Cyber and Data Risk

From cyber security for remote working to privacy-related mass litigation, we offer our international experts’ predictions on the opportunities and challenges that the cyber and data risk market may face in the coming year and beyond.

Cyber and Data Risk predictions
#1 A UK and US perspective: with the balance of any workforce now ‘remote’, increasing demands for remote accessibility and reliance on cloud service providers will trip up those companies that do not adapt cyber security to the new normal

While businesses have been quick to adapt to remote working in the wake of the COVID-19 pandemic, not all IT departments have had the chance to secure business-critical systems for the new reality of the virtual workplace. The majority of modern-day cyber threats exploit vulnerabilities in the Remote Desktop protocols and servers supporting the running of office communication software. Such previously unknown, so-called ‘zero-day’ vulnerabilities are discovered on a daily basis by cyber criminals, and it is imperative for all information security professionals to review patching and security measures surrounding newly activated remote access. In the US, growing reliance on cloud service providers under COVID-19 is making it more difficult to determine whether an occurrence is an insurable failure of the insured’s computer system or an uninsurable infrastructure failure. Unless the insurance market begins to adjust to this new reality, carriers may find themselves on the wrong end of future US court judgments.

#2 Widening rights, rising quantum and evolving litigation funding will see data claims rise around the world

The first signs of a real privacy-related mass litigation wave in the United Kingdom started in 2020 and the current climate suggests group and individual privacy claims are here to stay. 2021 may prove a very busy year for businesses defending such actions. Claimant solicitors are adept at exploiting the targeted advertising potential of social media to recruit new clients, with client onboarding even using automated chat bots. The Privacy Pre-Action Protocol in England and Wales introduced in late 2019 is still relatively claimant friendly and, with legal costs often exceeding the sums at issue by many multiples, defendants will continue to offer settlements regardless of the merits, thereby fuelling further claims.

#3 Schrems judgment and Brexit will drive data localisation

The recent decision by the Court of Justice of the European Union (CJEU) in Schrems II, which invalidated the adequacy status of the EU-US Privacy Shield, sparked a wave of uncertainty across the privacy departments of businesses whose operations rely on EU-US data transfers. While the CJEU did not invalidate the alternative mechanism of standard contractual clauses, it imposed onerous obligations on companies processing data outside the EU who are relying on them. This has resulted in onerous guidance from the European Data Protection Board as to the due diligence and supplemental measures that must occur when transferring personal data overseas. The end of the UK’s post-Brexit transition period and the present lack of clarity as to whether the country will be afforded adequacy status by the EU only add to the uncertainty for British and foreign organisations wishing to transfer data to or from the UK. A seemingly easy solution is the relocation of data centres to other EU member states, but such data localisation practices can be costly.

#4 Companies need to consider the data protection rules around the use of AI

From Uber to the UK Government’s attempt to introduce predictive grading to replace the cancelled A-Level exams, the use of Artificial Intelligence (AI) has proved controversial. Companies wishing to utilise possibilities presented by AI should be aware of the range of risks involved in the use of technologies processing personal data in opaque ways with complex algorithms. The issue certainly caught the interest of the UK Information Commissioner’s Office (ICO) which recently launched detailed guidance explaining how data protection principles apply to AI projects. The ICO’s guidance raises specific awareness around automated decision-making and issues of transparency and sends a message to organisations that the use of AI is now on the regulator’s priority list.

#5 An Australian perspective: Australian Government will boost cyber security for infrastructure and businesses

Cyber resilience will continue to be a priority for Australia, as outlined in the Government’s 2020 Cyber Security Strategy. The strategy includes A$1.67bn pledged over the next decade to enhance cyber-security capabilities across government, businesses and the community through programmes and regulatory reforms. These are aimed at protecting Australia’s critical IT infrastructure and systems of national significance, and building cyber security support and standards for businesses, with tailored support for SMEs. Data extortion will remain a major problem, particularly as the size of ransoms is increasing significantly. The Office of the Australian Information Commissioner (OAIC) has become increasingly proactive over ransomware incidents. The OAIC is expected to take more action against companies for not adequately securing personal information in 2021. This will force companies to reconsider how they secure key customer data and intellectual property.

#6 A New Zealand perspective: New Zealand’s new Privacy Act 2020 will see privacy breaches taken seriously

New Zealand’s long-awaited Privacy Act 2020 took effect on 1 December 2020. The headline reform, the introduction of mandatory notifications for privacy breaches, will impose new obligations on insureds that suffer cyber or data incidents. The Act also introduces a raft of other changes, including increased powers for the Office of the Privacy Commissioner to compel compliance, new cross-border disclosure controls, and various criminal penalties. While not having the significant fining powers of other jurisdictions, the new Act suggests New Zealand will see a more active Privacy Commissioner, increased compliance costs following data breaches and greater market appetite for insurance.
