Cybersecurity, threats and risk management

The importance of implementing cybersecurity measures has been highlighted in recent years by high-profile security failures involving the internet, the technology, and the services which support and make use of it. Against this backdrop, cybersecurity is of growing significance both to businesses and individuals. Organisations should be aware of their existing measures and, in the words of the UK government, ‘accept responsibility for their cybersecurity and ensure that they have the appropriate controls and systems in place to deter and deal with breaches if they do occur’.

Convergence in a digital world has also brought cybersecurity issues to a diverse range of industries and legal practice areas. This is reflected in a patchwork of current and proposed regulation to combat information security threats and manage data use, together with a growing appreciation of the need for standards and for harmonisation of practice and regulation.

For a list of the key bodies or organisations that operate to combat the threat of cybercrime, see Practice Note: Cybercrime who's who.

For information on cybersecurity regulation in other jurisdictions, see:

Latest Information Law News

Automated decision-making and DSARs: right to access means a right to explainability (CK v Magistrat Der Stadt Wien, Dun & Bradstreet Austria GMBH)

Information Law analysis: The Court of Justice provided several clarifications around the scope of data subject access requests (DSARs) in the context of automated decision-making. The court held the determining factor for whether information constitutes ‘meaningful information about the logic involved’ under Article 15(1)(h) of the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) is whether the information enables the data subject to understand the logic involved in automated decision-making involving their personal data. The court also held disclosure by controllers should be underpinned by the principles of transparency, which requires information to be clear, accessible and intelligible, both in terms of content and form, from the perspective of data subjects. In the context of automated decision-making this doesn’t necessarily mean providing the exact algorithm, if it doesn’t help the data subject’s understanding of the ‘how’. The court confirmed DSARs do not mandate the disclosure of trade secrets, but this can only be decided by the relevant supervisory authority or competent court, after assessing all relevant information provided to them by a controller. The protection of trade secrets cannot be used as a blanket excuse by businesses to withhold certain information from individuals making a request under Article 15(1)(h) of the EU GDPR. Written by Marija Nonkovic, associate at Kemp IT Law LLP.
