On Friday 12th May, a large-scale cyber attack hit thousands of computers around the globe, including NHS IT systems, causing havoc in health services across the UK. The attack used ransomware which encrypts a user's files and demands payment to restore access.

This cyber attack raises a range of questions for affected organisations, not just around the technical security of IT systems but the legal implications too.

Once systems stability has been restored, organisations affected will need to respond to the fallout and, even those not affected this time will want to take preventative action to protect their systems, customers and other stakeholders from the consequences of future attacks.

Managing the immediate legal issues

  • Breach Investigation and Reporting to the Information Commissioners Office (ICO) - Organisations will need to understand how to manage any data breaches and ensure they report to the ICO where appropriate. Reporting breaches early, and including detail around the measures and systems that are in place to avoid similar future breaches, should help organisations to mitigate or avoid regulatory enforcement action as far as possible. Some NHS Trusts may need help preparing a report.
  • Liabilities and claims - Organisations may need to take advice around any liability/claims arising from the cyber breach including potential claims against the organisation by service users, providers and third party contractors. This includes looking at the contractual position with external/outsourced IT/virus protection providers and providing notification to insurers (if there is cyber cover in place) in order that any losses can be recovered.  

Protecting against future attacks

  • Systems – organisations should look at undertaking a review of what can be done to minimise the risks in future including reviewing their system protection, back-up capabilities etc
  • Training – making sure staff have adequate training to respond effectively in the event of an attack, including crisis management training and even testing the level of preparedness through mock cyber-attack simulations. 

Bevan Brittan has multi-disciplinary teams who can help advise around the various IT, Information Law, Governance/Investigatory, Regulatory and Reputational Management aspects of a cyber attack. If you want to understand more, please contact Adam Kendall

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.