31 March 2017 by

Cyber Security – Know the legal position

The onslaught by hackers seeking to obtain information or assets that are held electronically is, it seems, never ending. This unwanted trend affects everyone (individuals and organisations), from spam email with the classic “click here” link to targeted, sophisticated cyber attacks.

Most individuals and organisations are aware of the basic cyber security measures and most (if not all) will have these in place. However, if that dreaded day ever comes when you are made aware of a cyber security breach, it is very important that you are aware of your legal rights.

The law relating to cyber security issues is very broad, so we will only cover some of the issues relating to organisations and individuals who have been the victim of an attack. The phrase “cyber security” generally means protection of information and assets held electronically, and also of the IT (information technology) network behind them.

Organisations

If an organisation is the subject of a cyber security attack this may result in:

  • Liability of the company holding the data to the individuals whose personal information has been unlawfully accessed. The company may have to pay compensation for any damage or loss suffered, or even for any distress caused by the hackers’ unlawful actions in obtaining, using and/or revealing the individual’s personal information;
  • Prosecution by regulatory authorities such as the Information Commissioner’s Office (ICO), if it is found that the organisation has failed to comply with its legal obligations such as ensuring that the information it stores and IT networks are secure.  For organisations regulated by the Financial Conduct Authority, the relevant organisation will need to consider whether notification is appropriate;
  • Reputational damage as many organisations (especially larger ones) will be required to inform their clients and customers.  Also the relevant regulator may name the organisation as part of its investigations.  This will obviously lead to reputational damage in the organisation’s market from the subsequent adverse publicity.

Individuals

For individuals in the UK, there are a number of laws designed to hold companies that legitimately store your data liable if they fail to protect it from cyber attack. These include:

  • Communications Act 2003 which provides that public electronic communications networks and services (e.g. BT, Sky, Virgin etc) must take technical and organisational measures appropriate to manage the risks to the security of their networks and services.  Breaches of security must be reported to Ofcom.
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003, which put further obligations on public electronic communications services. They must (i) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes, (ii) protect personal data stored or transmitted against accidental or unlawful loss or alteration as well as unauthorised access or disclosure and (iii) ensure that the security of this data has regard to the current state of technology and any developments, whilst balancing this against the costs of implementation. The ICO regulates these matters.
  • The Data Protection Act 1998 is a relatively well-known Act that directly and indirectly imposes cyber security obligations on all organisations that collect or process personal data. As a general rule, the term personal data relates to the data of identified or identifiable living individuals including employees, clients, customers and contacts.
  • The Official Secrets Act creates various offences which primarily apply to servants of the Crown and UK government contractors.  The offences criminalise the disclosure of information which is damaging to the armed forces, security or intelligence services (or their work) or endangers the lives of British citizens abroad or is damaging to the UK’s interests abroad.

It is also worth noting that cyber security is global (e.g. data may be stored in other countries) and, as such, international laws may also apply.

This raft of laws is designed to ensure your data is protected by those who hold it. While in some cases compensation can be payable if a breach occurs, the main reason behind the legislation is to ensure that companies continue to strive to remain one step ahead of the hackers and protect our data. As recent events have shown, this is not always the case.

If you have any questions on legal issues relating to technology or cyber security, please contact one of our solicitors in the Corporate and Commercial team.
