cyber Accelerator; and
- Launch of the Centre for Connected and Autonomous Vehicles.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
Although there is no requirement to have a specific cyber incident response plan under UK law, there clearly needs to be a process in place in order to comply with the data breach notification timeframes, and data breaches must be recorded in a register. European Data Protection Board guidance emphasises that organisations have a responsibility to implement incident response plans (Section 5.6.5, National Cyber Security Strategy). There are other industry standards that UK companies often voluntarily adopt, including:
- COBIT 5;
- ISO 27000 series standards;
- British Standards Institute PAS 555:2013, Cyber Security Risk – Governance and Management – Specification;
- CBEST intelligence-led testing framework (financial services); and
- PCI DSS (payments).
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
The United Kingdom supports voluntary assessment and cybersecurity programme certification using its Cyber Essentials scheme.
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
There are no specific legal duties for proactive cyber compliance for directors. However, corporate officers and directors must comply with Companies Act directors' duties, and failure to ensure proactive cyber compliance could result in these duties being breached.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
UK public limited companies are subject to general regulations aimed at preventing pricing inaccuracies or market distortions, such as the Market Abuse Regulation. These regulations indirectly require public limited companies to secure their IT systems and, in some circumstances, to disclose details of cyber incidents and threats to the market. The UK Corporate Governance Code also requires a risk review of material financial, operational and compliance controls at least annually, which includes information security policies and procedures. Securities issuers that fail to properly disclose material risks may be liable to compensate investors, under Section 90 of the Financial Services and Markets Act, if the failure affects share prices.
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
The UK National Cyber Security Centre (NCSC) set up the Cybersecurity Information Sharing Platform as a joint venture between government and industry which allows companies to exchange cyber threat information.
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
The NCSC defines a ‘cyber incident’ as a breach of a system's security policy in order to affect its integrity or availability, and/or the unauthorised access or attempted access to a system or systems, in line with the Computer Misuse Act 1990. A personal data breach under the General Data Protection Regulation (GDPR) is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Article 4(12) of the GDPR).
Certain cyber incidents trigger mandatory reporting requirements. Under the GDPR, these include data breaches, which should be reported to a data controller's supervisory authority (the Information Commissioner's Office (ICO)) without undue delay and within 72 hours of the data controller becoming aware of the breach if the data breach risks serious harm to data subjects (Article 33(1) of the GDPR). Data processors must inform data controllers of a data breach without undue delay. There is an additional requirement to report the incident to data subjects if the data breach could pose a high risk of harm to data subjects' rights and freedoms.
Under Section 105B of the Communications Act 2003, a public electronic network service provider must report to Ofcom any cyber incident which has a significant impact on the operation of the network.
There are some differences in notification requirements under other regulations, such as the Network and Information Systems (NIS) Regulations 2018. Reporting requirements under the NIS Regulations depend on the guidance of the individual regulator. For example, the healthcare sector must follow guidance contained in the Data Security and Protection Toolkit.
Some companies also need to report personal data breaches under the Privacy and Electronic Communications Regulations (EC Directive) 2003 (PECR), including providers of publicly available electronic communication services (eg, internet service providers and telecommunications providers), which have breach notification obligations under PECR and the Notification Regulation (611/2013). These breaches must be reported to the ICO within 24 hours of their discovery.
Companies are also encouraged to consider notifying the NCSC and Action Fraud if there is a major cyber security incident.
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
Under the GDPR, organisations must notify the ICO of a personal data breach by filling in a personal data breach notification form, with the only exception being where there is no risk of harm to data subjects' rights and freedoms. It may be unnecessary to make a notification if the data accessed was encrypted and backed up, or was already publicly available. Companies must provide the following information to the ICO:
- a description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals concerned;
- the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer (if applicable) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, actions taken to mitigate any possible adverse effects (Article 33(3) of the GDPR and Section 67(4) of the Data Protection Act (DPA) 2018).
Companies must notify data subjects of a data breach if there is a high risk to their rights and freedoms (Article 34(1) of the GDPR and Section 68 of the DPA 2018).
5.3 What steps are companies legally required to take in response to cyber incidents?
If the incident involves a personal data breach, companies should consider whether it needs to be reported to the ICO. There are other sector-specific requirements, depending on the type of incident.
Financial services providers must report material cyber incidents to the Financial Conduct Authority (FCA) (Principle 11 of the FCA Handbook). Material incidents are those which result in significant data loss or loss of the availability or control of the firm's IT systems, affect a large number of customers, or result in unauthorised access to, or malicious software present on, the firm's information and communication systems. Firms have a duty under Supervision Manual (SUP) 15.3 to report to the FCA, immediately upon discovering them, incidents which could have a detrimental impact on the firm's reputation or matters which could affect the firm's ability to continue to provide adequate services to its customers (SUP 15.3.11R). Notifications should include information about:
- the circumstances relevant to the breach or offence;
- the identification of the rule or requirement or offence; and
- information about any steps which a firm or other person has taken or intends to take to rectify or remedy the breach or prevent any future potential occurrence.
Firms are also encouraged to share information on the Cybersecurity Information Sharing Platform. Firms which are dual regulated should also report cyber incidents to the Prudential Regulation Authority. In the case of a data breach, the firm should also consider notifying the ICO, and in the case of criminal breaches, the firm should also notify Action Fraud.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
There are no legal duties specific to corporate directors in respect of cyber incident responses. However, corporate directors are indirectly required to comply with industry practice and respond appropriately to a cyber incident, as they could be in breach of their directors' duties, including the duty to promote the success of the company (Section 172 of the Companies Act 2006) and/or their duty to act with reasonable care, skill and diligence (Section 174 of the Companies Act 2006) if they do not act properly with respect to cybersecurity. An individual corporate director may be liable under GDPR (DPA 2018) if the data breach is caused with the consent or connivance of or attributable to neglect of the director.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
In principle, cyber-incident insurance is available in the United Kingdom. Cyber insurance does not protect against cyber incidents, but will provide additional resources after an incident occurs.
There is some uncertainty about whether regulatory fines, including those imposed for breaches of the GDPR, are insurable. Generally speaking, a person cannot enforce insurance covering liability for committing a crime; therefore, fines for criminal offences under the DPA 2018 are not insurable. Regarding administrative fines, it is safe to assume that they will not be insurable for reasons of public policy (see Patel v Mirza  UKSC 42). Fines issued by the FCA are not insurable.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
In the European Union, the prevailing trend appears to be to bring in legislation to regulate the use of more sophisticated technologies, including artificial intelligence, crypto assets and quantum computing. Depending on the final outcome of Brexit, the United Kingdom is likely to mirror at least some of these.
New EU regulations include the e-Privacy Regulation, the EU cybersecurity strategy, a legislative framework for data governance (Q4 2020) and a possible Data Act (2021), which could mandate business-to-business data sharing and enhanced data portability rights; these could lead to changes in the EU laws on trade secrets (among other things).
The UK National Cyber Security Strategy is due to be renewed after 2021.
The United Kingdom is working on developing connected and autonomous vehicles, and new legislation such as the Automated and Electric Vehicles Act 2018 has been implemented to support this activity. On the cybersecurity aspects, the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) are due to release new cybersecurity standards for autonomous vehicles in 2020.
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
Companies report that their biggest cyber-related challenges to their businesses are:
- the increasingly large volumes of data that they need to store;
- compliance with cybersecurity regulations;
- ever-evolving cyber threats that are incredibly sophisticated, including those that target Internet of Things devices and artificial intelligence;
- greater public awareness of data privacy;
- vulnerabilities in supply chains; and
- cybersecurity skill gaps.
Such issues can be resolved through:
- increasing awareness of cyber threats and cybersecurity among a company's employees at all levels and creating a culture that values cybersecurity;
- incorporating data protection by design into new systems;
- complying with European Data Portal standards; and
- improving training and recruitment of cyber professionals.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.