Cyber_Bytes Issue 70
Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
RPC Cyber App: Breach Counsel at Your Fingertips
As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPC Cyber App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.
RPC Cyber can be downloaded for free from the Apple Store or Google Play Store.
NCSC publishes its Annual Review
The NCSC has published its Annual Review, which looks back at key cyber developments and observations between September 2023 and August 2024. Some of the NCSC's key findings are:
- Many nation-state threat actors and cyber criminals are using AI to increase the volume and heighten the impact of cyber-attacks.
- More recently, a greater proportion of threat actors are choosing not to encrypt systems and simply to threaten publication of sensitive data.
- The NCSC Incident Management (IM) team received 1,957 reports of cyber-attacks in the relevant period (down from 2,005 reports the previous year). 317 of the 1,957 incidents were ransomware-related. 430 of the total incidents required support from the IM team (last year this was 371). 89 incidents were also described as nationally significant, with 12 of them being at the "top end of the scale".
- The sectors reporting the highest levels of ransomware activity were academia, manufacturing, IT, legal, charities and construction.
- The NCSC believes organisations from all sectors are widely underestimating the severity of cyber threats in the UK.
- Global ransomware payments in 2023 topped $1 billion.
- There is a widening gap between the increasingly complex threats and collective defensive capabilities in the UK.
- The NCSC is pioneering research in the secure development of AI technologies.
To mark the release of this Annual Review, NCSC CEO Dr Richard Horne gave a speech. He noted that the threat landscape is diversifying at speed and that talking about being resilient is not enough; rather, existing guidance must be put into practice across the board to bolster defences.
Click here to read the NCSC's Annual Review and click here to read Dr Richard Horne's full speech.
Court of Appeal dismisses mass misuse of private information representative claim
In Prismall v Google UK Ltd and DeepMind Technologies Ltd [2023] EWHC 1169, Mr Prismall (the Claimant) had brought a representative action against Google and its artificial intelligence company, DeepMind Technologies (together, the Respondents). The Claimant alleged that the Respondents misused data belonging to 1.6m NHS patients (the proposed class members) by obtaining data from the Royal Free London NHS and using it to create a mobile app called 'Streams' which was used to help individuals detect kidney issues.
On 13 May 2023, the High Court dismissed the claim stating there was no prospect of establishing that the data relating to 1.6m class members could have been misused, and that such proceedings should not be allowed to proceed on an opt-out basis. The Claimant obtained permission to appeal.
On 11 December 2024, the Court of Appeal (CoA) handed down its judgment (Neutral citation: [2024] EWCA Civ 1516) following a hearing in October 2024. The CoA upheld the High Court's decision and dismissed the appeal. The CoA stated that a representative class claim for misuse of private information is always going to be very difficult because relevant circumstances will affect whether there is a reasonable expectation of privacy, which will affect whether the representative class have the same interest. In this situation, showing that all members of the representative class have exactly the same interest in the claim is likely to be challenging.
This judgment highlights the difficulties in bringing data misuse claims on a class basis in the UK and may serve as a deterrent for representatives looking to bring such claims.
Click here to see the CoA's judgment and click here to access the High Court's judgment.
EDPB's statement calls for coherence of legislation with the GDPR
On 3 December 2024, the European Data Protection Board (EDPB) adopted a statement (Statement 6/2024) on the European Commission's second report on the applicability of the GDPR (COM(2024) 357).
Whilst the EDPB's statement acknowledges that the GDPR has improved individuals' control over their own data and established high data protection standards throughout the EU, it notes there are outstanding challenges. More specifically, the EDPB notes that further clarity and coherence are needed between the GDPR and other EU statutory instruments such as the Artificial Intelligence Act, the Digital Markets Act (DMA) and the broader EU Data Strategy. It also indicates that further cooperation is needed between DPAs and other regulatory bodies.
The EDPB referred to some of its ongoing initiatives such as producing guidance to assist with understanding various EU statutory instruments and establishing cooperation mechanisms with other sectoral regulators. It also highlighted the need for additional financial and human resources to help DPAs and the EDPB deal with increasingly complex challenges and additional competences. The EDPB has encouraged reports from the European Commission and the Fundamental Rights Agency.
Click here to read the press release and statement from the EDPB.
EU's Cyber Resilience Act comes into force
On 10 December 2024, the EU's Cyber Resilience Act (CRA) came into force. Whilst most of the Act's obligations will not be applicable until three years from now, it marks a significant advance towards protecting products from cyber threats. The CRA applies to 'products with digital elements' (PDEs), which range from Internet of Things (IoT) devices and computer components to software. The CRA applies to manufacturers, distributors and importers of PDEs.
Manufacturers are under the highest level of scrutiny, as it is their responsibility to ensure that the PDE meets essential cybersecurity and vulnerability handling requirements, and to make notifications if there are severe PDE incidents. Failure to comply with the CRA obligations can result in a fine of up to EUR 15 million or up to 2.5% of worldwide turnover. Non-compliant products can also be banned, withdrawn or recalled from the EU. The provisions of the CRA will apply from 11 December 2027, with certain articles coming into force in 2026.
Click here to read our full article which contains further analysis and commentary on the CRA.
Nuclear Decommissioning Authority launches cyber facility
The Nuclear Decommissioning Authority (NDA) is responsible for cleaning up the UK's earliest nuclear sites and is made up of four key competencies: Sellafield; Nuclear Restoration Services; Nuclear Waste Services; and Nuclear Transport Solutions. The NDA has recently announced the establishment of a specialised cyber facility, the Group Cyberspace Collaboration Centre (GCCC). The facility will seek to collaborate with nuclear operators and the wider supply chain to work on technologies such as AI and robotics whilst enhancing the collective ability to defend against cyber threats. The GCCC is a wholly owned subsidiary of the NDA.
Earlier this year, another of the NDA's subsidiaries, Sellafield Ltd, which is responsible for managing the Sellafield site, was fined £332,500. This followed Sellafield Ltd's failures to meet the standards, procedures and arrangements set out in its approved cyber security plan and breaches of the Nuclear Industries Security Regulations 2003, which occurred over the course of four years.
Click here to read more from Nuclear Engineering International on the establishment of the GCCC and click here to read about Sellafield's fine.