There's rarely a quiet week in data protection — and this one was no exception. Below is the most interesting development from the past seven days that caught my eye.
It’s not often that mainstream newspaper articles touch on three of the issues that are front and centre for clients across geographies and sectors, but a recent piece in the Financial Times did just that. The theme: the evolving landscape for cyber-attacks.
1. Don’t underestimate the value of tabletop exercises
The nature and variety of cyber attacks mean that practice cannot make perfect — but it absolutely helps. Indeed, our experience is that companies that conduct data breach tabletop exercises almost always perform better when it comes to the real thing.
Anyone who has lived through even one big breach knows that things can move quickly and unpredictably. Having a plan to follow — one that you have rehearsed before, and which covers containment and remediation, regulatory notifications and ransom payment decisions — can be a source of reassurance in what is usually a highly stressful time.
2. The GDPR is not the only breach notification law in town
EU member states have until 17 October 2024 to transpose the NIS2 Directive, which beefs up the current NIS Directive regime and applies to “essential” and “important” entities across a range of sectors. Besides provisions on cybersecurity risk management, NIS2 requires in-scope entities to notify the relevant competent authorities of incidents that have a “significant impact” on their services. Reporting is staged: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month.
In January 2025, another EU law with incident reporting requirements takes effect: the Digital Operational Resilience Act, or DORA, which applies from 17 January 2025 to financial entities and to the critical ICT third-party service providers that support them. DORA requires in-scope entities to report “major” ICT-related incidents to their regulatory authorities and, in certain cases, to clients and the public.
The net-net is that a single incident may need to be reported under more than one law, on more than one timetable and to more than one supervisory authority. If you haven't updated your breach processes to account for these laws, now is a good time to do so. You may want to fold them into your next tabletop exercise, too.
3. Ransoms: to pay or not to pay
Ransomware activity has slowed from its pandemic-level highs, but some interesting trends are emerging in its place. The growth of ransomware as a service means that bad actors now have widely varying levels of competence. While some unsophisticated criminals are making unforced errors (e.g., failing to encrypt data properly), the same variability makes dealing with them more unpredictable.
The payment of ransoms continues to be a hot topic. In the UK, for example, the Labour government’s proposed Cyber Security and Resilience Bill will require in-scope organisations to make regulatory notifications when they have been asked to pay a ransom. The previous government reportedly intended to introduce a licensing regime for ransom payments (i.e., notification before payment). The briefing notes to the Bill do not say whether that idea survives, so it is something to look for when the legislation is tabled.
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.