12 December 2018


Radar - December 2018: Cybersecurity


It has also been a big year in cybersecurity, not only due to the introduction of new legislation, but also because of the continuing focus on high-profile breaches.

NISD

The EU's Network Information Systems Directive is designed to sit alongside the GDPR, and it brought in cybersecurity and breach reporting requirements for Digital Service Providers (an online marketplace, an online search engine or a cloud services provider) and Operators of Essential Services. The Directive is implemented in the UK by the Network Information Systems Regulations 2018, which came into force on 10 May 2018.

We could use more guidance on who exactly is caught by the Regulations as some businesses do not fit neatly into the sparse definitions. In the meantime, you can read about the requirements if you are caught, here.

The Cybersecurity Act

The Commission published a draft Regulation (known as the Cybersecurity Act) to reform the European Network and Information Security Agency (ENISA), giving it a permanent mandate and increased resources; and to introduce a voluntary European security certification framework for ICT products and services. The certificates would confirm compliance and would be recognised in all Member States, making it easier for businesses to trade in the internal market. The draft Regulation is currently in the trilogue stage.

Data breaches

It seems that every week brings another high-profile data breach. The ICO has seen a vast increase in the reporting of data breaches, partly because of over-reporting due to a lack of understanding of GDPR obligations. There can, however, be no doubt that many businesses remain vulnerable to attack or to inadvertent data breaches. BA, Dixons, Uber, Facebook, Equifax and the Marriott Group are just some of the names to have hit the headlines this year due to newly discovered breaches, or to fines incurred for earlier breaches. So far, we are yet to see fines issued for data breaches under the GDPR, but this will doubtless change next year.

Businesses are also getting used to the idea that they may face class actions in relation to data breaches. In November, we reported on the Court of Appeal decision, upholding the High Court's finding that Morrisons was vicariously liable for the actions of a rogue employee. This was under common law principles rather than as a result of changes to data protection law, but as more breaches enter the public domain and certain litigation funders are actively looking to fund data breach class actions, we expect this to become the new normal.
