Welcome to HSF’s summary of top picks for cyber-related news in the UK, EMEA and US, this time covering both December 2023 and January 2024.
Our short summary and commentary is aimed at giving you the awareness and insights you need, with minimum time investment. Below you will find:
- Developments in regulatory requirements and guidance;
- Wider cyber industry news; and
- Particularly noteworthy (reported) cyber incidents.
New Cybersecurity Governance Code Puts Cyber Risks on Boardroom Agenda
Infosecurity Magazine – 23 January 2024
The UK Government is calling for views on a draft new Code of Practice on cybersecurity governance to assist senior business leaders to better understand what good governance may look like in circumstances where much regulation in outcomes focussed and difficult to interpret into practice. The UK Government’s Department for Science, Innovation and Technology (DSIT) in partnership with industry directors, cyber and governance experts and the National Cyber Security Centre (NCSC) have identified some common fundamental actions and have sought to bring together the critical governance areas that directors need to take ownership of in one place, in a form that is simple to engage with, for organisations of all sizes. The call for views is open until 19 March 2024.
23andMe divides opinion with ‘victim-blaming’ approach following data breach
Business Insider – 04 January 2024
23andMe’s response to their recent data breach affecting 7 million accounts has been controversial in some quarters. The genetic testing company wrote to lawyers representing customers involved in a class action against the company, stating that it believed that hackers had initially been able to access “certain user accounts ” (some c.14,000 accounts) where those users had “negligently” recycled passwords and usernames from other websites, which had been compromised when those websites had been subject to prior security breaches. The attackers had then used a feature of 23andMe to gain access to 7 million accounts. 23andMe has faced a series of lawsuits from customers, and its language in apparently blaming users for the breach has drawn some criticism, with the majority of industry experts opposing the stance adopted and placing responsibility on organisations for breaches that occur within their infrastructure. The media attention surrounding the arguments put forward in public documents highlights the importance of messaging and PR in the context of cyber incidents affecting a large number of individuals.
Netcompany faces €2 million fine following failure to protect user data
Global Data Review – 12 January 2024
The Danish data protection regulator has recommended its largest-ever GDPR fine against Netcompany, an IT service provider, for failing to protect user data on its digital mailbox. As the regulator cannot issue fines, it reported the company to the Danish police, recommending a 15 million kroner (€2 million) fine. The regulator cited that the company’s failure to ensure appropriate security levels or prepare proper impact assessments before developing a new IT solution led to the user data breach. This highlights the importance of secure by design principles and regulators’ continued focus on the entire lifecycle of solutions/products which are capable of leading to personal data breaches.
CJEU clarifies meaning of “non-material damage” in context of data breaches
Court of Justice of the European Union (CJEU) – 14 December 2023
The Court of Justice of the European Union’s (CJEU) has delivered a preliminary ruling that the fear of a possible misuse of personal data is capable, in itself, of constituting non-material damage. In response to a referral from the Bulgarian Supreme Administrative Court for clarification on the conditions for awarding compensation for non-material damage where personal data is published on the internet after a cyber attack. In addition, the CJEU stated that the burden of proof to show that the protective measures implemented were appropriate lies with the controller. This will be of concern to many organisations who have suffered a data breach; whilst CJEU decisions are not binding in the UK post-Brexit, such jurisprudence is likely to remain influential.
CJEU rules on conditions under which fines may be imposed under GDPR
Court of Justice of the European Union (CJEU) – 05 December 2023
This CJEU press release unpacks the CJEU’s recent ruling on confirming that a data controller must have committed an infringement “wrongfully” (intentionally or negligently) in order to be fined under the GDPR and that in the context of a fine on an affiliate of a larger group of companies, the maximum fine must be calculated based on the group’s annual turnover. The original case centred around a penalty of 14.5 million euros (U.S. $15.7 million) against Deutsche Wohnen by the Berlin Data Protection Commissioner in 2019 for alleged violations of the GDPR regarding retention of tenant data for longer than necessary.
OpenAI Working With U.S. Military on Cybersecurity Tools
Time – 17 January 2024
OpenAI has amended its usage policies to eliminate specific text related to the usage of its AI technology or large language models for ‘military warfare’. Prior to this, the usage policy specifically disallowed the use of OpenAI models for weapons development, military and warfare. Shortly after, OpenAI announced that it intends to collaborate with the U.S. Defense Department to reduce veteran suicides, indicating a weaking of the company’s stance on working with military organisations, though OpenAI clarified that it its intended collaboration will not involve the development of weapons.
Merck reaches settlement with insurers over $1.4bn NotPetya cyber attack
Reinsurance News – 10 January 2024
The pharmaceutical giant, Merck & Co Inc., has reached an agreement with its insurers over the $1.4 billion in losses Merck alleged it suffered from the NotPetya ransomware cyberattack in 2017. The original insurance claim was make under Merck’s “all risks” coverage. However, as the attack was later attributed to Russian military intelligence, insurers had argued that the losses were barred by a war exclusion in the policy. Merck won at first instance and appellate level in New Jersey before the settlement was reached shortly before a hearing at the New Jersey Supreme Court.
UK Government opens consultation on proposed regulation to improve UK data infrastructure
Gov.UK – 14 December 2023
The UK Government is consulting on a proposed regulation to protect and enhance the security and resilience of UK data infrastructure; focussing on third-party data centre services. Among the proposals are wide ranging and include the introduction of a new regulatory function to implement and enforce the proposed framework; incident reporting requirements to the regulator, customers and other affected parties; registration of relevant data centre providers with the designated regulator; introduction of a duty to comply with a security and resilience baseline and introduction of a standards and assessment framework for compliance. The consultation closes on 22 February 2024.
EU Parliament Committee adopts draft report of Cyber Solidarity Act
European Parliament News – 07 December 2023
The EU Parliament Committee has adopted the EU Cyber Solidarity Act. The legislative proposal seeks to bolster the European Union’s ability to detect, prepare for, and respond to cybersecurity threats and incidents. It also includes proposals to support the development of cybersecurity skills across the EU, and to boost citizens engagement.
NCSC updates cybersecurity guidance for high-risk individuals
National Cyber Security Centre – 07 December 2023
The National Cyber Security Centre (NCSC) has updated its cybersecurity guidance for high-risk individuals (e.g. politically exposed persons) on protecting their accounts and devices. The guidance looks at how and why individuals may be targeted and provides advice, including on the use of two-step verification, social media use and settings and installation of updates.
FDIC releases November enforcement actions
JDSupra – 08 January 2024
This article discusses the Federal Deposit Insurance Corporation’s (FDIC) publication of a list of administrative enforcement actions taken against banks and individuals in November. The FDIC made 12 orders public, including a stipulated order and written agreement with a Tennessee-based bank to resolve alleged violations of the Bank Secrecy Act (BSA) and weaknesses in board and management oversight of its information technology function.
EDPB publishes contribution to European Commission’s report on the application of the GDPR
European Data Protection Board – 15 December 2023
This European Data Protection Board (EDPB) update highlights the EDPB’s contributions to the European Commission report on the application of the GDPR. As part of its contributions, the EDPB states that while the application of the GDPR has been successful, data protection authorities and the EDPB require sufficient resources to continue carrying out their tasks.
Telecommunications Bill 2023 enacted in India
Rashtrapati Bhavan – 26 December 2023
This article looks at the new Telecommunications Bill 2023 enacted in India. The bill grants the Central Government authority to set encryption and other cybersecurity standards for service providers.
NASA Issues New Space Security Best Practices Guide
NASA.gov – 22 December 2023
This article outlines the new Space Security Best Practices Guide issued by NASA to bolster mission cybersecurity efforts for both public sector and private sector space activities. The guide represents a significant milestone in NASA’s commitment to ensuring the longevity and resilience of its space missions and will serve as a resource for enhancing their security and reliability.
For further information, please contact:
Peter Dalton, Partner, Herbert Smith Freehills
peter.dalton@hsf.com