Cybersecurity breach notification requirements
Produced in partnership with Nicola Fulford of Hogan Lovells and Chris Benn of Kemp Little LLP

The following IP guidance note, produced in partnership with Nicola Fulford of Hogan Lovells and Chris Benn of Kemp Little LLP, provides comprehensive and up-to-date legal information covering:

  • Cybersecurity breach notification requirements
  • Cybersecurity and the law
  • EU regulatory framework—security obligations and breach notification requirements
  • UK regulatory framework—security obligations and breach notification requirements
  • Notification consequences and failure to comply
  • What it takes to be cybersecurity breach ready
  • Consequences and practical tips to manage a cyber attack

This Practice Note is intended to provide an overview of the laws and regulations relating to cybersecurity, with a particular focus on:

  1. the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR)

  2. the Network and Information Systems Regulations 2018 (NIS Regulations), SI 2018/506, which implement the provisions of the Network and Information Systems Directive (NIS Directive), Directive (EU) 2016/1148, in the UK

  3. the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003), SI 2003/2426, which implement the provisions of the ePrivacy Directive, Directive 2002/58/EC, in the UK, and the proposed ePrivacy Regulation on Personal Data in Electronic Communications, and

  4. the Financial Services and Markets Act 2000 (FSMA 2000) and the Financial Conduct Authority (FCA) Handbook

These laws and regulations are discussed in the context of:

  1. the entities that are required to comply with such rules

  2. the security obligations

  3. the notification requirements in the event of a breach, and

  4. the consequences of failing to comply

The Practice Note ends with final guidance on:

  1. what it takes to be cybersecurity breach ready, and

  2. consequences and practical tips to manage a cyber attack

The cybersecurity implications in relation to the separate data protection regimes under the Data Protection Act 2018 (DPA 2018), which relate to the processing of personal data by competent authorities for law enforcement purposes or by the intelligence services, or under the ‘applied GDPR’