As many of us adjust to working at home, school closures and the myriad of other implications the COVID-19 pandemic is having on everyone’s everyday life, we take time out to consider the implications the pandemic is having for cyber security lawyers.
What issues have we seen so far?
Over the last few weeks various threat intelligence sources have reported the proliferation of COVID-19 inspired attacks including:
- Phishing attacks where malicious emails have purported to provide important health advice and/or government guidance, taking advantage of individuals’ understandable desire to obtain more information regarding the disease and latest developments.
- More targeted spear-phishing attacks which have purported to, for example, be communications from colleagues to those working at home.
- Fake websites purporting to provide medical or other virus-related advice (such as a fake website copying the well-known Johns Hopkins Coronavirus Resource Centre).
The majority of reported incidents involve the use of malware or social engineering techniques to trick users into downloading ransomware and/or compromising login credentials. The extent to which more sophisticated groups may be exploiting the current turmoil remains to be seen.
Areas of concern
A lot of the initial commentary on COVID-19 suggested that cybercriminals would target health care providers and other critical services, including online food delivery services and collaborative working platforms. Whilst this plainly remains an area of concern, we have not seen an increase in attacks on these businesses (indeed some hacker groups have made public statements that they will not be targeting healthcare providers).
A more basic area of concern is that the increased move to home working will increase the vulnerability of companies in a number of respects:
- Staff working in an unfamiliar environment may be more vulnerable to manipulation by cybercriminals.
- Processes and controls may be weakened as staff numbers are reduced and working patterns are interrupted.
- Many companies whose staff are forced to work from home will not have the same level of protection, such as firewalls and active threat management and detection, that they would enjoy in the office. The position is likely to be particularly acute for businesses that do not employ virtual private networks.
- The increase in home working also places increased strain on IT departments. In the short term this can lead to delays both in identifying and responding to security breaches. In the longer term it may also degrade organisations' resilience to cyber threats if routine tasks such as patching are delayed due to resource issues.
How does this translate to legal risk?
The legal issues arising from data breaches remain the same, namely:
- data protection and other regulatory risk arising from loss of personal data;
- privacy claims brought by data subjects; and
- commercial disputes with customers and/or third-party service providers regarding responsibility for incidents.
The most recent advice from the Information Commissioner’s Office (ICO) makes the following points:
- The ICO will not (and cannot) change the 72-hour deadline to notify a data breach or the rules on responding to subject access requests. However, it will exercise its discretion not to penalise organisations that can show they were not able to comply with the guidance for good reason during the pandemic.
- Although organisations may have larger numbers of staff homeworking than normal, that should not result in a relaxation of the security standards that would apply to homeworkers in normal circumstances.
- The ICO has issued additional guidance on the collection and sharing of health-related personal data, making it clear that it will take a broad view regarding the sharing of information by public bodies for the purpose of protecting against serious threats to public health.
Overall, the message seems to be that, whilst the rules remain the rules, the ICO is prepared to be pragmatic and provide businesses with some latitude, given the current situation. However, businesses should continue to do their utmost to meet the standards imposed on them. As ever, the key principle appears to be that the ICO will not penalise businesses which can show they are well managed, have taken appropriate technical and organisational measures before any incident, and have acted promptly and responsibly in response to the incident itself. The risk of enforcement will remain significant where an incident raises concerns about the organisation’s underlying approach to data security, or where organisations simply use the COVID-19 situation to justify inadequacies in their procedures or response.
In the meantime, it remains to be seen what the effect of the current pandemic will be on the increasing trend, post Lloyd v Google, for claimant firms to seek to pursue collective privacy actions. Our suspicion is that there will be a temporary drop-off in claims during the pandemic but, like the financial markets, we expect a “V-shaped recovery” thereafter.