Patching Regulations Developments [January 2023]

This is the fourth edition of our periodic update on regulatory changes in security requirements, including patching obligations and liability for security breaches.

We appreciate any contribution to this newsletter based on your own research or internal enterprise discussions.

The pdf version of the newsletter can be downloaded here.


EU Developments

  • NIS2 Directive Adopted: On 27 December 2022 the NIS2 Directive was published in the Official Journal of the European Union. The directive enters into force 20 days after publication, so NIS2 has been in force since 16 January 2023. Note that entry into force is not the same as applicability: the obligations bite on operators only once Member States transpose the directive into national law, for which they have until 17 October 2024. To keep track of upcoming and current releases in the EU legislative scene (excluding the AI liability regulation and DORA), researcher Phil Lee has created a useful graphic of the expected timeline. source1 and source2

  • ECJ Declares Flexibility in Data Breach Litigation Claims: In a ruling of 12 January 2023, the ECJ held that the administrative and judicial remedies provided in Articles 77-79 of the GDPR may be exercised concurrently and independently of one another. This gives individuals flexibility in choosing how to seek redress: they are not limited to lodging a complaint with their national DPA, but can also bring a claim before the national courts. This interpretation by the ECJ is likely to lead to an increase in claims and civil litigation over data breaches. source1, source2

  • EU to Announce Regulation on 5G Streamlining: According to the news outlet Euractiv, the EU is set to announce a revision of the Broadband Cost Reduction Directive (BCRD). The rumoured proposal (publication date unknown) would set out to facilitate and govern the roll-out of very high capacity networks such as 5G. source

  • ChatGPT: The Rise and Challenges: The uptake of ChatGPT, the chatbot recently released by OpenAI, has spurred many diverse discussions on its promise and challenges (such as plagiarism in education). The full extent of its capabilities is still unknown, but numerous cybersecurity and legal risks have already been highlighted. Chief among them is that ChatGPT lowers the skill barrier for writing malware, making malware construction accessible to far less experienced actors. This underlines the importance of patching as a tool to reduce the risk of malware exploiting known vulnerabilities, since a larger pool of attackers does not change the fact that unpatched flaws remain the primary entry point. ChatGPT will certainly be a topic to watch, and regulators are likely to comment in the future. source1, source2

US Developments

  • US Records High Number of Cybersecurity Lawsuits: US lawsuits over cyberattacks reached a high in 2022, particularly in the cryptocurrency sector. Before 2021 fewer than 10 cases were brought annually; this doubled in 2022 to 20 individual and collective claims. The claims fall into two main categories: insufficient security measures to protect accounts, and indirectly allowing hackers access. Further cases will continue to clarify what duty of care is owed in terms of cybersecurity. source1

UK Developments

  • ICO Publishes Names and Details of Data Breaches: The UK's DPA, the Information Commissioner's Office (ICO), has started a public register of information on personal data breaches, including the names of the breached organisations and the issues involved in each breach. The total value of fines imposed by the ICO has also tripled since October 2021, passing 15 million pounds, making it one of the most aggressive privacy regulators in Europe. source1

  • The Guardian Hit by Ransomware Attack: In December 2022 the UK newspaper The Guardian was hit by a ransomware attack that exposed a substantial amount of personal data of its UK-based staff. This reflects a trend identified in a 2022 UK government report, which found that two in five UK businesses reported a cyber security breach that year. source1, source2

Global & Privacy Developments

  • ISO to Publish PbD Standards: The ISO is set to publish a new set of standards on Privacy by Design in February this year. source1

  • Meta Fined 395.5 Million Euros for Unlawful Processing: As anticipated in the previous newsletter, the EDPB has adopted its binding decisions on Meta, on the basis of which Meta has been fined 395.5 million euros for relying on its terms of service (contractual necessity) as the legal basis for processing personal data for behavioural advertising, instead of obtaining valid consent. Some sources see this as a turning point in the battle against surveillance capitalism, whereas others criticise the fines as being too low. source1, source2, source3, source4

  • Useful Data Protection Tool: The law firm CMS has produced a 'Data Law Navigator', which simplifies searching for and understanding data protection law in different jurisdictions. source

Lisa Rooij
PhD Researcher
Lokke Moerel
Full Professor