The Interplay of Data Protection and Cybersecurity Issues related to Covid-19 in the UK, by Audrey Guinchard

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at blogdroiteuropeen@gmail.com

Defining Cybersecurity

Cybersecurity is defined in computer science as the ability to maintain three key elements often abbreviated as CIA: C – for confidentiality (no unauthorised access), I – for integrity (no unauthorised deletion or addition of data) and A – for availability (data and networks always accessible). Formulated by the US military in the seventies, the CIA triad was quickly adopted beyond the US borders. In law, it found its way first in the Council of Europe Convention on cybercrime n.185 as a heading to its cybercrime offences; then in the GDPR, the Network and Information Systems Directive 2016/1148/EU (NIS Directive) and the UK Network and Information Systems Regulations 2018 (NIS Regulations) implementing the Directive.

Legislative background

Cybersecurity is a complex field, with no comprehensive single legislation applicable. In the UK, the dominant legislations are the data protection laws – the EU GDPR and UK Data Protection Act 2018-, and the UK NIS Regulations 2018. Both legal frameworks establish a duty to ensure security and an obligation to notify the competent authority of security breaches within a short timeframe. Their scopes are however different in that the NIS Regulations 2018 are applicable independently of personal data being processed and only to those operating essential services. The health sector being an operator of essential services (OES), its security obligations fall under both legal frameworks. For the NHS, these came in force at a time where lessons from the 2017 Wannacry ransomware attack were still being learned. The attack affected at least 80 of the 236 trusts across England, due to the NHS’s poor security practices (no update of operating systems), and led to a multiagency response, having involved the Department of Health, NHS England, NHS Digital, NHS Improvement, the National Cyber Security Centre, the National Crime Agency and a number of other agencies (National Audit Office’s 2018 report).

Depending on the circumstances, other UK legislations are equally relevant and will define liability for cybersecurity breaches: the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 implementing the EC Directive of the same name, the UK Computer Misuse Act 1990 (which revisions aim to implement the Directive 2013/40/EU on attacks against information systems and the Convention on cybercrime n.185), the UK Fraud Act 2006, the Companies Act 2006 (section 174 director’s due diligence duty), and the common law tort of misuse of private information.

GDPR provisions on cybersecurity

Article 5(1)(f) GDPR imposes a duty to ensure the security of the processing and related data and Article 25 GDPR requires security by design and by default. Breach of these requirements can bring civil liability under Article 82 GDPR, a rare example being the current appeal before the UK Supreme Court by the big UK food retailer Morrisons against such liability under the previous UK Data Protection Act 1998 (DPA 1998) which implemented the Directive 1995/46/EC. Monetary fines under Article 83 GDPR represents a significant change for the UK: the maximum fine is now up to 4% of the total worldwide annual turnover of the preceding financial year, compared to £500,000 under the UK DPA 1998 as amended in 2008. Although the ICO has been criticised for poor enforcement of the GDPR, it has been particularly active when it comes to cybersecurity breaches,, imposing a number of important fines to big companies, small SMEs and charities alike. How the pandemic will impact this strategy is difficult to know since the ICO indicated organisations are still required to report data breaches within 72 hours, while it explained it will adapt its response according to the impact the pandemic has on organisations.

Cybersecurity in practice

Achieving 100% cybersecurity is anyway an impossibility: ‘software security is essentially relative’ and multiple factors are at play. How these factors interact is best summarised by considering them as drivers of one of two contradictory forces. On the one hand, some will be directed at improving standards and creating a resilient environment, for example: the UK 2016-2021 National Cybersecurity Strategy; the creation in 2016 of the National Cyber Security Centre (NCSC); the UK Cyber essentials scheme to boost organisations’ security practices; and the enforcement of security obligations under the GDPR by the ICO as seen above.

On the other hand, some factors are best seen as unwitting drivers of poor security: the well-known ‘penetrate first, patch later’ motto of a significant part of the software industry, best translated as ‘insecurity by design’, in direct violation of Article 25 GDPR; poor security habits of users, with weak passwords and use of out-of-date software and operating systems (the above Wannacry attack against the NHS is an excellent example); and the fact that humans can fall foul of scams and phishing attacks which, if successful, will bypass even the best cybersecurity measures put in place.

Cybersecurity under Covid-19

What the Covid-19 pandemic has so far revealed is that the last three factors seem to be the driving force behind the attacks suffered in the UK and outside the UK. Security expects already noted the trend of rising scams in mid-March 2020, around the same time that hackers allegedly promised not to use ransomware against the healthcare sector. By 5 May 2020, jointly with the US, the NCSC confirmed the rise of scams targeting workers at the NHS, the universities involved in the Coronavirus response (mainly Oxford University developing a vaccine), and the pharmaceutical companies. The origins of the attacks have not been specified. The NCSC also denounced scams targeting the general public. While reflecting the pandemic context, the modus operandi is hardly new, criminals impersonating a number of organisations (real or false) to defraud customers. The more sophisticated attacks the NCSC denounced exploit vulnerabilities, i.e. security gaps existing in software, with the particular targeting of virtual private networks (VPNs) which are often required by employers for their employees to access their online workplace environment. To combat the threat, the NCSC launched its ‘cyber aware’ campaign on 21 April 2020, thus confirming the agency leading role in addressing cybersecurity threats in the UK. A number of sectorial agencies, such as the Law Society for solicitors, the Charities Commission, and the Chartered Trading Standards Institute, have also issued warnings. So far, the scale of the losses induced by fraud has been evaluated at more than £5 millions on 5 June 2020. In that sense, the pandemic confirms that humans remain the weakest link in cybersecurity.

Audrey Guinchard Senior Lecturer in Law (University of Essex, United Kingdom). Her current research is at the intersection of cybercrime, data protection and cybersecurity. She explores how new technologies affect criminal law, especially the classic concepts of time, space, the structure of the offence and criminal liability. She has been actively involved in the project of Reforming the Computer Misuse Act 1990 as promoted and coordinated by the Criminal Law Reform Network (CRLNN), following her 2018 article proposing a public interest defence to the cybercrime legislation. She also works on data protection issues, her latest paper (in collaboration with Dr Subhajit Basu) having focused on DeepMind, now absorbed by Google Health UK.