Co-authors: Joshua Curzon and Edward Le Gassick, trainee solicitors, UK cyber and data risk team.
A summary of the latest cyber and data privacy developments and critical issues for organisations to consider in the United Kingdom, European Union and the United States.
- Facebook in a (€265m) scrape
- Regulatory developments between the EU and US
- Regulatory developments between the UK and US
- The rise of ransomware
- Business email compromise: liability and funds recovery following fraudulent funds diversion
- ICO enforcement action
1. Facebook in a (€265m) scrape
In November 2022, the data protection regulator of Ireland, the Data Protection Commission (DPC) announced a fine of €265 million and several corrective measures against Meta Platforms Ireland Limited – the data controller of Facebook. This fine follows the announcement of a €405 million fine issued to Meta just two months before.
The DPC investigation was triggered by the release of a large dataset of personal data from Facebook being made available on the internet in 2021, allegedly the result of malicious data scraping by cyber attackers.
What is data scraping?
Data scraping is the automated collection of data from a public-facing website, using either widely available pre-made tools or custom-made tools that vary widely in complexity. The tool makes automated requests to the website in high volume, collects the responses, parses out the fields of interest and collates them into a structured format such as a spreadsheet for onward use.
The DPC's decision
The DPC found that Meta had failed to comply with Article 25(1) and (2) of the EU GDPR. This Article sets out the obligation of data protection by design and by default, commonly referred to as ‘privacy by design’: in short, the foundational protection of people's information through the weight placed on data protection when the technology is being built. Many would argue that it is unclear how best to ensure compliance with Article 25 because, beyond naming pseudonymisation as an example, it does not prescribe specific protective measures, unlike other provisions of the GDPR.
Alleviating the risk
There are numerous ways to ensure compliance with Article 25 provisions of the EU (and UK) GDPR. However, in general regulators require organisations to ensure that safeguards and technical preventative measures are ‘baked into’ common practice.
Organisations should consider the scope, circumstances and purpose of collecting or displaying personal information and ensure appropriate certification. The International Organization for Standardization (ISO) is renowned for its international standards in this respect, and compliance with standards such as ISO/IEC 27001 (information security management) and ISO/IEC 27701 (privacy information management) will likely help demonstrate that genuine consideration has been given to Article 25.
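One concrete form a ‘baked-in’ safeguard against the scraping described above can take is server-side detection of clients that enumerate many distinct profile pages at machine speed, so that they can be throttled or blocked before a large dataset leaves the site. The example below is added here as an illustration and is not part of the DPC decision or of any Meta system: the access log lines are constructed, the `/profile/` path prefix is assumed, and the thresholds are assumptions that a real site would tune to its own traffic.

```python
"""Detect scraping-like access patterns in web server logs.

Added illustration, not part of the DPC decision or any Meta system: the log
lines are constructed and the thresholds are assumptions a site would tune to
its own traffic. The safeguard is the kind Article 25 expects to be designed
in: watch for one client enumerating many distinct profile pages at machine
speed, then throttle or block it."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.
# 203.0.113.7 - - [03/Apr/2021:10:00:00 +0000] "GET /profile/1000 HTTP/1.1" 200 5123
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed access log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


def find_scrapers(lines, prefix="/profile/", window=timedelta(seconds=60),
                  max_requests=30, max_distinct=20):
    """Flag clients that fetch more than `max_requests` profile pages within any
    `window`, or more than `max_distinct` different profiles overall.
    Returns {ip: (requests_in_busiest_window, distinct_profiles)}."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(prefix):
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        busiest, start = 0, 0
        for end in range(len(recs)):            # sliding window over timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            busiest = max(busiest, end - start + 1)
        distinct = len({r["path"] for r in recs})
        if busiest > max_requests or distinct > max_distinct:
            flagged[ip] = (busiest, distinct)
    return flagged


def make_sample_log():
    """Constructed sample: 203.0.113.7 walks sequential profile ids once a
    second (scraper-like); 198.51.100.23 views a couple of profiles over
    several minutes (ordinary browsing). Addresses are documentation ranges."""
    base = datetime(2021, 4, 3, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(50):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /profile/{1000 + i} HTTP/1.1" 200 5123')
    for i, path in enumerate(["/profile/1000", "/profile/2042", "/profile/1000"]):
        ts = (base + timedelta(minutes=2 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.23 - - [{ts}] "GET {path} HTTP/1.1" 200 5123')
    return lines


if __name__ == "__main__":
    for ip, (burst, distinct) in find_scrapers(make_sample_log()).items():
        print(f"{ip}: {burst} profile requests in 60s, {distinct} distinct profiles")
```

The two signals are deliberately independent: a scraper that slows itself below the rate threshold still trips the distinct-profile count, and a scraper that rotates source addresses shows up as many clients each touching a handful of profiles, which is why production deployments key the same counters on session or account identifiers as well as on IP address.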
Author: Edward Le Gassick, trainee solicitor, UK cyber and data risk team (email Edward)
2. Regulatory developments between the EU and US
The economic relationship between the European Union and the United States totals almost $7.1 trillion and in large part relies on frictionless data transfers. President Biden has recently signed an executive order, ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which is intended to form the final piece of the jigsaw for an EU-US Data Privacy Framework.
The executive order forms part of a wider attempt to secure a European Commission (EC) adequacy decision after its predecessor, the ‘Privacy Shield’, was held inadequate for personal data transfers from the EU to the US by the Court of Justice of the European Union (CJEU) in its ‘Schrems II’ decision. The EC has since published a draft adequacy decision, indicating that the executive order and the wider framework meet the required standard.
However, this attempt at adequacy is likely to be challenged too, as the Privacy Shield was, because the contents of the executive order, especially in relation to the intelligence services, differ only slightly from its ill-fated predecessor. Core tenets of the Biden administration's approach rely on an analysis of proportionality, which does not sit comfortably with the CJEU's historic approach.
The draft adequacy decision now proceeds to an influential review by the European Data Protection Board (EDPB). Its passage will be an insightful test of the EC's and the EDPB's ability and willingness to adapt to non-member states' data protection standards, particularly where state apparatus central to wider policy, such as the intelligence services, is concerned. Even if adopted, the decision may well face the same stumbling blocks under CJEU scrutiny as the Privacy Shield did.
Organisations are not able to rely on the draft decision immediately. Given that the remaining stages of the assessment process have historically taken up to a year, the framework is unlikely to be operational before the latter half of 2023.
Author: Edward Le Gassick, trainee solicitor, UK cyber and data risk team (email Edward)
3. Regulatory developments between the UK and US
Glancing west from Brussels, a unique ‘UK-US Data Access Agreement’ has been agreed by the United States and the UK.
This novel Agreement allows law enforcement agencies to demand electronic data from communication service providers (CSPs). A CSP is broadly defined to encompass telecommunications companies, email providers, VPN providers, social media platforms and other mobile and computer applications that facilitate communication and fall within the scope of the Agreement.
In terms of process, a CSP will be issued an Overseas Production Order (OPO) from the other jurisdiction (for example, a UK company might receive an order from the FBI) enclosing a demand for data pertaining to an individual.
Whilst the Agreement is untested at present (as far as we are aware), receipt of such an order by a UK entity raises pressing legal issues given that a response to any order is due within seven days, and failure to comply can result in both the recipient company and its director(s) being found in contempt of court.
An unintended breach of privacy laws is a genuine risk given the absence of any current adequacy decision in respect of the US. Kennedys’ established cyber and data protection footprint means that advice on trans-jurisdictional issues such as these is certain to consider a globally informed perspective.
Author: Edward Le Gassick, trainee solicitor, UK cyber and data risk team (email Edward)
4. The rise of ransomware
Data trends
The Information Commissioner's Office (ICO) has released a dataset on reported data security incidents between Q2 2019 and Q2 2022, in which ransomware stands out as one of the biggest trends. The key takeaways from the ICO’s dataset are:
- The number of ransomware incidents between Q2 2019 and Q2 2022 has increased by 339%, and proportionally from 1% to 7% of all incidents.
- An average of 21% of ransomware attacks each year affect more than 1,000 individuals.
Ransomware has rapidly increased from just 8% of all cyber incidents in 2019 to 32% in 2022, a close second to phishing at 35%. The scale of ransomware incidents is also increasing; the proportion of reported ransomware incidents affecting more than 100,000 data subjects has increased from 2% in 2019 to 5.9% in 2022.
Changes to the ICO’s approach
The ICO is accordingly changing its approach and appears to be focusing its resources on large ransomware incidents. The ICO investigated 94% of ransomware incidents affecting more than 100,000 individuals, compared to just 48% of non-ransomware incidents of the same scale.
What does this mean for organisations?
Organisations face greater regulatory risk in respect of increasingly prevalent and large-scale ransomware threats in addition to the reputational and business interruption risks. Those holding large quantities of personal data should be cognisant of the risks of regulatory scrutiny from the early stages of a ransomware or other cyberattack, and should look to mitigate that risk through effective legal advice and a considered regulatory engagement strategy. The recent Interserve decision demonstrates that regulatory engagement can have a tangible and significant impact in reducing the value of a fine imposed by the ICO.
Author: Joshua Curzon, trainee solicitor, UK cyber and data risk team (email Joshua)
5. Business email compromise: liability and funds recovery following fraudulent funds diversion
Background
In September 2018, cybercriminals managed to gain unauthorised access to the email system of the New York-based company Studco Building Systems US, LLC (Studco).
Studco was expecting information about a change of payment details from a supplier, but the cybercriminal intercepted the communication. The cybercriminal sent Studco a ‘spoofed’ email, which appeared as if it had come from the supplier, instructing Studco to make future payments to an account at 1st Advantage Federal Credit Union (1st Advantage). Studco duly made payments for supplies to the fraudulent account at 1st Advantage. The funds were then withdrawn from the bank account in question.
Headline of decision and outcome
Studco was able to recover compensatory and punitive damages (plus fees and costs) from 1st Advantage due to the failure of anti-fraud and anti-money laundering controls at the bank, which had in the US District Court’s view allowed: (i) the creation of the fraudulent account in the first place; (ii) the funds to be paid into that account without fraud being detected; and (iii) the funds to be withdrawn via a series of highly suspicious transactions.
Considerations
Business email compromises can have extremely serious impacts on businesses, including:
- The potential compromise (and theft) of commercially sensitive information.
- Personal data breaches potentially leading to multi-jurisdictional regulatory action and legal claims.
- Significant cost exposure caused by:
  - Business interruption
  - Fraudulent payment misdirection
  - Remediation measures (including expert vendor costs)
  - Reputational damage with impacted customers
  - Legal claims such as the one that is the subject of this commentary.
Key takeaways
This case highlights several issues concerning business email compromises globally:
Technical and organisational controls aren’t infallible
Cybercriminals are constantly finding new ways to compromise business email accounts despite organisational and technical controls being in place, particularly where proper action is not taken to mitigate emerging risks (for example, bypassing of multi-factor authentication – for more detail see Kennedys’ in-depth article). In this case, the victim had implemented specific training on ‘spoofing’, but it had not been enough to prevent the fraudulent payment diversion.
Processes are only as strong as the weakest link
The victim had processes in place for updating payment information, which helped mitigate the risk, but these controls were circumvented because the cybercriminal had access to the victim’s email system and could make the change request look as though it came from the supplier.
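A payment-details change request is exactly the message a process control should stop and route for out-of-band verification (a call to the supplier on a number already on file, never one taken from the email). The example below is an added triage check, not code from the Studco case or from either party: it takes a constructed message with hypothetical domains and headers, flags a lookalike sender domain, a Reply-To pointing elsewhere, failed or absent SPF/DKIM/DMARC results, and wording that requests new bank details. The decision does not describe how the spoofing was done, so these are the generic indicators a practitioner would check, and they supplement rather than replace the callback step.

```python
"""Triage checks for an email that claims to change a supplier's payment details.

Added example with constructed messages; the domains, headers and keyword list
are hypothetical and not taken from the Studco v 1st Advantage record."""
import difflib
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Wording that should trigger out-of-band verification (assumed list, extend per business).
CHANGE_WORDS = re.compile(
    r"\b(new bank|bank details|account number|sort code|routing number|payment details|remit to)\b",
    re.I,
)


def _domain(addr):
    """Mailbox domain of an address header value, lower-cased ('' if absent)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def triage_payment_change(raw, trusted_domains):
    """Return a list of human-readable findings for a raw RFC 5322 message.
    An empty list means none of the indicators fired, not that the message is safe."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom

    # 1. Sender domain: exact match against known supplier domains, else lookalike check.
    if from_dom not in trusted_domains:
        close = difflib.get_close_matches(from_dom, trusted_domains, n=1, cutoff=0.8)
        if close:
            findings.append(f"sender domain {from_dom!r} is a lookalike of trusted {close[0]!r}")
        else:
            findings.append(f"sender domain {from_dom!r} is not a known supplier domain")

    # 2. Replies silently redirected to a different domain.
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # 3. Authentication-Results written by the receiving MX (assumed present).
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m is None:
            findings.append(f"no {mech} result recorded")
        elif m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1)} in Authentication-Results")

    # 4. Body asks for a change to where money is sent.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if CHANGE_WORDS.search(text):
        findings.append("body requests a change to payment details")
    return findings


# Constructed suspect message: one-character lookalike domain, redirected replies,
# no SPF/DMARC pass, and a request to pay a new account.
SUSPECT = """\
From: Accounts Payable <accounts@examp1e-supplier.com>
Reply-To: accounts@mail-forward.example.net
To: ap@example-buyer.com
Subject: Updated remittance details
Authentication-Results: mx.example-buyer.com; spf=none smtp.mailfrom=examp1e-supplier.com; dmarc=none header.from=examp1e-supplier.com
Content-Type: text/plain; charset=utf-8

Please note our new bank details for all future payments. Account number 12345678, sort code 00-00-00.
"""

# Constructed benign message from the genuine supplier domain with passing authentication.
CLEAN = """\
From: Accounts Payable <accounts@example-supplier.com>
To: ap@example-buyer.com
Subject: Invoice 4471
Authentication-Results: mx.example-buyer.com; spf=pass smtp.mailfrom=example-supplier.com; dkim=pass header.d=example-supplier.com; dmarc=pass header.from=example-supplier.com
Content-Type: text/plain; charset=utf-8

Invoice 4471 for the March deliveries is attached. Terms are unchanged.
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(name, triage_payment_change(raw, ["example-supplier.com"]))
```

The ordering matters in practice: a message that fires the body check alone (a genuine supplier really changing its bank) still needs the callback, while a lookalike domain or a redirected Reply-To is a reason to stop the payment run regardless of what the body says.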
Recovery can be lengthy and difficult
The victim had to take legal action to recover the funds and the recent decision in 2023 comes almost four and a half years after the incident in late 2018.
Two sides
The victim’s money was stolen, but the misdirection of funds might have meant its supplier didn’t get paid on time either.
Human error
The bank missed opportunities to stop the fraud – the risk of human error cannot be fully eliminated.
Author: Joshua Curzon, trainee solicitor, UK cyber and data risk team (email Joshua)
6. ICO enforcement action
Cybersecurity failings… regulatory fines
In October 2022, Interserve Group received a £4.4 million fine from the Information Commissioner’s Office (ICO) for breaches of the UK GDPR which left the construction company vulnerable to a ransomware attack. The ICO found that Interserve had breached Articles 5(1)(f) and 32 of the UK GDPR, both for failing to implement appropriate security measures and for failing to restore the availability and access to personal data in a timely manner.
The ICO identified seven key security failings, which collectively amounted to a breach of the UK GDPR:
- Unsupported operating systems
- Inadequate end-point protection
- A lack of regular penetration testing
- A lack of cybersecurity training
- Outdated IT protocols
- A deficient initial response to the incident
- Poor management of administrator accounts.
Calculating the fine
The ICO calculated the fine with reference to both mitigating and aggravating factors, attributing a monetary value to each:
[Table: mitigating factors (Interserve's conduct and the value attributed to each) | aggravating factors (Interserve's conduct and the value attributed to each)]
Summary
The key learning is that organisations must be alert to industry best practice, the functioning of their policies and controls (including those policies and controls focused on data protection), and technical measures warranted by their size. Organisations should also be aware of the real value (£600k in this case) of engaging cooperatively with regulators and proactively implementing mitigation and remediation measures.
This is a high-level overview of the Interserve Monetary Penalty Notice. For more analysis, please see Kennedys’ in-depth article.
Author: Joshua Curzon, trainee solicitor, UK cyber and data risk team (email Joshua)
Related item: US Privacy & Breach Litigation Monitor, February 2023