Cybersecurity, threats and risk management

The importance of implementing cybersecurity measures has been highlighted in recent years by high profile security failures involving the internet, the technology, and the services which support and make use of it. Against this backdrop, cybersecurity is of growing significance both to businesses and individuals. Organisations should be aware of their existing measures and, in the words of the UK government, ‘accept responsibility for their cybersecurity and ensure that they have the appropriate controls and systems in place to deter and deal with breaches if they do occur’.

The effect of convergence in a digital world has further operated to bring issues involving cybersecurity to a diverse range of industries and legal practice areas. This is reflected in a patchwork of current and proposed regulation to combat information security threats and manage data use together with a growing appreciation of the need for standards and a harmonisation of practice and regulation.

For a list of the key bodies or organisations that operate to combat the threat of cybercrime, see Practice Note: Cybercrime who's who.

For information on cybersecurity regulation in other jurisdictions, see:

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Information Law News

Italian Supervisory Authority fines Luka Inc. for EU GDPR breaches relating to AI chatbot

The European Data Protection Board (EDPB) has published details regarding the Italian Supervisory Authority’s decision to impose an administrative fine on Luka Inc. for infringements relating to the processing of personal data in connection with its generative AI chatbot, Replika. The Italian Supervisory Authority initiated the investigation following press reports and preliminary fact-finding, which revealed that Luka Inc. had not established a valid legal basis for processing data, provided an inadequate privacy policy, and failed to implement adequate age verification mechanisms prior to 2 February 2023. Technical assessments confirmed ongoing deficiencies in the age verification system currently in use. Consequently, the Italian Supervisory Authority has imposed a fine of €5m for breaches of several Regulation (EU) 2016/679 (General Data Protection Regulation (EU GDPR)) provisions and issued a compliance order requiring Luka Inc. to rectify its data processing operations. The authority has also reserved the right to assess the lawfulness of the company’s processing activities across the entire lifecycle of the underlying AI system in a separate proceeding.

Information Law weekly highlights—22 May 2025

Welcome to this week’s edition of the Information Law weekly highlights: a hand-picked summary of news analysis, updates and new content related to laws governing the use and dissemination of information and personal data. Each week these highlights focus on developments in key topics such as data protection, ePrivacy, cybersecurity, breach of confidence, misuse of private information, and defamation.

Gender identity and the right to rectification of personal data (VP v Országos Idegenrendészeti Főigazgatóság)

EU Law analysis: The Court of Justice has held that personal data relating to gender identity on the public registers of a Member State must be subject to the right to rectification under Article 16 of the General Data Protection Regulation, Regulation 2016/679 (EU GDPR). Rectification may require production of relevant and sufficient evidence reasonably required to establish the inaccuracy, which may include medical certificates. However, a Member State may not make the exercise of the right of rectification conditional on evidence of gender reassignment surgery. Further, any restrictions on Article 16 rights in this regard must also comply with Article 23 of the EU GDPR and must be established by legislative measures and not by administrative practice. Importantly, the Court of Justice looked at data accuracy within the broader context of fundamental rights, especially the rights to personal integrity and privacy. In doing so, it expanded protections for transgender people by referring to gender identity, rather than relying on the traditional focus on gender reassignment. Written by Gaelyn Fuhrmann, Legal Director at Wiggin LLP.