Data Security Roundup

Commercial Technology and Data Lawyer and Arbor co-founder Ed Rea summarises recent developments, trends and hot topics relating to Data Security in the following Tech law roundup.

DCMS publishes annual Cyber Security Breaches Survey for 2021

The UK’s Department for Digital, Culture, Media & Sport (DCMS) recently published its annual Cyber Security Breaches Survey for 2021. The DCMS report suggests that, as a result of the coronavirus pandemic, the cyber risk to organisations has increased significantly, with 40% of businesses reporting that they experienced cybersecurity breaches or attacks in the last 12 months. The report also suggests that fewer organisations are taking the recommended cybersecurity measures, and calls for greater action by businesses and charities in this area. Some key takeaway points include recommendations for organisations to:

  • Carry out regular cyber security risk audits and assessments
  • Consider testing staff in relation to cyber security risk, such as through mock phishing exercises
  • Review cyber security risks posed by suppliers
  • Obtain cyber security insurance.

Organisations should also review and update their cyber security policies that cover home working, the use of personal devices for work and the use of smart (i.e. network-connected) devices in workplaces, the latter of which highlights a potential new area of cyber risk for organisations to address.

A full copy of the survey can be found at: Cyber Security Breaches Survey 2021 – GOV.UK (www.gov.uk)

The UK Government has recently published the Telecoms (Security) Bill as an amendment to the current Communications Act (2003).

This Bill comes in response to a rapid escalation in the cyber threat landscape, with relentless and sophisticated attacks targeting the country’s critical national infrastructure, and to concerns around the deployment of Huawei equipment across critical national telecommunications infrastructure. The legislation is aimed at compelling telecommunications providers to better manage security risks within their supply chain and to enhance the security and resilience of national infrastructure. The new regulations will require all telecommunications providers to demonstrate to Ofcom that they have maximised the cyber protection and resilience of their networks and optimised their security procedures. This will ultimately require telecommunications providers to:

  • Understand and manage supply chain risk – Telecommunications providers delivering services to UK subscribers will now need to identify, document, report and respond to the threats posed by high-risk vendors to ensure the security of all software and hardware deployed in their estate across the entire system development life cycle (SDLC).
  • Develop and sustain service resilience – Telecommunications providers will also need to ensure that critical aspects of their service are not reliant on international connectivity as part of their business continuity plan. To address this issue, telecommunications providers need to understand their current architectural deployment and which components need to be re-deployed in order to support these business continuity requirements.

Telecommunications providers who are audited by Ofcom may be issued with enforcement penalties of up to 10% of a provider’s turnover or £100,000 per day for non-compliance. Telecoms vendors are also affected by the Bill, as telecommunications providers are likely to flow down responsibilities as part of the service they are procuring. As both Houses of Parliament have agreed on the text of the Bill, it now awaits the final stage of Royal Assent before becoming an Act of Parliament (law).

Ed Rea is a Commercial Technology and Data lawyer and co-founder of Arbor Law. Ed can be contacted at ed.rea@arbor.law