Stricter UK cyber duties on online accounts and data explored

Out-Law News | 02 Sep 2022 | 3:59 pm

Stricter cybersecurity requirements could be written into UK law to address the risk of criminals gaining unauthorised access to online accounts and user data and trading the information on the internet.

The potential reforms were alluded to in a ‘call for information’ published by the UK Home Office – the first step in what the department is calling a new ‘Cyber Duty to Protect programme’.

The call for information seeks views on “potential government intervention to reduce the burden of cybersecurity from the citizen and encourage organisations to further protect users’ accounts and personal data”.

The Home Office is exploring options for intervention after data published earlier this summer by the Office for National Statistics (ONS) revealed that there had been an estimated 89% increase in computer misuse offences in the year ending March 2022, with an estimated 158% increase in unauthorised access to personal information offences, such as hacking. In total, the ONS said there had been an estimated 1.6 million computer misuse offences in the year ending March 2022.

Priti Patel, UK home secretary, said: “We believe measures may be needed in particular to address the large volume of cyber crimes committed by criminals with a relatively low level of technical sophistication. Accordingly, the Home Office is seeking information to inform the development of proposals to further reduce cyber crime, and the offences facilitated by it.”

“This work will explore measures to reduce the burden on citizens for cyber security, including the application by organisations of secure-by-default principles to protect user accounts and information. It will also examine whether to supplement requirements in data protection legislation to ensure that providers of online services and accounts, as well as processors and holders of UK citizens’ personal data, exercise an appropriate and proportionate degree of responsibility for the protection required of the data and access to it,” it said.

The Home Office’s call for information paper does not contain firm proposals for reform, but views are invited on a range of issues, including where businesses and other stakeholders think responsibility for ensuring better protection of personal data should lie, and on the use of “enhanced authentication solutions”, such as multi-factor or two-factor authentication.

Cyber risk expert Laura Gillespie of Pinsent Masons said: “The GDPR already requires that adequate technical and organisational security measures are put in place to prevent unauthorised access to personal data, with fines and compensation claims potentially following where measures have fallen short. There is also criminal liability for those who gain unauthorised access to personal data under the GDPR and via the Computer Misuse Act too, under which the Information Commissioner’s Office (ICO) has previously exercised prosecution powers.”

“It is unclear exactly what action the government will take at this stage, but fleshing out new ‘secure-by-default principles’ would reflect the existing trend towards stricter cybersecurity obligations: the ICO has developed specific guidance on ransomware, and there are already cyber-related legislative reforms in the pipeline affecting managed service providers and other suppliers of services of major infrastructure operations, under the proposed reforms to the NIS Regulations,” she said.

“If the government does decide to supplement data protection law requirements, it is possible that it will do so by adding amendments to the Data Protection and Digital Information Bill, which is currently before parliament. Whatever changes it pursues, and regardless of its preferred mechanism for reform, expectations for robust cybersecurity preparedness and controls are increasingly high,” Gillespie said.