UK and US governments enter criminal data sharing deal

What happened

• A UK-US bilateral data access agreement, which permits law enforcement access to data held by telecoms providers through a court application, will come into effect on 3rd October 2022, according to the Home Office, after it was initially signed in 2019.
• The agreement will permit the US Department of Justice to request information directly from UK telecoms providers, where it is necessary for the investigation, prosecution, or prevention of a serious crime, including terrorism.
• This is a significant change from the current position, in which the US must request assistance from the UK through the Home Office, who subsequently designate a suitable public authority e.g. a local police force, to request the necessary information from the UK telecoms providers on their behalf.
• There are no restrictions on the US targeting UK nationals as long as they are not located in the UK at the time, in contrast to the restrictions on the UK targeting people in the US, which prohibit the UK from targeting US citizens. Telecoms providers with services that can be accessed from outside the UK, are therefore in scope to receive requests.
• Examples of the types of service providers potentially in scope include:
  • Hosting/storage services
  • Website operators
  • VPN services
  • Email and other messaging services

Why it matters

• The future relationship between the EU and the UK depends on the continued free flow of personal data. The European Data Protection Board (EDPB) had previously raised concerns as to whether the UK’s data-sharing agreement with the US includes sufficient safeguards to comply with EU standards, particularly in view of the Schrems II judgement which ruled that US laws do not satisfy EU requirements.
• The concerns of the EDPB in relation to the Agreement which will now shortly be in force, coupled with the UK Government’s proposed post-Brexit data protection reforms which Xcina Consulting have covered in previous blog posts here and here, mean that the UK’s adequacy decision could be at risk.
• It’s important to note that the agreement only requires the UK Government to remove obstacles that would have previously prevented a UK telecoms provider from responding to a legitimate request from the US; it does not compel providers to disclose information in response to a request.
• Organisations should already have clear processes in place for handling law enforcement requests, including the requirement to verify the legitimacy of requests and assess on a case-by-case basis whether disclosure is legally justified and proportionate under the circumstances.
• UK providers in receipt of a request from the US under the agreement must still assess the implications of complying with a request from the perspective of data protection legislation, ensuring an appropriate lawful basis is identified and any reliance on an exemption under the Data Protection Act 2018 to disclose information is justified and documented.
• Organisations should ensure that staff in public-facing roles, or those who deal with requests from law enforcement, are made aware of the upcoming agreement, so that any requests received are identified and handled appropriately.

What happened

• According to an IBM Security report released this month, the average cost of a data breach increased to an all-time high of $4.4 million this year. This represents a 2.6 percent increase from a year ago and a 13 percent increase since 2020.
• 550 organisations worldwide that experienced data breaches between March 2021 and March 2022 served as the basis for the annual report.
• The report considered both immediate costs, such as those associated with investigating and containing breaches and, in some cases, paying ransoms, as well as longer-term expenses, including regulatory fines and loss of sales caused by reputational damage.
• On average, those polled claimed they accrued just under half of the costs related to a given breach more than a year after it occurred.
• Many of the highest-cost breaches analysed in the IBM study involved critical infrastructure within the financial services, industrial, technology, energy, transportation, communication, healthcare, education and public-sector industries.

Why it matters

• With an average cost of just over $5 million, the UK was one of the top five countries for the highest average cost of a data breach.
• The survey indicated that organisations with an incident response team and that routinely test their incident response plan saved an average of $2.66 million.
• Despite best efforts, data-breach incidents are never entirely avoidable, but the report is a crucial reminder of the necessity of putting systems in place to quickly identify and address breaches when they do happen, minimising the damage to the business and to data subjects.
• The report also identified that ransomware attacks accounted for 11% of the data breaches examined, up from 7.8%% in 2021, highlighting the need for organisations develop comprehensive and defensive security postures to guard against such attacks.
• Nearly 5% of the breaches were caused by credentials that were lost or compromised, and another 16% were caused by phishing scams.
• It’s not too late to join Xcina Consulting’s breakfast seminar on combatting cyber security threats, with Marcus Willett CB OBE – the former Deputy Head of GCHQ. Senior technology executives will also be among our panellists who will take your questions and discuss:
• What are the biggest cybersecurity threats and challenges right now for your organisation
• Budget vs Risk – how to maintain a mature information security and compliance posture
• Are your information security and business priorities in alignment?
• Does your organisation know how to respond in a cyber security emergency?
• The event, which takes place in London on Thursday 25 August, is an exciting opportunity to network and tap into the knowledge of cyber security industry experts. Places are strictly limited, please follow the link Information Security Event Summary & Registration to register.