On Friday 12th May, a large-scale cyber attack hit thousands of computers around the globe, including NHS IT systems, causing havoc in health services across the UK. The attack used ransomware which encrypts a user's files and demands payment to restore access.
This cyber attack raises a range of questions for affected organisations, not just around the technical security of IT systems but the legal implications too.
Once systems stability has been restored, affected organisations will need to respond to the fallout, and even those not affected this time will want to take preventative action to protect their systems, customers and other stakeholders from the consequences of future attacks.
Managing the immediate legal issues
- Breach Investigation and Reporting to the Information Commissioner's Office (ICO) - Organisations will need to understand how to manage any data breaches and ensure they report to the ICO where appropriate. Reporting breaches early, and including detail around the measures and systems that are in place to avoid similar future breaches, should help organisations to mitigate or avoid regulatory enforcement action as far as possible. Some NHS Trusts may need help preparing a report.
- Liabilities and claims - Organisations may need to take advice around any liability or claims arising from the cyber breach, including potential claims against the organisation by service users, providers and third-party contractors. This includes looking at the contractual position with external/outsourced IT/virus protection providers and providing notification to insurers (if there is cyber cover in place) in order that any losses can be recovered.
Protecting against future attacks
- Systems – organisations should look at undertaking a review of what can be done to minimise the risks in future, including reviewing their system protection, back-up capabilities etc.
- Training – making sure staff have adequate training to respond effectively in the event of an attack, including crisis management training and even testing the level of preparedness through mock cyber-attack simulations.
Bevan Brittan has multi-disciplinary teams who can help advise around the various IT, Information Law, Governance/Investigatory, Regulatory and Reputational Management aspects of a cyber attack. If you want to understand more, please contact Adam Kendall.