Catch me if you can

One of the greatest challenges that in-house legal teams confront from a data protection and cyber security perspective is staying up to date with trends and threats that seem to develop at an almost exponential rate. DLA Piper’s data protection and cyber security specialist Ross McKean explains: ‘Life was relatively simple in the early days of GDPR… since then there has been a rapid proliferation of laws, case law and guidance… so a key challenge for in-house lawyers is simply keeping up with all the new laws and legal developments.’

BCL’s data protection expert Julian Hayes reiterates this: ‘the sands are shifting all the time, they never stay still’. In-house lawyers therefore need to ensure that the latest legal and technical developments are constantly monitored and prepared for. This will undoubtedly require a greater level of internal synergy, with legal, IT and PR teams, as well as the remainder of the organisation, collaborating to ensure that staff are practically aware of how to respond in a worst-case scenario.

‘The difficulty for in-house counsel is balancing the tasks that are required on an everyday basis to ensure their business is run properly and lawfully respects an individual’s personal data rights, while on the other hand trying to contemplate the extreme events as well’ – BCL’s Michael Drury summarises the unique predicament faced as in-house counsel grapple with the constantly evolving threats and laws that even seasoned professionals and governments are trying to come to terms with. Hunton Andrews Kurth’s senior data privacy partner, Sarah Pearce, identifies the new UK Data Protection and Digital Information Bill as a key legislative development in coming months, stating: ‘While the proposed changes to the GDPR do not appear to be dramatically different from the EU in substance, there will be some adaptation required by organisations in order to comply’.

This is a development in-house teams will need to pay close attention to, with Pearce also explaining how ‘the impact of the UK-EU adequacy decision on the implementation of the new law will be something to watch out for.’ As the UK government announces plans for a ‘world-leading’ approach to AI, UK organisations should be poised to see more of the British exceptionalism that led to events such as Brexit and could see a divergence from EU GDPR laws, despite the negative effects this could have for cross-border business.

Rising threats

In terms of the scale of damage caused, the threat posed to businesses by cyber attacks continues to rise. With the increasing sophistication of threats such as ransomware attacks, data breaches and phishing scams, in-house counsel’s ability to maintain an ongoing understanding of the relevant cyber and data protection laws is constantly put to the test. According to the UK government’s Cyber Security Breaches Survey 2022, 39% of UK businesses identified a cyber attack in the last 12 months. While this figure is consistent with that of the previous year (2021), implying that the threat has not increased in quantity, the survey also concludes that enhanced cyber security leads to higher identification of attacks, suggesting that less cyber-mature organisations may be underreporting. These attacks pose both a reputational and a financial risk to businesses: even before potential fines from regulators or individual data subject claims are considered, the average estimated cost of all cyber attacks for those organisations which reported a material outcome was £4,200, rising to £19,400 for medium and large businesses.

There is an expectation that cyber attacks will increase in both severity and volume moving through 2023. This includes ‘hack and leak’ attacks, with an advisory report of the National Cyber Security Centre (NCSC) outlining how Russia and Iran-based actors continue to successfully use phishing attacks against UK businesses and individuals. Threats of this kind are likely to result in greater attention on cyber resilience and regulation, with the EU’s Digital Operational Resilience Act coming into force and requiring organisations to undertake IT risk mapping. This emphasis on combating cyber threats is also likely to manifest in a more concerted effort between organisations and states, with the recent global shutdown of Genesis Market demonstrating the benefits of a coordinated international response. Furthermore, as cyber threats increase, so does the likelihood of greater enforcement action for breaches of data protection law. While some parties have been critical of the perceived reluctance of the Information Commissioner’s Office (ICO) to issue fines, the two largest to date were administered to British Airways and Marriott Hotels for the absence of effective security measures. The ICO reprimand of the Chartered Institute for Securities and Investment in February 2023 indicates the regulator will continue to take a hard-line approach against businesses that fail to adequately prepare for a cyber attack.

Fail to prepare

Hayes provides a piece of advice for in-house lawyers contemplating the challenges of the data protection and cyber security landscape: ‘Plan, plan and plan again.’ He is not the only experienced lawyer expressing this sentiment, with Bird & Bird’s privacy and data protection specialist James Moss exploring the myriad ways that in-house teams can be best equipped to anticipate and respond to a potential attack. He states: ‘In-house legal teams should have a clear plan on what they would do in the result of a cyber attack.’ He then explains, ‘organisations should be able to act clinically… if staff are unclear about what to do or who to call, valuable time can be lost, leading to an uncoordinated or even chaotic response’.

Moss goes on to warn of the repercussions of failing to plan ahead, as evidenced by the BA and Marriott cases: ‘It would be clear in the result of any subsequent investigation that the organisation did not sufficiently plan its response.’

But what would such a plan involve? In short, hope for the best and prepare for the worst, with Moss and others breaking down the key considerations for internal counsel. Given the increased likelihood of enforcement action noted above, in-house lawyers should be prepared to deal with a regulator. It has become evident across both UK and EU regulators that fines will be imposed for a lack of compliance, with Hayes summarising the value of transparency when advising: ‘If you know that a breach has occurred and it is highly likely that you will be making a report at some stage, the sooner you do it the better, because it engenders trust between you and the regulator.’

At the heart of any solid plan are well-formulated and logical policies, with Moss recommending that ‘internal incident response policies should be practical, drafted at the appropriate level of detail for the risks identified and kept up to date.’ As well as ensuring all staff are genuinely aware of the intricacies of these policies, in-house teams should conduct ‘dummy’ breaches to ensure that procedures are correctly followed. One of the most important of these policies is the organisation’s stance on ransom payments in response to ransomware attacks. In-house lawyers should consider the joint letter by the ICO and NCSC on the legal profession and its role in cyber security, which expresses the opinion that ransoms should not be paid. It supports this opinion by explaining that paying a ransom does not protect data or reduce potential penalties, while clarifying that it is not necessarily unlawful to do so.

As the technological threats that businesses face evolve, so do the potential tools that can be used to mitigate them, with advances in AI technology providing a prime example. Italy recently becoming the first western country to block the advanced chatbot ChatGPT over privacy and GDPR concerns epitomises the double-edged sword AI presents in relation to confronting cyber threats. Pearce explains more on the intersection between AI, GDPR and cyber security: ‘regulatory focus on AI has increased… we have seen lawmakers in the EU draft an AI regulation and regulators across the EU and UK have issued guidance on how AI should be used in compliance with applicable data protection laws.’ Moss contends that in-house lawyers should evolve with AI and assist in the company-wide implementation of AI technology, such as by negotiating favourable data protection and security clauses with vendors.

Additionally, in-house lawyers should avoid being short-sighted and must look beyond the initial breach, anticipating the future implications and remediation steps once the incident has been dealt with. As well as regulator investigations and individual data subject claims, these lingering consequences can take many forms; for example, data sold on the dark web could be used to commit fraud several months later. Contingency plans will need to be formulated for these risks, with internal counsel considering remediation steps to assist customers whose data has been compromised, as this will also have a significant impact on the business’s reputation.

External support

An important question for in-house lawyers to consider is when and how to engage external counsel in the event of a suspected attack. As McKean observes: ‘In an ideal world this question will have been considered well in advance of a cyber attack.’ The significance of this issue is stressed further by Moss: ‘in-house teams should be prepared for and consider immediately engaging external counsel at the very outset… to support with and implement the various key steps that need to be taken.’ In fact, Pearce goes one step further and highlights the preemptive usefulness of external counsel prior to an incident occurring, such as in undertaking compliance projects for new legislation: ‘With vast experience in conducting such audits and often with expertise across multiple jurisdictions, outside counsel is often best placed to build programmes from scratch or to identify gaps in existing programmes.’

While the in-house team is undoubtedly central and should take the lead in coordinating the response efforts, external firms can be instrumental in practical aspects such as engaging the right response teams and addressing data leakage. If a business experiences a reportable data breach, there are numerous statutory obligations which will need to be examined, including notifying the relevant authority within 72 hours and potentially informing affected individuals about the breach. The resources needed to satisfy these requirements within tight timeframes can place a heavy burden on in-house teams, with external counsel available to help share the weight. As with all crises, the sooner the response, the better the chance of reducing the resulting damage.

The insight provided by external counsel in the critical initial period can be invaluable, especially when it comes to more serious incidents. Ultimately, the challenge is daunting, with McKean believing that ‘privacy teams typically have one of the largest and most complicated remits of any in-house function.’ But those organisations that prepare and practise their response to an attack are the ones far more likely to respond effectively. McKean offers a final piece of encouragement: ‘Practice may not make perfect, but it does train muscle memory and takes some of the pressure and tension out of a real incident’.