Following on from our alert in relation to technology, data privacy, cybersecurity and IP legal developments to look out for in 2023, this update outlines some of the potential developments and trends in the UK cyber incident response landscape for 2023.
Increased litigation risk for cyber breach victims - the Information Commissioner's Office begins naming and shaming data breach victims
At some point in summer 20221, the UK Information Commissioner's Office (the "ICO") quietly began publishing the names of organisations who have notified them of a data breach or cyber incident. Historically, the ICO would keep such notifications confidential in an effort to promote prompt and transparent notifications from such companies.
However, since as early as 2019, the ICO have publicly committed to an open and transparent approach to its work and in particular in relation to the organisations which it regulates and the data breaches suffered by such organisations. This shift was further emphasised in a November 2022 speech by the Information Commissioner himself, John Edwards, and the move towards the publication of breach data appears to be related to this commitment to an open and transparent approach. It is unclear why the ICO have only moved to implement such an approach now, however.
In his speech, Mr Edwards sought to redirect the emphasis of the ICO's enforcement activity away from the use of fines and private reprimands (for those breaches those deemed to be the most serious in nature) as the ICO's primary method of enforcement towards one in which all reprimands in relation to cyber breaches would be made public, subject to there not being a good reason not to publish such reprimand.
This approach, Mr Edwards argued, is necessary not just because it is in line in with the ICO's commitment to open and transparent regulation but also to act, in and of itself, as a form of enforcement and/or deterrent by way of public 'naming and shaming'. In relation to public authorities in particular, Mr Edwards argued that fines alone were not enough as such fines simply passed between government authorities and ultimately into the consolidated account at the Treasury and thereby did not act as an effective deterrent.
In relation to private organisations, the levels of fines seen to date (although at times significant) may not, in the view of the ICO, act as sufficient deterrent. In introducing the publication of data breach reprimands, the ICO therefore hopes to introduce deterrent through making such organisations publicly accountable for their failures in relation to the data breach in question.
What data does the ICO publish?
The details in relation to breach and cyber incidents are now published in three datasets relating to the following, and are available in relation to incidents from Q4 2021 onwards:
- Cyber investigations – this data set provides the name and sector of any organisation who has reported a cyber-related data breach and which were deemed sufficiently serious to merit further investigation by the ICO;
- Non-cyber investigations – as above but for non-cyber related incidents; and
- Self-reported data breach incidents - provides the name for any organisation that has reported a data breach (cyber or non-cyber) whereby the ICO determined no further action was required.
The datasets published by ICO are high-level and do not contain detailed information beyond the name of the victim, the categorisation of the incident and the outcome of the ICO information. Detailed information in relation to the nature, extent or method of attack or of the nature of the affected data is not included in any public ICO datasets.
What does this mean for litigation risk?
The success of such measures in meeting the ICO's stated aims (i.e. deterring poor behaviour or encouraging good practices in relation to cybersecurity) remains to be seen. However, the effect on organisations named in the data published by the ICO may have a profound effect on the litigation risk landscape for such companies.
In particular, it is likely that claimant law firms may begin monitoring ICO publications for the details of such data breaches and, depending on the nature of the breach, the organisation in question and the potential pool of claimants, may look to bring collective actions. It is likely that 'repeat offender' organisations will be the particular target of such claimant law firms, given the fact that repeated incidents are likely to increase the viability and/or quantum of potential claims. Similarly, individuals who are customers, employees or other potential data subjects of victim organisations may make data subject access requests or bring their own individual actions against such companies.
In addition to the development of a robust incident response plan in case of a cyber incident, companies should be aware that any report made to the ICO may now become public information. Victim organisations should therefore consider engaging outside legal counsel at the earliest possible stage of any incident in order that the increased litigation risk arising from the potential ICO publication of the fact of the incident can be considered alongside the other legal and business factors arising in the course of any incident.
Cyber-risk and insurability – companies facing increased premiums and cyber-related requirements from insurance providers
In the wake of an increase in the frequency and severity of cyber-related incidents, several insurers have warned of the risk that cyber incidents could become uninsurable, particularly in the case of ransomware attacks and for organisations whose cyber architecture relates to or is connected to critical national infrastructure.
This increased risk is being reflected in significantly increased premiums and, in many cases, increasing cyber insurance exclusions related to certain types of software or known vulnerabilities. Lloyd's of London forecast in December 2022 that the global cyber insurance market is likely to grow from US$12 billion in annual premiums today to over US$60 billion in the next five to 10 years. Similarly, Lloyd's announced in September 2022 that all standalone cyber policies would have an exemption for state-backed cyber-attacks.
Companies are likely to face increased pressure from insurance providers to develop and demonstrate a documented strategy to mitigate their cyber threat in order to ensure that they are able to renew or enter into cyber-related insurance policies, without facing unacceptably high premiums. Such measures are likely to include a detailed consideration of IT-related measures in addition to a cyber response plan developed and tested in conjunction with external counsel, where appropriate.
Ransomware attacks continue to proliferate – the preservation of evidence in anticipation of litigation during cyber incident response
The first high-profile UK ransomware-related cyber incident of the year occurred just 12 days into 2023. The attack on Royal Mail on 12 January 2023 which, according to reports was carried out by an affiliate of the LockBit ransomware group2. The incident led to Royal Mail suspending international shipping services for five days and is thought to have had a significant indirect impact on UK-based businesses that rely on international orders.
The cyber incident at Royal Mail comes just weeks after The Guardian suffered a similar ransomware incident, impacting all areas of its IT infrastructure and forcing staff to work from home until at least the end of February 2023. There have also been several other high profile cyberattacks in the opening weeks of 2023.
These are just the attacks that are made public. As explored in our November 2022 update, such attacks are likely to continue to increase in frequency and scale, and companies should therefore be prepared, both in relation to increasing cybersecurity measures by way of defence against such attacks, and in relation to its cyber incident response should the worst happen. A study by Gartner in 2022, predicted that by the end of 2023, modern data privacy law will cover 75% of the world's population. Given the increased applicability and scope of such legislation, the possibility of cyber incident related litigation has only increased.
The litigation risk arising out of such cyber incidents is potentially significant, and organisations that are impacted by such attacks should be mindful in particular of the importance of preserving evidence in relation to such attacks. The preservation of evidence has a two-fold benefit: i) to obtain a full incident overview and to establish a basis for threat containment and/or eradication, and ii) to fulfil the evidentiary requirements for possible litigation at a later date. The latter consideration is often neglected during the development of a cyber incident response plan and should be carefully considered at the outset of any response. Similarly, whilst a resumption of normal operations is always a priority, care should be taken to avoid the inadvertent destruction of evidence during the rebuild or remediation phases of an incident.
The applicability and scope of whether a litigation-related duty to preserve evidence arises is highly dependent on the facts of the individual incident in question, and includes complicated considerations of the applicable legal framework arising out of the jurisdictions involved in the incident. Organisations should, in conjunction with external counsel, adopt a risk-based approach to the preservation of evidence which in any event should involve steps to preserve key information in relation to any incident including (but not limited to) metadata, a forensic image of the affected systems, security logs and other relevant incident-related data.
The UK Ransomware Enquiry – potential for significant regulatory changes in relation to cyber incident response for UK companies
In the UK, there are a number of cyber-related regulatory changes recently implemented or in the works. In particular, the UK Ransomware Enquiry was launched by the Joint Committee on the National Security Strategy in October 2022 (the "Enquiry"), in conjunction with UK National Cyber Security Centre ("NCSC"). The Enquiry closed for written evidence on 16 December 2022. The purpose of the Enquiry is to explore the increasing trend of ransomware attacks and the impact on organisations in the UK. It is primarily aimed at understanding the threat posed by ransomware attacks, the impact on victims, and the measures organisations can take to prevent or respond to these attacks.
It is difficult to predict the exact outcome of the Enquiry, as it is still ongoing and the findings have not yet been released. However, the NCSC is likely to make recommendations for improving the security of organisations in the UK in the face of increasing ransomware attacks. Some potential outcomes of the Enquiry may include:
- New guidelines and best practices for preventing and responding to ransomware attacks;
- Recommendations for improving the security of critical infrastructure and government systems;
- Increased collaboration between government agencies, law enforcement, and the private sector to combat ransomware attacks; and
- New legislation or regulations to improve the security of products and services and to hold companies accountable for security incidents.
Ultimately, the outcome of the Enquiry is expected to assist organisations in the UK better understand the threat posed by ransomware attacks and take steps to improve their security posture. Mayer Brown will issue a further update in relation to the findings of the Enquiry after the committee has published its findings but companies should be aware that the changes arising out of the Enquiry, and the actions required by in-scope companies, could be significant.
A number of other significant technology, data privacy, cybersecurity and IP legal developments are also expected in 2023 and are explored in detail in our January 2023 update, Looking Ahead – Technology, Data Privacy, Cybersecurity and IP developments in 2023.
Next steps for organisations
Organisations should take steps now to ensure they have a robust cyber incident response plan in place, developed in conjunction with external legal counsel. Such a plan should be thoroughly tested and periodically updated to ensure it captures and responds to changes in best practice (including any new applicable government guidance) as well as developments in the organisational or technological infrastructure of the organisation. The plan should be developed by reference to the relevant cyber insurance policy, ensuring that any specific policy requirements or exclusions are considered and the incident response plan developed accordingly.The developments outlined above also highlight the importance of taking advice as early as possible in the event that your organisation becomes a victim of a cyberattack. Whilst the datasets now published by the ICO do not contain sensitive information in relation to an attack itself, the public nature of the reporting adds an extra layer of complexity to the breach notification process and to dealings with the ICO more generally in the aftermath of such a breach. Organisations should therefore consider retaining suitably experienced external legal counsel as soon as possible in order to coordinate interactions with regulators such as the ICO and advise on the breach notification threshold and process.
1 The ICO made no public announcement about the introduction of cyber breach victim lists but data from archived webpages suggests they were introduced at some point in July or August 2022.
2 See: 'LockBit ransomware gang claims Royal Mail cyberattack' https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-royal-mail-cyberattack/