Why cyber incident response is going global

Out-Law Analysis | 26 Oct 2020 | 10:11 am | 3 min. read

Organisations that operate across multiple jurisdictions should take the time to understand the regulatory requirements they would be subject to in the event of a data security incident, in light of the global cyber risk they face and recent moves by policy makers across the world to bolster data security requirements.

The need for multinational organisations to familiarise themselves with their regulatory obligations around the world is further reflected in analysis conducted by the cyber team at international professional services firm Pinsent Masons, which found that 30% of the cyber-related matters the team worked on in the past year involved at least two jurisdictions.

The GDPR

Data security obligations have been enshrined in a range of data protection legislation and sector-based regulations for years. In recent times, however, law makers and regulators have moved to stiffen the data security requirements businesses must meet, reflecting both the shift businesses have made towards digital services in response to growing customer demand and the increased and evolving cyber risk.

Perhaps the most significant development has been the implementation of the General Data Protection Regulation (GDPR).

The extra-territorial effect of the GDPR makes it relevant to businesses that may not think of themselves as subject to it. Guidance published by the European Data Protection Board (EDPB) in January 2020 confirmed that whether or not a business is subject to the GDPR depends on whether a particular processing activity it engages in falls within the scope of the Regulation. It means that organisations which either have offices or some form of "establishment" in the EEA, or which target sales of goods or services to individuals in the EEA or track the activities of individuals in the EEA can nevertheless be subject to the GDPR.

The territorial scope of the GDPR matters because of the tough new rules it introduced. Not only did the GDPR bolster expectations of the way organisations provide for the security of the personal data they collect, use and store, it introduced for the first time in EU legislation a general duty to notify personal data breaches to data protection authorities and data subjects, in certain circumstances, within 72 hours of such a breach being identified. Businesses in some sectors of the EU economy, such as telecoms and banking, already faced data breach notification requirements under earlier legislation.

In the context of cyber incidents, the EDPB's guidance makes organisations' assessment of whether or not the GDPR applies a nuanced one, with a particular focus upon the processing activities relevant to the incident. To carry out this assessment in the typical tight timescales following an incident can be particularly challenging for organisations and requires expert advice – 25% of instructions to our European cyber teams involve the provision of advice to non-EEA entities as to whether or not the GDPR applies.

In positive news for businesses, further guidance has been promised by the EDPB in relation to the 'one stop shop' mechanism that applies under the GDPR. This is the system that enables organisations to engage with just one data protection authority in respect of incidents or other matters that have a cross-border impact, instead of potentially tens of different authorities within the EU as was previously the case.

Our experience, as the EDPB's own reported findings support, is that the way the one stop shop mechanism operates could be improved, so further clarification of the procedural steps and harmonisation of the approach taken by data protection authorities across the EU would be welcome.

Other legal frameworks

The GDPR has been used as a model by other countries around the world that have moved to update, or introduce entirely new, data protection legislation. Brazil, Thailand and Panama are among the countries that have adopted new legislation that aligns closely to the GDPR.

Stuart Davey, Senior Associate

Mandatory data breach reporting is increasingly being favoured by policy makers. Just this month it was announced that changes to data protection rules in Singapore are planned, which would introduce mandatory breach reporting and allow for fines of up to 10% of annual turnover. In Hong Kong, a discussion paper issued in January 2020 indicated general support for the introduction of a mandatory breach notification mechanism, though legislative change is likely to be some years away.

Potential reform to data protection law in the UK could follow the end of the Brexit transition period, as hinted at in the UK government's recent national data strategy paper, but in the short-term at least a 'UK GDPR' will apply, as the legislation is set to be retained in UK domestic law from 1 January 2021.

However, even though the UK GDPR will mirror the obligations in the GDPR, organisations which operate in both the UK and across the EEA will still effectively be subject to two regimes and will therefore have to adapt to supervision by both the ICO and a lead supervisory authority in the EEA. This means that from the end of the transition period, those organisations may be exposed to two separate enforcement regimes, including two sets of penalties, in respect of incidents which breach both UK and EU data protection laws.

With the legal frameworks across the world set to change further around data security and breach reporting, and as cyber risk continues to evolve and pose a threat, it is incumbent on businesses operating across jurisdictions to familiarise themselves with their regulatory requirements and prepare effective, tested incident response plans.