Exclusive Q&A on Cyber Security with Simon Morrissey

Who are the main regulators and what are the key legislations that apply to the cybersecurity in your jurisdiction?
 
In addition to the Information Commissioner’s Office (the “ICO”), which is the general regulator of cybersecurity in relation to personal data, the UK regulators responsible for cybersecurity in regulated sectors or industries such as the Financial Conduct Authority (the “FCA”) for the financial industry and the Solicitors Regulation Authority (the “SRA”) for Solicitors also have responsibility for regulating cybersecurity issues. All three regulators have enforcement powers to impose fines independently of each other.
 
Currently the key legislation for cybersecurity in relation to personal data is the Data Protection Act 1998. In addition to the Data Protection Act the following legislation also contain provisions that are relevant to cybersecurity including:

• Computer Misuse Act 1990
• Privacy and Electronic Communications (EC Directive) Regulations 2003; and
• Communications Act 2003
 
Have there been any recent regulatory changes or interesting developments?
 
One key change is the recent passing of the EU General Data Protection Regulation which is due to be implemented in May 2018. The GDPR contains several regulatory developments that touch upon cybersecurity. For the first time data processors will have direct compliance obligations to comply with certain aspects of the GDPR, particularly in the area of data security and data breach reporting to their data controller client. In addition all data controllers will now be subject to data breach reporting obligations and they will also be required to implement appropriate technical and organisational measures to ensure the security of personal data by design and by default.
 
In addition, Europe is proposing the Network and Information Security Directive which is expected to be adopted during 2016 after which member states will be required to implement the Directive into local law. The Directive is designed to impose security obligations on the providers of essential services (such as energy, the health sector and transport) and digital service providers (such as providers of cloud computing and search engines).
 
Have you witnessed any particular trends in cyber threats?
 
One current trend seems to be a delay between a network vulnerability being created or identified by a hacker and the subsequent exploitation of that vulnerability by the hacker. We have advised a number of clients where this situation has arisen and appears to be quite common where cyber-breaches in a company’s systems are undertaken by ex-employees or the company’s suppliers.
 
Hackers are also exploiting their ability to access large amounts of publically available data by combining this publically available data with data obtained during a cyber-breach. This enables the hacker to create a more detailed set of data regarding some or all of the individuals who were affected by the breach.
 
Which industries are at highest risk for threats to their cyber security?
 
Whilst the financial services sector is a high risk industry it is also an industry which is generally experienced in addressing cybersecurity through the deployment of robust organisational and technical security measures. Therefore, whilst the potential reward for a hacker from a successful cyber-attack in the financial services sector is high, the prospects of a successful attack are low when compared to other industries. For this reason hackers are now targeting more vulnerable industries that still provide access to valuable data such as credit card information. These include the computer games industry (as evidenced by the PlayStation Network hack in 2014) and the IoT industry (as evidenced by the Vtech hack in November 2015).
 
How is technological innovation – such as drones, wearable devices, cognitive thinking and the Internet of Things – altering the cybersecurity landscape?
 
IoT is a good example of technological innovation that has created an attractive target for hackers. Both manufacturers and customers of such technology have historically failed to appreciate the security vulnerabilities that exist with connected technology. At the same time many devices enable the user to upload and store data valuable to a hacker and this combination has provided the incentive for hackers to exploit the security vulnerabilities of IoT. One recent example was the Vtech children’s toy hack where over 500,000 accounts were compromised.
 
Technological innovation in the form of IoT and cloud based data storage solutions has also significantly increased the risk of a cyber-breach incident not only due to the number of access points to data, and therefore the number of potential security vulnerabilities that could be exploited by a hacker, but also due to the sheer scale of the data collected both in quantitative terms and qualitative terms.
 
In an ideal world what would you like to see implemented or changed?
 
Cybersecurity is already highly regulated so I am sceptical about the need for further legislation, especially when seen in the context of the current UK and European trend for outcomes based legislation. The UK already has a comprehensive framework of legislation to address cybersecurity and there is more legislation on the way in the form of the Network and Information Security Directive. However, what does need to be addressed is a lack of public awareness about the security vulnerabilities of new technology and services, especially in the realm of IoT. This could be addressed by educational initiatives at both a governmental level but also at an industry level.
 
Simon Morrissey heads Lewis Silkin's Data and Privacy Legal Practice Group. Prior to qualifying as a solicitor, Simon worked in industry as an electronic engineer. When he is not in the office, Simon can usually be found on the ski slopes or nearby water or on two wheels cycling up inclines and then coasting down the other side.
Simon advises clients on all aspects of data protection, but has developed a particular specialism advising on the privacy aspects of marketing and advertising. This includes advising on data profiling and analytics and online behavioural advertising. His general data protection practice encompasses advice on complex intra company and overseas transfers, the appointment of data processors, dealing with data breaches, negotiating with data protection authorities and developing strategies for the commercial exploitation of data.