From Breach to Defence: Increasing Claims Defensibility after a Cyberattack in the UK


In the wake of a cyberattack, the immediate response to manage operational disruption, safely restore systems and comply with relevant regulatory obligations is only the beginning. A longer-term challenge for many organizations comes in the form of claims for compensation arising from data subjects whose data rights have been breached as a result of the cyberattack. 

How organizations handle this ensuing period of vulnerability can significantly impact the volume and severity of claims and how robustly an impacted organization is able to defend those claims (what is sometimes known as “claims defensibility”). 

CyXcel’s Associate Ahmed Mangera and Partner Anthony Rance explain how organizations can navigate the aftermath of a cyberattack in a way that can improve their claims defensibility, limiting the severity of claims and making them easier to defend (or settle).  They focus, in particular, on using the principles of clear and careful communication, regulatory co-operation and strategic decision-making.

Cyberattacks are an ever-increasing and evolving threat to organizations of all sizes and across sectors.

The Cyber Security Breaches Survey 2024, conducted by the UK Department for Science, Innovation and Technology in partnership with the Home Office in April 2024, reported that “Half of businesses (50%) and around a third of charities (32%) report having experienced any kind of cybersecurity breach or attack in the last 12 months. This accounts for approximately 718,000 businesses and 65,000 registered charities”.

As more and more organizations fall victim to cyberattacks, such that it becomes a case of “when, not if”, there needs to be an increasing focus on not only preventing attacks but also on managing the aftermath effectively. 

One key aspect of this incident response process is claims defensibility: the ability to protect your organization by mitigating the severity of the legal and financial liabilities that may arise. These liabilities can continue long after a breach has been resolved, since most data subjects in the UK have six years from the date the cause of action arises in which to formally bring a claim.

Measured Communication is Key: Transparency, Care and Consistency

When a cyberattack occurs, the affected organization’s instinctive response may well be to apologize publicly for the breach in an effort to take ownership of the situation and start rebuilding trust among impacted data subjects, customer organizations and other stakeholders.  

However, an admission of liability when the facts are still unknown and incomplete is counterproductive. Instead, it is important to focus on factual, measured communication that acknowledges the breach without assigning blame prematurely. When communicating with affected parties — whether employees, clients, or partners — organizations should ensure that all messaging is clear, consistent and devoid of unproven admissions of fault. 

Transparency is also an important part of rebuilding trust, albeit great care needs to be taken with precisely what is said and what is shared, since the factual position in the early days of an incident evolves rapidly. The aim should be to demonstrate responsiveness and a clear commitment to a thorough investigation and remedial action. Providing regular updates on what steps are being taken to mitigate harm is important, and all such communication should be based on sound legal advice.

A centralized communications team is best placed to handle all messaging during and after the breach to ensure consistency and clarity. Internal communication protocols should also be in place to ensure only the authorized team issues public statements.

Staying on the Right Side of the Regulator

In the UK, the Information Commissioner’s Office (ICO) plays a critical role in regulating how organizations handle personal data (including sensitive or “special category” data).  Depending on the sector the affected organization operates within, other regulators may also need to be engaged with.  However, where a breach concerns personal data, organizations will at the very least need to work with the ICO, unless they are satisfied that there is unlikely to be a risk to people’s rights and freedoms.  

When a reportable breach occurs, cooperation with the ICO can make a significant difference to the outcome of claims and penalties. The ICO can impose fines up to the ‘higher maximum’ amount, which is “£17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher” for non-compliance with data protection principles set out in the Data Protection Act 2018 (DPA 2018) and UK General Data Protection Regulation (UK GDPR).

Moreover, sanctions imposed by the ICO are often made public and can therefore be expected to find their way to claimant law firms who may be representing impacted individuals. Therefore, limiting, or even avoiding, regulatory sanction can be a crucial part of improving your claims defensibility.

In the event of a breach perpetrated by nation-state actors, clear communication with regulators and law enforcement is especially important. Interaction with the National Cyber Security Centre is also likely to be necessary in such scenarios. 

Cooperating fully with any investigation by regulators — providing timely and accurate information, showing that your organization has followed the proper procedures, and demonstrating a willingness to rectify the situation — can influence how they may view each case. Regulators may be more lenient towards organizations acting responsibly and working to protect individuals affected by the breach.

Notifying your Data Subjects

Under UK GDPR, organizations must notify individuals if their personal data is compromised in a breach that poses a ‘high risk’ to their rights and freedoms. When the obligation to notify arises, it is therefore important to think carefully about precisely how to notify data subjects. Notifications should be clear, concise, sufficiently informative and they should also offer practical guidance on how affected individuals can protect themselves from potential harm.

To reduce the likelihood and severity of claims, organizations should also think carefully about what can be done to protect the interests of data subjects. An organization may want to consider providing additional support to those affected. This could include:

  • credit monitoring services to alert individuals if their financial information is misused;
  • identity theft protection to help mitigate the risk of fraud; and
  • call centre support to answer questions and offer reassurance to those affected.

Such services can demonstrate that an organization is taking proactive steps to protect the interests of data subjects, and they may also help to reassure them, which may in turn reduce claims for damages.

Being able to show that the affected organization has considered the impact on individuals and offered meaningful support can also make claims easier to defend and reduce the value of potential claims.

Avoid Delays But Don’t Rush Decisions

Speed is essential after a cyberattack, especially when it comes to notifying the ICO (without undue delay and within 72 hours, as required under the UK GDPR). Data subjects exposed to a high risk must also be notified without undue delay. However, rushing to provide incomplete or inaccurate information can be just as damaging as delaying a response. A balanced approach is necessary.

Organizations must act swiftly but also ensure that all facts are properly assessed before making substantive public announcements or filing reports with the regulator.  If this is not possible and some level of communication is necessary, then great care should be taken with precisely what is shared, particularly at the outset of an incident when the fact pattern may still be relatively unknown.  

Delays, particularly in notifying affected parties, can upset data subjects and increase the likelihood of claims based on emotional distress, psychiatric injury or financial loss. On the other hand, rushing into providing incorrect and misleading information could also erode trust and complicate the defence of future claims.

The key is to work with legal and technical experts to quickly assess the situation, get the facts straight, and then act in a timely but careful manner. This approach will help meet legal and regulatory obligations while also avoiding unnecessary legal exposure.

Consider Your Recovery Options

In some cyber incidents, the breach might have originated from a third-party failure, such as a vendor or partner responsible for handling part of the IT infrastructure. If this is the case, identifying and properly documenting the role of third parties involved in maintaining your IT infrastructure (including any third-party security providers) can open up possibilities for cost recovery and for mitigating liability.

It is essential to review contracts with third-party vendors to assess their potential liability in the event of a breach. In particular, contractual indemnity clauses may entitle an organization to transfer the financial burden or seek recovery for damages caused by third-party negligence. If a third-party failure contributed to the breach, this information could also form part of the defence in limiting the severity of claims against an organization.

Cyber Insurance: A Vital Line of Defence

In the UK, a robust cyber insurance policy can be a crucial tool for managing the financial impact of claims following a cyberattack. Cyber insurance can cover legal fees, compensation to affected parties and the costs associated with regulatory investigations.

Policies can, however, vary and they can respond to different risks. When selecting or reviewing a cyber insurance policy, ensure that it covers third-party liability (such as compensation claims from individuals or organizations affected by the breach) and legal and forensic costs (including the costs of investigating the breach and defending against claims).  Some policies may also respond to regulatory fines. 

Even if an organization does not hold cyber insurance, it is still worth checking what policies exist and what they say, since appropriately worded insurance policies that respond to personal injury may still provide some level of cover in respect of claims from data subjects. 

A well-structured insurance policy can significantly reduce the financial strain on an organization post-breach, allowing them to focus on limiting reputational damage and getting back to business-as-usual as soon as possible. Be sure to engage the insurer early in the breach process, not least because late notification may prejudice your cover.

Strategic Response to Limit Claims Severity

When it comes to cyberattacks and data breaches, while prevention and resilience are always the goal, the reality is that many organizations will eventually have to deal with an incident at some stage.

Breaches are becoming ever-more frequent as technology advances, as technology drives core operations and as threat actors become increasingly sophisticated. When a breach occurs, the steps that are taken in the aftermath can determine how severe any resulting claims will be as well as how robustly they can be defended.

By carefully managing communications, co-operating with regulators, providing thoughtful support to data subjects, and acting without undue delay, businesses can significantly reduce the severity of claims. Further, exploring third-party liability and ensuring comprehensive insurance coverage can also provide additional layers of protection, making claims easier to defend.

Ultimately, managing the legal fallout of a cyberattack or data breach requires a calm, measured and strategic approach. With the right level of preparation and with a well-managed response, organizations can limit the financial and reputational impact, even when the worst happens.

[Photo by Conny Schneider on Unsplash]

We can help

CyXcel helps businesses and organisations across all major sectors to process post-incident claims. For more information, or to speak with one of our team about how we can help your business, contact us today.