With the significant rise in data breaches and cyber incidents in past few years, organisations are becoming increasingly aware of the risks that cyber attacks pose to their business and cybersecurity threats are now a board-level issue. Sophos’ recent State of Ransomware Report 2023 indicated that around 44% of UK businesses’ surveyed had suffered a ransomware attack in the previous year, with the average recovery costs (excluding any ransom payment) being around £1.1 million.

However, despite this increased awareness, when sophisticated cyber-attacks do occur organisations often focus their immediate attention on instructing third party IT providers to remedy and rectify the breach, rather than approaching their lawyers to assist them with ensuring that they comply with their legal obligations in respect of any data breach.

At Burges Salmon we've worked with carefully-selected partners from across the cybersecurity industry to assemble a world-class team of experts who can address any issues arising from a data breach or cybersecurity attack, including in relation to digital forensics support, and we have extensive experience of crisis management advice in the immediate aftermath of a data breach or ongoing cyber incident.

This article examines the legal obligations that organisations should be considering when a cyber attack occurs, as well as the importance of obtaining legal advice on these issues at the earliest stages of an attack (and ideally as part of a well-planned and rehearsed cybersecurity readiness program that is in place prior to any data security incident and ready to action if an organisation is subjected to a cyberattack).

Key Considerations

Clearly the key concern for organisations upon suffering a cyber attack is the restoration of their systems and the recovery of any data lost. To that extent, unless organisations do have internal teams who can deal with an attack, it is critical for them to already have an arrangement in place with a third-party IT provider or instruct them as soon as possible upon discovery of an attack.

However, organisations should also ensure that in conjunction with their immediate IT response, they contact their lawyers to assist with ensuring compliance with their immediate obligations, such as:

• the compliance obligations associated with paying any ransom to the attackers;
• the obligation to notify regulators, such as notifying the ICO within 72 hours where any personal data is involved in the attack;
• any contractual obligations to notify their insurers of the attack;
• the obligation to notify data subjects of the attack where there is a high likelihood of a risk to their rights and freedoms;
• any contractual obligation to notify third party suppliers or customers of the attack.

Our cybersecurity team can advise on the requirements and key considerations in submitting these notifications, which is particularly important given the consequences associated with the failure to make appropriate notifications. For example, a failure to notify any insurer within the required timeframe will often result in any coverage for cyber insurance being invalidated. Similarly, any failure to notify third party suppliers or customers may result in a breach of contract, entitling those third parties to terminate any agreement and potentially claim damages as a result.

The advantage of instructing lawyers as part of the immediate response in the aftermath of a data breach is that they can consider all the above issues from the outset and scan the horizon for any issues in the breach response strategy that may create problems or complications for the organisation in the future and once the immediate impact of the breach has been resolved. These issues might include any claims brought by individuals or customers as a result of the cyberattack or any claims the organisations may wish to bring against third parties who may have some responsibility for the breach, such as a third-party IT provider who has failed to diligently protect against a cyberattack.

Most importantly, instructing lawyers at the outset of an attack means that the organisation can benefit from the legal privilege that communication between clients and their lawyers is afforded. In particular, where a third-party IT provider is being instructed to investigate the root cause of an attack, having lawyers instruct the provider on the organisation’s behalf will mean that any report produced may be subject to legal privilege, allowing the organisation to retain control over this information and who this is disclosed to, which is of significant benefit to the organisation should any claims be brought against them as a result of the attack, or indeed should they wish to bring any claim themselves against any third party who may be responsible for it.

Key takeaways and implications

Ultimately, organisations response to any cyber attack should ensure that it prioritises its legal obligations in respect of a breach alongside its cyber response. Ensuring that lawyers are on hand at the earliest stages of the breach will allow organisations to ensure they remain compliant with their legal, contractual and regulatory obligations throughout the breach response process.

Burges Salmon’s cybersecurity team is highly equipped to advise on any cybersecurity issues, including all of the matters listed above. We have significant expertise in advising organisations across a range of sectors and jurisdictions in responding to complex and business-critical data breaches they have suffered, and are well-versed in the provision of crisis management advice in relation to the discovery of a live and ongoing data breach. We have assembled a team of carefully-selected expert third parties (including digital forensics providers) who we can instruct and co-ordinate on our clients’ behalf in order to remediate and address any issues arising from a data breach or cybersecurity event.

If you have any questions or would otherwise like to discuss any issue raised in this article, please contact David Varney or a member of Burges Salmon's cybersecurity team.