Cyber - market insights Q3/Q4 2024

Ransomware activity predicted to rise

Despite the significant downturn in ransomware attacks following the take-down of the Lockbit gang, one of the world’s most sophisticated and successful ransomware groups, ransomware incidents have started to rise during the second half of 2024 as criminal gangs recover from disruptions such as law enforcement actions. Some sources report that the number of attacks claimed by ransomware actors in the second quarter of 2024 was 36% higher than in the first quarter.

Consultation on the cybersecurity of AI in the UK

Kennedys has responded to this consultation, addressing the cybersecurity of AI in light of the increasingly complex cybersecurity landscape facing organisations in the UK.

The consultation sought views on a two-part intervention that includes a voluntary Code of Practice on AI cyber security, which will form a new global standard.

ICO’s “Learning from the mistakes of others” report

In May 2024, the ICO published its “Learning from the mistakes of others” report, highlighting the year-on-year increase in cyber attacks over the last 10 years. The report also highlights the exponential rise in security incidents over that period and the increasingly diverse range of attacks undertaken by threat actors. The ICO’s own trend data shows a 33% increase in cyber incidents in 2023 (3,285 incidents) over those reported in 2022.

By showing how breaches can occur, the ICO intends to educate organisations on (i) the common security control failures that led to breaches; and (ii) the steps that should be put in place to ensure that such controls operate effectively and minimise the risk of companies experiencing their own breach.

The ICO’s review demonstrates the increasing frequency and complexity of such attacks, and the critical need for organisations to continue to document and test their plans for incident response, business continuity and disaster recovery.

CrowdStrike global IT outage

On 19 July 2024, a global IT outage originating from the cybersecurity firm CrowdStrike caused major disruption to many industries around the world. Insurers have predicted that the incident will cost US Fortune 500 companies US$5.4bn, with banking, major airlines and healthcare companies expected to suffer the greatest losses.

The EU Artificial Intelligence (AI) Act

The EU AI Act came into force on 2 August 2024. Businesses that fall within scope of the Act will be required to comply with its obligations subject to a phased implementation timeline:

  • The provision prohibiting AI systems with an unacceptable risk will come into force on 2 February 2025.
  • The governance rules and obligations for General Purpose AI will apply from 2 August 2025.
  • The entire Act will then apply to AI systems from 2 August 2026.
  • The obligations in relation to high-risk AI systems and for all risk categories will come into force on 2 August 2027.

We have identified the AI Act as a key update in the Product liability and Life sciences sections.

Update on AI regulation in the UK

The Artificial Intelligence (Regulation) Bill, introduced as a Private Member’s Bill by Lord Holmes of Richmond in the House of Lords on 22 November 2023, was dropped following the dissolution of Parliament on 30 May 2024.

Although the King’s Speech did not include an AI bill, it stated that the new government “will seek to establish appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models”. The Prime Minister has also pledged to “harness the power of artificial intelligence as we look to strengthen safety frameworks”.

Businesses can therefore expect the government to consult on future legislative proposals in the months ahead. In the meantime, the previous government’s flexible, principles-based approach to AI regulation will continue to apply.

Do data breach claims require authorisation from Ireland’s Injuries Resolution Board?

Ireland’s highest court, the Supreme Court, is set to consider whether it is necessary to get an authorisation from Ireland’s Injuries Resolution Board (formerly PIAB) prior to issuing a claim under data protection legislation for damages for distress and anxiety caused by a data breach.

Recent years have seen an increase in claims for non-material or emotional damages arising from data breaches. The High Court decision in Dillon v Irish Life Assurance [11.04.24] suggests that these claims require authorisation from the Injuries Resolution Board, even if brought under the Data Protection Act 2018. Permission to appeal was granted at the end of July, and the Supreme Court appeal date is awaited.

New government bills

  • The Digital Information and Smart Data Bill (Smart Data and Digital Verification Services)
  • The Cyber Security and Resilience Bill

Case developments

Push payment fraud: High Court considers banks' retrieval duty

CCP Graduate School Ltd v National Westminster Bank Plc

The decision, which could lead to a ‘retrieval duty’ on banks where funds are diverted, is the latest to outline the duty of banks to challenge potentially fraudulent payments (often referred to as the ‘Quincecare duty’).

As those with experience handling the fallout from cybercrime know all too well, cybercriminals are adept operators who quickly move funds beyond the recovery capabilities of the payor and payee banks (usually to third-party, offshore, or cryptocurrency accounts). As it is unlikely that any reasonable steps in a 'retrieval duty' would extend to tracing funds, even if a duty is confirmed, it is unclear whether it would materially improve the prospects of recovering diverted funds.