Cyber security laws in the UK do not have to be intimidating. This article aims to provide actionable information on the cyber security laws in the UK for businesses along with what to do if you suffer a breach or a cyber scam.
We consulted with several industry leaders to create this article; more information on them can be found here.
This article was published on the 18th of October 2019; please note that the laws and obligations of UK businesses may have changed since then.
Article update log:
- 18th October 2019 – Article Published
Disclaimer: The advice and guidance in this article should not be considered legal advice and you should always consult with your solicitor or legal representation before taking any actions.
Different laws and obligations apply if you are a United States based business.
There is no single overarching ‘cybersecurity law’ in the UK. There are cybersecurity laws that impose legal obligations that apply to all businesses, and there are other cybersecurity laws that apply to businesses within certain industries.
There are no laws in the UK that punish businesses for simply being the victim of a cyber-attack, but that does not mean sanctions cannot be imposed when a business has failed to implement basic measures to safeguard its systems and data from a hacker.
In addition to laws that pertain to all businesses, there are also laws that pertain to particular types of businesses such as those operating in the financial sector.
Data Protection Act 2018 / General Data Protection Regulation
Cybersecurity law, particularly personal data protection law, in the UK is shaped by the Data Protection Act 2018 (DPA), which implemented the EU’s sweeping General Data Protection Regulation (GDPR). Both of these pieces of legislation were designed to modernize how companies process data by expanding the definition of personal information, and by giving users new legal rights over the details they share online.
Complying with the DPA/GDPR essentially boils down to collecting as little data as possible, protecting it with strong security systems, and being transparent about data handling practices so users can fully consent to them.
However, properly implementing these measures may require a complete overhaul of a business’s data processing operations.
Each EU member state has a data protection authority responsible for handing out penalties for noncompliance, which can be in the ballpark of €20 million. In the UK, this is the Information Commissioner’s Office (ICO) — known to be one of the strictest data protection authorities in the EU, as exemplified by the large penalties recently levied against British Airways and Marriott (€210 million and €112 million, respectively).
Regarding the future, the UK government intends to adopt all existing EU legislation into law after Brexit, so GDPR rules will still apply.
Companies have a legal obligation to thoroughly understand the GDPR at all levels — unless they want to pay the price.
Network and Information Systems (NIS) Regulations 2018
The NIS Regulations deal more specifically with the security of the network and information systems of companies providing what are deemed essential services, such as those in the energy or healthcare sectors.
The rules require appropriate and proportionate steps to be taken to protect those systems and data. These are vague standards, but they can also be construed as flexible ones.
The National Cyber Security Centre (NCSC) in the UK provides some guidance as to the essential elements of appropriate systems. That guidance can be found here.
Other Laws in the UK
Cybersecurity laws and regulations, industry rules and the common law all affect niche businesses within the UK. For example, businesses in the financial services sector must maintain appropriate systems for managing any operational risks that may arise from inadequacies or failures in their processes and systems. Every specific industry must follow the UK cybersecurity laws and regulations that pertain to its business.
What should you do if your business has fallen victim to a data breach?
The first step after a data breach is to notify the Information Commissioner’s Office. Under the EU’s General Data Protection Regulation (GDPR), this must be done within 72 hours of becoming aware of the breach.
When reporting the breach, a company must describe how it occurred, the type of data involved, the number of people it affected, the predicted consequences, plus the measures that will be taken to mitigate its effects. If the breach affected any individual’s rights or freedoms, they must also be informed ‘without undue delay’.
The procedure for reporting a breach is the same for companies of all sizes, but large organisations that employ a data protection officer (the person who handles their GDPR paperwork) must also provide this individual’s details as a point of contact.
After that, it is damage control time — the PR hit for a company in the public eye can actually be more damaging than the breach itself.
What should you do if your business has fallen victim to a cyber scam?
The law is significantly different in regard to businesses being victimized by a cyberscam as contrasted with suffering a data breach.
If your business has become the victim of a cyberscam, it should be reported to Action Fraud (www.actionfraud.police.uk), which notifies the National Fraud Intelligence Bureau and will also provide a police crime reference number.
If the fraud has resulted in money being misappropriated from a bank account, you should contact your bank.
You should also consult your insurance carrier to see whether your insurance covers the loss. Some claims for fraud perpetrated through Business Email Compromise (BEC), a very common scam targeting businesses, have been disputed by insurers as not being covered by their particular policies.
In a Business Email Compromise, phony emails or phone calls that appear to come from a company official trick staff into sending money to the scammers under a variety of pretences, such as paying a supplier that has supposedly changed the bank account into which electronic payments should be sent.
Business Email Compromise can be mitigated by requiring multiple people to approve payments and to confirm payment requests within a company, particularly when a payment is in any way questionable or when a company you do business with is changing where funds are to be sent.
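The dual-control rules just described, written out as a payment-release check. This is an added illustration, not code from the article or its contributors; the payee table, account strings and staff names are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed supplier master data (made-up values): payee -> bank account on file.
PAYEES_ON_FILE = {"Acme Supplies Ltd": "GB00EXMP00000000000001"}


@dataclass
class PaymentRequest:
    payee: str
    account: str                # account the request asks to pay into
    requester: str              # staff member who raised the request
    approvers: set = field(default_factory=set)  # staff who approved it
    confirmed_out_of_band: bool = False  # change verified via a contact already on file


def review_payment(req, min_approvers=2):
    """Return (release, blockers). Release only when every dual-control rule passes."""
    blockers = []
    on_file = PAYEES_ON_FILE.get(req.payee)
    if on_file is None:
        blockers.append("payee not on file; onboard before paying")
    elif req.account != on_file and not req.confirmed_out_of_band:
        # The classic BEC pretext: 'our bank details have changed'. New details
        # must be confirmed through a phone number or contact already on file,
        # never through one supplied in the message that asked for the change.
        blockers.append("changed bank details not confirmed out of band")
    # The requester cannot count as an approver: distinct people must sign off.
    independent = req.approvers - {req.requester}
    if len(independent) < min_approvers:
        blockers.append(f"{min_approvers} independent approvers required, have {len(independent)}")
    return (not blockers, blockers)


if __name__ == "__main__":
    # A typical BEC attempt: changed account, requester approving their own request.
    bec = PaymentRequest("Acme Supplies Ltd", "GB00EXMP99999999999999", "alice", {"alice", "bob"})
    print(review_payment(bec))
```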
Ransomware is another major problem. Its impact can be reduced by backing up all data to two or more different platforms, such as portable hard drives and the cloud. This should be done daily.
After being scammed, a business should conduct an internal investigation to determine where the vulnerability that allowed the scam lay and how to correct it.
The National Cyber Security Centre has a guide on how to respond to a cyberfraud: ncsc.gov.uk/collection/small-business-guidance--response-and-recovery
What are some steps you can take towards protecting your business from data breaches?
The best advice for companies navigating DPA/GDPR compliance is to focus on training their staff and hiring the right people.
Employees at all levels of the company need to be familiar with the principles of the GDPR, because these affect everything from product design to marketing.
In addition, a data protection officer (DPO) may need to be hired to act as a point of contact inside and outside the organization for all GDPR-related matters. This is a highly skilled job, and not many candidates are qualified.
Privacy by Design
Implementing Privacy by Design (PbD) is the most effective step a company can take to protect its data. This framework mandates that privacy should be the default setting for a company’s operations — understood by staff across departments, and incorporated in product design from the very first stages.
Accounting for human error is also critical. Employees are responsible for up to two thirds of cyber breaches, whether through system misconfiguration or by falling victim to old-fashioned phishing scams. Any company serious about avoiding data breaches should make regular staff training and internal audits a top priority.
Businesses subject to the GDPR are legally required to include a privacy notice on their site explaining how they process user data.
Further Resources and Reading
The industry experts who contributed to this article.
This article was written and edited by Nathaniel Fried with industry knowledge from Simon Fogg (Legal Analyst at Termly), Steven J.J. Weisman (Founder of Scamicide) and David Reischer (CEO/Founder at ProBono.LegalAdvice.com at LegalAdvice.com Corp).
Steven J.J. Weisman
Position: Founder of Scamicide
Steve is a nationally recognized expert in scams, identity theft and cybersecurity as well as a lawyer, college professor and prolific author.
In his informative speeches, articles and books Steve makes difficult subjects such as cybersecurity, scams and identity theft not only understandable, but enjoyable with the humor he brings to these complex issues.
Position: Legal Analyst at Termly
Simon Fogg is a legal analyst and data privacy expert for Termly. He studies the latest news and trends in the data privacy space, then brings compliance solutions to business owners and digital professionals. His focus for the past two years has been tracking the GDPR and its international impacts.
Position: Cyber Security Architect | Security & Technology Leader | Qualified Solicitor | Blog
Commercial, pragmatic, technical, information security leader & polymath. Skilled communicator & public speaker. Risk-focused, practical, intelligible, incisive, friendly.