Welcome to Matheson's latest Data Protection, Technology & Cyber Bulletin which features recent cybercrime trends to watch out for, tips in relation to cyber-attacks and social engineering attacks and an update on data protection breach fines and penalties. In this issue, Matheson's dedicated team of experts also outline the risk management and reporting requirements for security incidents under the NIS Directive which is due to be revised.
They also focus on the implications of recent significant judgements around what constitutes special category data under the GDPR and consider recent trends in the area of data subjects' right to compensation for distress arising from a privacy breach. Outlined below is a summary of the key insights included in this bulletin.
Cyber Attacks: Trends to Watch For
Very recently, double and even triple extortion are the crimes of choice. Double extortion is where cyber criminals exfiltrate a victim's data in addition to encrypting it. Triple extortion goes a step further and involves criminals approaching a victim's customers or suppliers and demanding a ransom by issuing data leak threats.
Cyber-crime is experiencing a golden era and it's not just remote working or digital transformation that is to blame. Cyber-criminals can inflict large scale damage on companies without ever setting foot in them. Cyber-crime is a business and the safe haven problem for criminals is a key challenge.
Understanding who your key stakeholders are, knowing what data your business holds and where it is stored, ensuring key roles and responsibilities are mapped out and liaising with external advisors are key to achieving robust cyber resilience.
Spike in Social Engineering Cyber-Attacks
We are receiving a noticeable increase in requests for advice on the legal implications of social engineering attacks. This type of cyber-crime arises where criminals extract information from users in order to compromise vulnerable access points to networks. Social engineering commonly occurs through text messages and email, so the human error risk factor is exceptionally high.
Typically we see criminals target usernames, passwords and even multi-factor authentication to gain unlawful access to systems. Cyber criminals also leverage online harvesting resources to build a picture of vulnerabilities. Medium to smaller companies appear to be particularly vulnerable due to the interconnectedness of third-party suppliers.
Data Breach Fines and Penalties Update
A clear trend which has started to emerge is the increased willingness of data protection regulators to impose fines for the unlawful surveillance by employers of their employees. These fines heighten the importance of HR Departments considering data protection laws prior to implementing any form of employee monitoring, whether that be CCTV within the workplace; email monitoring; biometric verification for keeping track of attendance, or productivity monitoring software.
CJEU Expands Scope of "Special Category Data"
The Court of Justice of the European Union ("CJEU") has adopted a broad interpretation of what constitutes special category data under the GDPR. The CJEU ruled that the processing of any personal data that are "liable indirectly to reveal sensitive information concerning a natural person", (i.e. any information that may reveal a person's racial or ethnic origin, religious or philosophical beliefs, political views, trade union membership, health status or sexual orientation) constitutes "special category data" under the GDPR. This can only be processed where the controller has a lawful basis under Articles 6 and 9 of the GDPR.
Whilst the practical implications of this judgment are potentially significant, we await further clarity from the Data Protection Commission and/or the EDPB on the precise parameters of the judgment.
Is Mere Worry Enough? “Non-Material Loss” claims for breach of data rights under the GDPR
After the introduction of GDPR, individuals (or groups of individuals) would be allowed by law to claim damages for “non-material loss” arising from breaches of their data rights. The term “non-material loss” essentially means non-economic loss, i.e. pain and suffering, inconvenience and anxiety which might arise from a data rights breach, as opposed to any kind of financial damage.
Now, more than four years later, we are awaiting judgments in a number of cases which have been referred to the CJEU by Member State courts, which have the potential to significantly curtail the operation of the new regime for non-material loss claims before it has ever really taken off in Ireland. Two recent and much-publicised English decisions have already restricted the scope for claims of this kind in the UK to those where there is more than a de minimis level of pain and suffering. An opinion of the Advocate General, delivered on 6 October 2022 in one of the cases awaiting judgment before the CJEU, suggests that the CJEU may follow suit.
Legal certainty ahead for EU-US data transfers?
On Friday 7 October 2022, President Biden issued an Executive Order on "Enhancing Safeguards for United States Signals Intelligence Activities". The new Executive Order aims to address the legal uncertainty surrounding EU-US data transfers following the invalidation of the EU-US Privacy Shield by the CJEU in Schrems II.
The Executive Order introduces new binding safeguards aimed at addressing the CJEU's findings in Schrems II, in particular by: (i) limiting US intelligence authorities' access to data to what is necessary and proportionate to protect national security, and (ii) establishing a new independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to data by US intelligence authorities. The Executive Order requires US intelligence agencies to review their policies and procedures to implement these new safeguards.
For further information please contact any member of Matheson's Data Protection, Technology & Cyber team or your usual Matheson contact.