International cyber and data privacy insights – July 2023

This article was co-authored by Joshua Curzon and Edward Le Gassick, trainee solicitors, and Jacqueline Baker, Legal Assistant, UK cyber and data risk team.

A summary of the latest cyber and data privacy developments and critical issues for organisations to consider in the United Kingdom, European Union and the United States.

1. Cybercrime affects all businesses – big or small
2. The clock is ‘Tiking’ on children’s personal information
3. Cyber security and intellectual property
4. The ‘zero trust’ approach to cyber security - a growing priority in Europe
5. Business Email Compromise 2.0
6. MFA bypass: the man in the middle
7. Data Protection and Digital Information (No.2) Bill is progressing through UK Parliament

Cybercrime affects all businesses – big or small

A common misconception about cybercrime is that it only affects big organisations. The reality is that cybercrime affects small and medium sized businesses (i.e. SMEs) too, and dealing with a cyber incident can become all-consuming for smaller management teams which might already be stretched.

In an increasingly digital world, the consequences of IT disruption can be far-reaching. If IT systems don’t function, organisations may find themselves partly or fully inoperational, unable to invoice for work done, or unable to pay their staff. Disruption to core business functions can cause reputational damage with potentially serious long-term consequences, even before considering any regulatory or contractual risks.

Without an IT budget on the scale of ’blue-chip’ companies, SMEs must carefully consider the best way to deploy their resources to effectively mitigate the risks of cybercrime.

We have drawn on our experience dealing with over a thousand cyber incidents in recent years to identify three key risks that SMEs should be alert to.

Compromised credentials

Cyber criminals can buy compromised credentials on the dark web for just a few pounds and leverage these to facilitate cyber attacks costing businesses millions. IBM has calculated that the average cost of a data breach in the UK is US$5.05 million – in the US the average data breach costs an astonishing US$9.44 million.

Good password policies and hygiene can mitigate this risk, such as by preventing people from using commonly compromised passwords.

Phishing

The strongest and most resilient cyber defences are only as strong as their weakest link. Cyber criminals can access systems far more easily if you or your employees give them the password. Phishing attacks have become incredibly sophisticated and can be extremely convincing.

One of the most effective ways to counter the risk of phishing attacks is through training people to identify risks and enabling them to protect themselves and the organisation. SMEs should ensure that their training programme grows with their organisation to avoid any gaps in training which regulators may pick up on in the event of an incident.

Misconfiguration

If you’ve invested in an impressive IT security suite, it still needs to be set up correctly to protect your organisation. Simple misconfigurations can result in open back doors into your systems. Additionally, in the growth environment that many SMEs occupy, there may be short term gaps in controls as new systems are brought online and old systems phased out.

Organisations can mitigate this risk by stress testing their systems through “penetration testing”, which identifies vulnerabilities in your systems so they can be fixed before a cyber criminal exploits them. The ICO’s recent Interserve decision shows that penetration testing is now a regulatory expectation for most organisations.

Author: Joshua Curzon, trainee solicitor, UK cyber and data risk team

The clock is ‘Tiking’ on children’s personal information

£12.7 million ICO fine levied

The Information Commissioner’s Office (ICO) has fined TikTok Information Technologies UK Limited and TikTok Inc £12.7 million for breaching a number of principles of the UK GDPR.

The Notice of Intent issued by the ICO in 2022 suggested that TikTok was in line to receive a fine of £27 million. Whilst the ultimate fine has more than halved, it is a clear shot across the bows of any organisation processing the personal data of children.

In summary, TikTok was found to have breached the following elements of UK GDPR:

• Article 5(1) a - Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner.
• Article 8 - Using the personal data of and providing services to those under the age of 13 years old without taking reasonable steps to ensure parental consent.
• Article 12 - Failing to provide information in an easy to understand to way to users about how their data is collected, used, and shared. It The ICO concluded that many users, especially children were unlikely to have been able to make informed choices.
• Article 13 – Failing to provide information to users, including failing to provide the contact details of the Data Protection Officer. 

These breaches largely concerned failures to deploy adequate checks on identifying underage users signing up to the service or providing clear information on how (and what) data was gathered and stored. This highlights that legacy safeguards and terms of service are not sufficient to ensure compliance with data protection legislation as an organisation’s consumer base develops and grows.

The ICO Children’s Code

The TikTok fine sits neatly within a developing landscape of regulators paying significant attention to the protection of data relating to children. The ICO introduced the Children’s Code, a data protection code of practice for online services (such as apps, streaming services, search engines, online marketplaces, and social media sites) likely to be accessed by children. Alongside requirements to thoroughly understand the data collected from children, tighter geolocation restrictions and increased privacy requirements, the code notes that services must create tools to help children understand and exercise their rights.

The first substantive test of the code has recently been launched by campaigner Duncan McCann, who has lodged a complaint with the ICO, accusing YouTube of collecting the viewing data of those under 13 years old. 

Organisations processing children’s data should be aware of the ICO’s Children’s Code and the requirements imposed by it, as well as the penalties which the ICO may levy in defence of children’s rights.

Author: Edward Le Gassick, trainee solicitor, UK cyber and data risk team

Cyber security and intellectual property

The hidden cost of a cyber attack…

Businesses are facing an increasing number of challenges as they attempt to size up their operations on a global scale utilising the digitisation of their assets.

One of the key drivers behind this push is greater importance being placed on “intangible assets”. These “intangible assets”, or more commonly known as Intellectual Property (IP), are the lifeblood of many organisations. The types of IP your business may own can include assets such as trade secrets, trade marks, designs, plans, proprietary knowledge — to name just a few.

IP is the driver for innovation, growth and brand distinction across the market. And yet, despite being vital to a business’s survival, IP is often the last in line for consideration in the wake of a cyber attack, if at all.

Why is IP theft an issue?

Our experience indicates that cyber theft can go on for an extended period of time undetected, and businesses may not even realise their IP is being stolen. Whilst the typical motive for cyber criminals when deploying ransomware is to extort a ransom, many of these attackers are commercially minded, and if their research is done correctly, they will be aware that valuable information such as IP makes it possible to monetise a ransomware attack without even needing to demand payment.

Competitive advantage can be diluted or disappear altogether if significant IP is stolen and sold on the black market. We recently advised on a matter where it was possible that a client’s new design drawings had been stolen as a result of a ransomware attack.

Retailers may be surprised to find their branded products sold across various e-commerce marketplaces where sellers are known for offering counterfeit goods. Whilst there are procedures in place to help protect your rights (e.g. filing takedowns and infringement complaints) once the IP is gone, it can cost a lot to get it back (if this is possible) and keep it out of the public domain.

What can I do to protect my IP?

There are other steps you can take to ensure greater protection of your IP:

1. Identify what IP needs protecting. This will help you understand how best to protect your IP and keep its access contained/ limited to those who need it.
2. Use strong access controls to limit exposure to threats. Multi-Factor Authentication (MFA) is widely recognised as a powerful and cost-efficient way for any business to mitigate the risk of unauthorised access to sensitive data. See more on MFA in our article here.
3. Train employees. According to Verizon’s 2022 Data Breaches Investigations Report, 82% of data breaches involved a human element. Educating employees on what IP is and why it matters will help them safeguard your business’s commercially valuable information.

Author: Jacqueline Baker, legal assistant, UK cyber and data risk team

The ‘zero trust’ approach to cyber security - a growing priority in Europe

Forrester’s recently released trends report has identified that over 66% of European security decision makers were developing a zero trust strategy in 2022. This is a substantial change from 2020, when just 25% of the group identified zero trust as a major priority.

What is zero trust?

The UK’s National Cyber Security Centre (NCSC) defines zero trust as “an approach to system design where inherent trust in the network is removed”. In a zero trust environment, there is a presumption that the network is compromised and every access request is verified in line with an access policy.

In a zero trust environment, organisations dynamically assess the trustworthiness of an access request using context, such as strong authentication, device security, and the value of the data to which the user is requesting access.

What are the advantages of zero trust?

A zero trust environment mitigates the risk of lateral movement by cyber criminals by limiting user access to siloed pools of data. Simply put, if a threat actor gains access to a zero trust network, the aim is to limit their internal access to a small portion of it, and hopefully one without any sensitive data.

We commonly see cyber incidents where a threat actor gains access to a system, perhaps using compromised credentials purchased on the dark web, and uses those credentials to move throughout the victim’s whole network. Multi-Factor Authentication (MFA) does not wholly eliminate the risk of such attacks, as threat actors are increasingly identifying ways to bypass MFA. Zero trust environments can provide an extra layer of protection even if a threat actor successfully compromises a network.

Why is this important for organisations?

The UK GDPR requires organisations to maintain appropriate organisational and technical security measures to protect personal data.

The ICO’s recent enforcement notices (see Kennedys’ analysis of the Interserve decision here) make it clear that the ICO expects these measures to be proportionate to an organisation’s size, resources, and the sensitivity of its personal data, and to have regard for the state of the art and industry best practice.

As zero trust strategies become increasingly common, and in the face of an ever-evolving threat environment, organisations should be mindful that whether measures are appropriate is not a static question.

Author: Joshua Curzon, trainee solicitor, UK cyber and data risk team

Business Email Compromise 2.0

Business Email Compromises (BECs) are among the most common types of cyber attack in the UK. In recent months, we have seen an evolution in the strategies deployed by cyber criminals following unauthorised access to business email accounts.

BEC ‘1.0’

Until recently, cyber criminals would look for immediate ways to monetise their unauthorised access to a mailbox, often by attempting to facilitate the diversion of a payment. Once opportunities for monetary gain are exhausted, the threat actor would typically attempt to jump quickly to another mailbox through an onward phishing attack before being detected. This might be considered a digital form of “smash and grab”.

This approach often results has a relatively short window of compromise, and the cyber criminals’ primary objective is purely financial. Personal data is typically only impacted while the cyber criminals are actively interacting with emails using their remote access.

BEC ‘2.0’

In recent months, we have seen evidence of a change in strategy by some cyber criminals. Instead of the traditional 'smash and grab' approach, cyber criminals are deliberately downloading the content of the mailbox as ammunition for further attacks.

The cyber criminal exploits this data by setting up a 'spoofed' email address very similar to that of the authentic mailbox user. They can then impersonate the authentic user and use the stolen emails as bait to draw engagement and enhance credibility with victims. This significantly extends the window of compromise and increases the regulatory exposure for businesses. Because the cyber criminal has an offline copy of the personal data, containment efforts concerning the original mailbox will be largely ineffective in preventing further criminal exploitation of the data. The victim organisation will also have no visibility on who is being contacted.

What does impersonation look like?

If you were expecting an email from a trusted source, would you spot these subtle domain alterations? What about at the end of a busy week?

Legitimate	Suspicious
Jordan@shopping.com	Jordan@shoƥping.com
Joe@apple.com	Joe@αpple.com
Alex@government.com	Alex@government.co.uk
Sophia@charlesllp.com	Sophia@charlesIIp.com

Risk mitigation

This new form of BEC poses a longer term threat from a data protection perspective. Cyber criminals can continue to leverage stolen personal data for weeks or even months after the point at which a traditional BEC might have been resolved. Organisations must ensure they respond robustly, with expert legal and IT advice, to mitigate potential regulatory and data protection risks.

Click here to read a longer version of this article.

Authors: Edward Le Gassick, trainee solicitor, and Michael Parrack, associate, UK Cyber and Data Risk Team

MFA bypass: the man in the middle

In late 2022, a new Phishing-as-a-Service tool called ‘EvilProxy’ emerged, which can be used to bypass multi-factor authentication (MFA). This tool works by luring victims to a phishing page where threat actors will use a reverse proxy to steal authentication tokens to bypass MFA.

In addition to the growing trend of MFA bypass by sophisticated cyber criminals (find out more here), this indicates a growing trend towards DIY hacking. EvilProxy makes this capability widely available to anyone using the cybercrime marketplace, not just the professionals. EvilProxy is easier to deploy than traditional MFA bypass techniques, and because it is a service, there are ‘how-to’ videos and user-friendly graphical interfaces.

Is MFA redundant?

In short, no. MFA continues to be an effective incident prevention tool, and as we have indicated in previous articles, some cyber insurers will not offer insurance policies to businesses without MFA in place. However, cyber criminals are continuously developing methods to bypass MFA and other IT security measures as part of a global cyber arms race with organisations and businesses.

What can organisations do about this?

The most important thing organisations can do is to remain vigilant and proactively improve their IT security posture in response to emergent threats. Best practice includes implementing upgrades and patches as soon as they become available and having a diverse suite of security measures. Whilst MFA remains a matter of best practice, EvilProxy shows us that MFA can no longer be solely relied upon to hold the fort against cyber threats.

If you have been impacted by any of these issues or wish to know more, please do not hesitate to contact us.

Author: Joshua Curzon, trainee solicitor, UK cyber and data risk team

The Data Protection and Digital Information (No.2) Bill is progressing through UK Parliament

Background

The Data Protection and Digital Information (No.2) Bill was re-introduced to UK Parliament in March 2023 after a period of stagnation arising from changes in the Conservative leadership.

The Bill, once passed, will amend the existing UK data protection regime comprising of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The UK Government’s publicised aim is to create a new pro-growth and pro-innovation data protection framework that reduces perceived burdens associated with data protection on organisations, boosting the economy.

In terms of the Bill’s progress to becoming law, this will not be completed in the current parliamentary term, meaning it will be carried off to the next parliamentary session. This follows a period of consideration of evidence from experts and stakeholders, to which Kennedys were pleased to contribute.

Key points included:

• The potential for some of the proposed provisions, such as the proposal to replace Data Protection Officers with Senior Responsible Individuals, to be viewed as superfluous and to generate unnecessary financial costs given that global companies that operate in the UK and EU will still be required to comply with the EU GDPR.
• Any departure from the present UK GDPR running an appreciable risk to the UK’s data adequacy status with the EU GDPR. A number of MPs have recently warned of the “astronomical cost” to British businesses should data adequacy be lost. We have asked the Government to pay particular attention to the provisions around the reforms to the ICO, data subjects’ information rights, international data transfers and the scope of ‘legitimate interests’ as defined within the Bill, proposed changes which may raise the eyebrows of EU officials.

Next steps

The Bill has completed the Committee Stage, and will proceed onto the Report Stage (a consideration by the whole House of those further amendments examined during the Committee Stage).

The Bill is expected to take a considerable amount of time to progress through Parliament, and any final Bill receiving Royal Assent is likely to have been subject to significant amendment. In the event that an general election is called before the latest possible date of January 2025 and that the current government does not win, the Bill may be significantly amended, or potentially scrapped altogether.

Kennedys have previously provided comment on the progress, content and potential implications of this Bill here and here.

Author: Paula Margolis, corporate affairs lawyer

Related item: International cyber and data privacy insights - February 2023