UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP
The UK GDPR applies to the security of “personal data” (ie, any information relating to an identified or identifiable individual who can be identified – directly or indirectly – by reference to an identifier such as a name, an identification number, location data or an online identifier). As such, only those cybersecurity incidents impacting personal data will be regulated by the UK GDPR (see also 6.1 Cybersecurity and Data Protection). The UK GDPR requires organisations to maintain “appropriate” technical and organisational security measures and to comply with certain notification obligations when “personal data breaches” occur. The DPA also allows for criminal prosecutions to be brought for certain cybersecurity-related breaches.

Secondly, the NIS Regulations currently apply to two categories of key infrastructure operators – namely, “operators of essential services” (OESs) and “relevant digital service providers” (RDSPs). Like the UK GDPR, the NIS Regulations require organisations that are subject to them to implement certain cybersecurity measures and to report certain cybersecurity incidents that affect such organisations. On 17 July 2024, the UK government announced the Cybersecurity and Resilience Bill (the “CS&R Bill”), which would expand the remit of the NIS Regulations to protect more digital services and supply chains. Please see 2.1 Scope of Critical Infrastructure Cybersecurity Regulation for additional information on the proposed updates to the NIS Regulations via the CS&R Bill.

Thirdly, the Product Security and Telecommunications Infrastructure Act 2022 (the “PSTI Act”), which came into force on 29 April 2024, requires manufacturers, importers and distributors of UK consumer-connected products to meet certain cybersecurity standards. This includes more stringent security requirements (eg, default password requirements and minimum support periods for providing security updates) and requirements to investigate any compliance failures and take remediation action, as well as notify relevant authorities and other third parties about such compliance failures (see 4.2 Key Obligations Under Legislation).

Fourthly, the Computer Misuse Act 1990 (CMA) is the UK’s primary legislation with regard to criminalising unauthorised access to computers and other IT systems. It contains a number of cybersecurity-related offences. A key offence under the CMA (Section 1) is where a defendant obtains “unauthorised access” to a computer – ie, the defendant causes a computer “to perform any function with intent to secure access to any program or data held in any computer” or “to enable such access to be secured” where such access is “unauthorised” and this is known to the defendant at the relevant time.

Fifthly, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PECR”), the EU Notification Regulations 611/2013 (the “Notification Regulation”), and the Communications Act 2003 (the “CA 2003”) contain cybersecurity obligations applicable primarily to electronic communications networks and service operations (such as telecommunications systems operators).

There are also sector-specific laws that contain cybersecurity obligations – for example, Financial Conduct Authority (FCA) rules (applicable to FCA-regulated firms), the Payment Services Regulations 2017 (PSRs) (which transposed the Second EU Payment Services Directive into English law and apply to payment service providers), and the Official Secrets Act 1989 (OSA) (which is applicable to certain official government information). Similarly, the Investigatory Powers Act
322 CHAMBERS.COM