Welcome to HSF’s July wrap up which features our top picks for cyber-related news in the UK, EMEA and US.
In a world overflowing with individual incidents and long-form analysis, our short articles are aimed at cutting through the noise, pointing you to key developments, providing you with learning points at a glance and signposting you to longer form content. If you would like to find out more, do reach out to one of our international team.
US Supreme Court – June 28 2024
The US Supreme Court (SCOTUS) has recently issued a decision that significantly changes the longstanding position on legislative interpretation, which could have wide ramifications in enforcement and litigation involving the interpretation of cybersecurity regulations (as well as others). Before the recent decision in Loper Bright Enterprises v. Raimondo, lower courts had to defer to expert regulatory agencies in cases requiring interpretation of congressional intent under the so-called Chevron doctrine. Now, courts may no longer defer to an agency's interpretation when judging whether the agency has acted within its statutory authority, which may make regulatory enforcement less clear and more contentious. In an era where new cybersecurity regulations are rapidly evolving and often require enforcement in order to bring about industry-wide behaviour change, having to rely on reactive and slow court-driven processes may hamper the drive towards cybersecurity improvements.
Courts' growing impatience with exaggerated data breach claims - Farley v Equiniti
Judiciary.uk – 11 July 2024
The High Court has again indicated that there needs to be a misuse of the data which overcomes a threshold of seriousness in order for a claim to be pursued and that individuals are not afforded a 'right to compensation without proof of material damage or distress'.
In a claim brought against a police pensions administrator, which had erroneously posted pension details to former addresses of pension holders, the High Court confirmed that whilst a data controller or processor can commit a regulatory infringement by putting data "at risk", this did not amount to a misuse of private information (often pleaded in order for ATE premiums to be recoverable), nor did it provide a sufficient basis for a claim for breach of data protection legislation.
Claimant firms have found it increasingly difficult in recent years to bring "exaggerated" claims. Nevertheless, this does not remove the need for organisations to prepare well by having in place "appropriate" technical and organisational measures (including incident-response policies and drilling these using simulation workshops).
Preventing accidentally disclosed information being published - Jones Nickolds Limited v Ian Pearce
Legal Futures – 15 July 2024
In a reminder that swift action, and adducing evidence of true intent following a personal data breach, can be crucial, the High Court has extended an interim non-disclosure injunction despite the respondent seeking to raise a public interest argument in favour of being allowed to disclose the information that was sent to him erroneously. A law firm representing the defendant's wife in acrimonious divorce proceedings accidentally sent the defendant information relating to "AA", a different client of the firm. The defendant sought to rely on a potential link between AA and the "Panama Papers scandal". Whilst observing that this was a matter of fact for the main trial, the judge noted that the defendant's reporting of the firm to the Solicitors Regulation Authority in respect of the divorce proceedings (with no action being taken by the SRA) appeared to indicate that his true motivation was to embarrass or cause difficulties for the law firm and, in particular, for the solicitors at the firm representing his ex-wife, rather than to act solely in the public interest (an argument which was likely to be defeated at trial).
UK Cyber Bill teases mandatory ransomware reporting
Computer Weekly – 17 July 2024
Following the King's Speech, the UK's new government has pledged to bring forward a Cyber Security and Resilience Bill. The new legislation will be focused on strengthening the UK's cyber defences and ensuring the continuity and protection of digital services, with compulsory ransomware reporting as a key feature. This responds to the rapid increase in ransomware in recent years and to existing cyber laws, which the government has said reflect law inherited from the European Union, needing an urgent update to keep pace. Read more in our blog post here.
Nasa’s science mission spacecraft are at risk from hackers, but a new law could help protect them
The Conversation – 23 July 2024
In response to the increasing threat of cyber-attacks on Nasa missions, and to a recent Government Accountability Office (GAO) report that exposed alarming vulnerabilities in Nasa's current cybersecurity practices, US Congressmen Maxwell Frost and Don Beyer have proposed the Spacecraft Cybersecurity Act. The legislation, if passed, would mandate the US space agency Nasa to overhaul the way it procures and builds its spacecraft.
SEC's lawsuit against SolarWinds thrown out
The Register – 18 July 2024
SolarWinds has come out on top following Judge Engelmayer's rejection of the SEC's claims that the company downplayed the scope and severity of the 2019-2020 "Sunburst" malware attack. The Judge's opinion stated that the claims did 'not plausibly plead actionable deficiencies in the company's reporting of the cybersecurity hack' and impermissibly relied on 'hindsight and speculation'.
European Commission's new proposals on cyber measures under NIS2 open for comment
Europa.eu – 25 July 2024
Following the European Commission's new proposals on cybersecurity measures under the second Network and Information Security (NIS2) Directive, businesses in the digital industry had until 25 July 2024 to comment on the draft implementing act. The NIS2 Directive strengthens cybersecurity risk-management measures and streamlines incident-reporting obligations for a large number of operators across the EU; the draft act is meant to facilitate this and to specify the cases in which an incident must be considered significant. The Commission will now consider these comments before adopting a position in the third quarter of 2024; the comments (overwhelmingly from individual businesses and business associations) are accessible here.
CISA director: US is 'not afraid' to shout about Big Tech's security failings
The Register – 1 July 2024
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), has said the US Cyber Safety Review Board (CSRB) "is not afraid to say when something is amiss". This was in response to questions about the future of private sector collaboration following the board's scathing report on Microsoft. The 34-page report set out various security failings at Microsoft that allowed the attack on it in March to occur, including an inadequate security culture and a failure to publicly 'fess up to the core issue at the heart of the exfiltration for months'.
NCA’s Operation Morpheus targets illicit Cobalt Strike use
ComputerWeekly.com – 3 July 2024
In a series of enforcement actions titled 'Operation Morpheus', the UK's National Crime Agency (NCA), together with the FBI and agencies from the EU, Canada and Australia, has taken action against users of the Cobalt Strike penetration testing tool who were exploiting it to enable cyber-criminal activity. Over the years, Cobalt Strike has become the go-to tool for cyber criminals seeking to build a cyber-attack.
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.