Cyber Monthly Wrap-up (UK, EMEA and the US) – November 2024

Welcome to HSF’s November wrap up which features our top picks for cyber-related news in the UK, EMEA and US.  

In a world overflowing with individual incidents and long-form analysis, our short articles are aimed at cutting through the noise, pointing you to key developments, providing you with learning points at a glance and signposting you to longer form content. If you would like to find out more, do reach out to one of our international team.  

Facebook Users Affected by Data Breach Eligible for Compensation, German Court Says  

Reuters – 18 November 2024  

Germany's Federal Court of Justice (BGH) has ruled that Facebook users whose data was unlawfully accessed in 2018 and 2019 are entitled to compensation. The court determined that the mere loss of control over personal data online warrants damages, even without specific financial losses. The claims, which relate to a information that was "scraped" by malicious actors through a vulnerability in Facebook’s tools in 2019 and affected 533 million Facebook users from around the world, were previously dismissed by a lower court in Cologne. In one case, a plaintiff sought €1,000 in damages; however, the BGH suggested that approximately €100 would be appropriate without proof of financial loss. Such levels of compensation may not be particularly attractive to litigation funders in future; who often are the driving force behind group claims. Meta has contested the ruling, citing conflicts with recent European Court of Justice decisions. However, this judgment underscores a growing trend of holding tech giants accountable for data protection lapses, marking a shift toward stronger user rights in the digital age.  

EU Cyber Resilience Act Published  

EUR-Lex – 20 November 2024  

The EU’s Cyber Resilience Act (CRA) was published in the Official Journal of the European Union on 20 November 2024 and mandates uniform robust cybersecurity standards across the EU for "products with digital elements". The requirements apply from the very beginning (the design stage), with a broad application encompassing software, hardware, and IoT devices. It imposes lifecycle-wide obligations on manufacturers, importers, and distributors to address vulnerabilities against unauthorized access and breaches from the design stage onwards.  

All products with digital elements must meet the cybersecurity requirements outlined in Annex I Part 1, assessed on a product-by-product basis; manufacturers must comply with vulnerability handling requirements specified in Annex I Part 2. Importantly, the act enforces penalties for non-compliance, with fines up to €15 million or 2.5% of global annual turnover from the preceding year, whichever is higher.  

Stakeholders must act promptly to align processes with CRA requirements, given the limited transition timelines which are as follows: On 10 December 2024, the CRA will enter into force and by 11 September 2026, manufacturers must be in a position to fulfil their reporting obligations. By 11 December 2027, the CRA will become fully applicable to all entities within scope.  

A Fifth of UK Enterprises “Not Sure” If NIS2 Applies  

Infosecurity Magazine – 21 November 2024  

The NIS2 Directive became effective from 17 October 2024 and aims to enhance cybersecurity across key sectors, imposing stringent cybersecurity and incident reporting requirements. Despite the UK’s departure from the EU, the extra-territorial applicability of the requirements of NIS 2 appear to be a source of confusion according to a recent study by cybersecurity consultancy Green Raven which found that 22% of senior cybersecurity leaders in UK organizations with over 1000 employees are uncertain whether the NIS 2 applies to their businesses. Additionally, 10% of respondents aware of its applicability admitted non-compliance as of the implementation deadline. This is a concerning finding given the significant fines that can be levied under NIS 2 (up to €10 million or 2% of global annual revenue).  

ENISA Publishes Draft Implementation Guidance on NIS 2 Implementing Regulation   

ENISA – 7 November 2024  

The European Union Agency for Cybersecurity (ENISA) has released a draft guidance to assist certain entities in complying with the cybersecurity measures outlined in the NIS 2 Directive and Commission Implementing Regulation (EU) 2024/2690 (the “Implementing Regulation”). The Implementing Regulation sets down requirements that are more prescriptive than NIS 2 in respect of DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers. This guidance offers practical advice, tips, examples of evidence, and tables to assist in-scope entities with assessing and implementing such requirements. 

Currently open for public consultation, ENISA’s draft invites feedback to ensure it aligns with industry needs and remains practical for organizations facing compliance challenges. Feedback can be submitted online here by 9 December 2024.  

Open Rights Group Publicly Urges ICO to Revise Public Sector Enforcement Approach  

ORG – 14 November 2024  

The Open Rights Group (ORG), a UK-based organisation that aims to preserve digital rights, has called on the UK Information Commissioner's Office (ICO) to reconsider its lenient enforcement strategy towards public sector data protection violations in its latest Alternative ICO Annual Report.  

In June 2022, the ICO announced a two-year trial to reduce fines for public sector data breaches, opting instead for reprimands and enforcement notices, due to concerns that fines on public bodies often penalize service users by diverting funds from essential services.  

ORG argues that the lack of penalties in the public sector undermines accountability and fails to incentivize proper data protection measures by allowing poor practices to persist with minimal consequences which stands in contrast to the ICO's treatment of private sector entities, which face more regular enforcement action.  

Blue Yonder Ransomware Attack Breaks Systems At UK Retailers  

Computer Weekly – 26 November 2024  

A ransomware attack on Blue Yonder, a supply chain software provider based in the US, continues to cause knock-on impacts to the systems of major UK retailers. The incident underscores the continued vulnerability of interconnected supply chains, where a single supplier's compromise can impact multiple organisations within the same industry. The ripple effects emphasised the need to prioritise third-party management within risk frameworks—an issue that has been talked about in the wake of other supply chain attacks over a number of years. Organisations cannot predict every third-party failure, but fostering a culture of preparedness through simulations and drills that mimic third-party incidents can build staff readiness and reduce operational downtime during actual events. Given the complexity of SaaS networks in particular, proactive coordination and robust IR planning are essential to ensure business continuity and mitigate disruptions.  

New EU Commission to Unveil Healthcare Cybersecurity Plan in First 100 Days  

Infosecurity Magazine – 27 November 2024  

The newly-approved European Commission is set to introduce an action plan to bolster cybersecurity in hospitals and healthcare providers within the first 100 days of its new term, commencing 1 December 2024 with the aim of enhancing the healthcare sector's resilience against cyber-attacks, addressing the increasing targeting of hospitals and the sector's diverse nature. ENISA reported that the healthcare sector experiences the highest costs from data breaches, averaging €8.4 million per incident, compared to €4.4m across all sectors. The forthcoming action plan is expected to provide best practices and measures for stakeholders, including government agencies, hospitals, healthcare providers, and patients, to strengthen cybersecurity defences. During her first term, EU Commission President, Ursula von der Leyen, focused on establishing NIS2, CRA, DORA and the AI Act, the new Commission’s efforts are threfore slated to be focussed on the implementation of such existing regulations.