11 December 2017
Network Information Security Directive
NISD, or the Cybersecurity Directive, should be implemented into Member State legislation by 9 May 2018.
The Cybersecurity Directive is relevant to you if you are an Essential Service provider or if you are a Digital Service Provider, i.e. an online marketplace, an online search engine or a cloud services provider. This is a minimum harmonisation Directive. That means not only that Member States have to produce implementing legislation, but also that they have discretion to go above and beyond what the Directive says. We are, therefore, looking (to a certain extent) at fragmented implementation across the EU, although multi-jurisdictional companies can take comfort from the fact that they will be regulated in the place of their “main establishment”.
The UK government has confirmed that it will implement the Directive and published a consultation in September, but it is yet to publish implementing legislation.
ENISA published useful guidelines for digital service providers (DSPs) to help them determine when to report security incidents under NISD.
The guidelines cover:
- identifying types of incidents to be reported;
- definitions and clarifications on parameters and thresholds;
- defining substantial incidents;
- description of the incident reporting process and the stakeholders involved;
- cross border sharing of incidents; and
- identification of DSPs.
They also deal with the issue of overlapping reporting requirements between NISD and the General Data Protection Regulation (GDPR). ENISA confirms that there are situations in which there would be reporting requirements under both NISD and the GDPR. However, NISD focuses on reporting of “any incident affecting the availability, authenticity, integrity or confidentiality of data stored, transmitted or processed by a [DSP] through network and information systems which has a substantial impact on the provision of the digital service offered”, whereas the GDPR deals with reporting personal data breaches. This means that a breach may trigger GDPR breach notification provisions without triggering NISD reporting requirements. It is less likely to work the other way around, as most breaches which affect the confidentiality of the service offered and the underlying data will include personal data. The consideration will be whether the data breach is serious enough to trigger breach reporting under the GDPR.
There have been a number of extremely high profile breaches reported this year (although many took place before 2017), with Equifax and, most recently, Uber among those hitting the headlines. It was also a big year for ransomware attacks, which included the NotPetya, WannaCry and Locky ransomware incidents. Many breaches could have been avoided simply by applying patches to update software. New security and breach reporting obligations are coming in 2018.
In an interesting recent development on data breaches, supermarket chain Morrisons was found by the High Court to be vicariously liable for the actions of one of its former employees, who leaked the personal data of thousands of employees. A class action was brought by 5,518 employees with ten lead claimants. In the first ever group litigation data breach case to be heard by the UK courts, the main issue to be decided was whether the data controller, Morrisons, was either directly or vicariously liable for the actions of its employee. It was held that while Morrisons was not implicated in the misuse of the data, and therefore not directly liable, it was nonetheless liable to compensate all the claimants in the group on the basis of common law vicarious liability principles. This was despite the fact that the misuse was held to have taken place with the express purpose of damaging Morrisons. It is worth noting that Morrisons was given the right to appeal the decision, but the claimants were not given the right to appeal the dismissal of the direct liability claim.
This decision confirms that data controllers are in the liability frame even when they have done everything possible to prevent a data breach (such as carrying out thorough vetting of employees and using suitable security), and it could have far-reaching consequences. This is less because the law has changed than because this is the first occasion on which a class action relating to data breaches has come before the courts, so we may see an opening of the floodgates. The decision is not specific to current UK data protection law, as it is based on common law liability principles.