
Legal consequences of a cyber attack

Cyberattack risks are a growing concern for UK businesses, especially when a breach results in the loss of personal or confidential data.

The consequences extend far beyond temporary disruption – you could face customer claims, breach of contract disputes, regulatory fines under the GDPR or the Data Protection Act 2018, and lasting reputational harm. Smaller and newer companies are particularly vulnerable, often lacking the technical resilience and legal safeguards that larger firms possess.

If you're unsure how to identify, minimise or manage these risks effectively, our data protection solicitors can provide tailored legal advice to help you strengthen your organisation’s defences and stay compliant.

How a cyber attack exposes your business

A cyber attack on your business that exposes personal or confidential data can lead to a range of serious consequences. These may include financial loss from stolen funds or operational downtime, legal claims from customers where your privacy obligations have not been met, or breach of contract claims if you fail to comply with data protection requirements. You may also face regulatory penalties under the UK GDPR, the Data Protection Act 2018, and the Data Use and Access Act 2025, which introduces new obligations regarding data governance, access rights, and cross-sector data sharing. While some compliance processes have been streamlined, the duty to report material breaches and ensure robust cybersecurity measures remains critical. In addition to financial and legal consequences, your business may suffer reputational damage if customers lose trust in your ability to safeguard their information.

Common cyber attack types

The National Crime Agency lists the following as the most common cyber threats:

  1. Hacking – This is a method of obtaining unauthorised access to data, including access to people’s social media and email accounts. A hack can bring down an organisation and, depending on its extent, cause significant reputational damage, which in turn affects profitability and the potential survival of the organisation. One example of a major hack was when a British man was arrested for hacking into Twitter accounts belonging to former President Barack Obama and other prominent celebrities. The hacking was for financial gain of more than $100,000 worth of bitcoin. It appears that whilst an attack for financial gain is a nuisance, it is still regarded as better than an attack motivated by chaos and destruction.
  2. Phishing – This is a form of social engineering that entices users to click on a link that may download malware or direct them to an unsafe website. Phishing can be delivered in various ways, including via text messages, emails, or social media, although historically the term describes attacks via email. These emails appear to be legitimate and contain a seemingly genuine link, designed to grant attackers access to the user’s device, allowing them to control it, install malicious scripts or files, or extract sensitive data such as the user’s personal or financial information. Phishing can be extremely dangerous, as it can install malware that holds files for ransom, which may not be released until the owner pays a substantial amount of money.
  3. Distributed Denial of Service (DDoS) – This is a malicious attempt to flood a server or network with internet traffic, making it practically unworkable. Where a cyber criminal launches an attack from a single host, it is called a DoS attack; when many systems are used to launch the attack, it is known as a DDoS attack. According to NBC News, reporting on the Edward Snowden leaks, UK GCHQ (the UK intelligence and security agency) used a DDoS attack to shut down a chatroom used for communications amongst Anonymous hacktivists.

The National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) have jointly published a new threat report, providing an analysis of the evolving threat and an overview of practical steps the UK can take. Find out more on the NCSC website.

Assessing and managing cyber risk

The best way to assess cyber risk is to conduct a cyber security risk assessment (CSRA). This will help identify, analyse, and evaluate the risks that apply to your line of business, as well as any gaps in your information security procedures, including any technical measures that need to be implemented to keep data secure. An organisation cannot make sound security decisions without first assessing its risks. Many have attempted to do so without an assessment, but this often fails, leading to excessive costs and wasted time.

ISO 27001 is an international standard for an information security management system (ISMS). This framework of policies and controls is one way to define an organisation’s information risk management process, and it helps in implementing measures that keep attackers as far away as possible.

Business continuity and legal risk

There is no doubt that an organisation’s business continuity plan (BCP) should cater for the continuity of activities and services in the event of a cyber attack, especially given the potential legal consequences of a cyber attack on operations and compliance. Good continuity planning should identify every potential risk together with a set of speedy solutions to ensure that the business can continue as usual. After all, the organisation should be ready for any disaster that may affect the company, so it keeps running no matter what problem arises. Our solicitors are specialists in their field and will be able to help identify your risks and how to manage them. They can assist in drafting your BCP, taking into account the size and nature of the business and any risks identified by your risk assessment(s).

Employee mistakes and liability

Negligence and human error are both typical scenarios, unfortunate as they are, and they happen in real life. But who is liable? Unfortunately, it is often the organisation. It is therefore of the utmost importance to factor these threats into any cyber security risk assessment and continuity planning. At times, it is pure ignorance or a lack of training that leads an employee to click on a phishing link or browse risky websites; both pose a threat to the organisation. Regular training on cyber risk, and on what employees can do to prevent cyber attacks, is therefore essential. Controls can be implemented, such as role-based access and escalated approval for specific data processing. Still, ultimately, an organisation should have appropriate cyber insurance in case something goes wrong.

When it comes to rogue employees, this has been subject to much speculation, especially in light of Morrison’s case. Some organisations find the ruling in Morrison’s case to be a helpful precedent regarding whether they need to respond to the behaviour of a rogue employee. The Supreme Court ruled in favour of Morrison’s, stating it could not be held liable when its disgruntled employee uploaded payroll data of thousands of employees to a publicly accessible website. The Supreme Court decided that:

  • Disclosure of the data was not sufficiently connected to what the employee was allowed to do in the course of his employment with Morrison’s
  • It was ‘abundantly clear... that the employee was pursuing a personal vendetta against his employer’

Organisations should take heed and create awareness of disciplinary procedures for insider malice.

It is also important to note that if there is any failure on the part of the employer, they will likely be directly or vicariously liable.

Data breach reporting and the ICO

Depending on the type of data that has been compromised, there may be a need to report to the Information Commissioner's Office (ICO). Where there has been a breach of personal data, once you have established the likelihood of the risk to people's rights and freedoms, you must notify the ICO. If there is no risk, then there may be no need to report. In any event, this would lie at the heart of the data protection officer’s decision-making process. It is essential to have a breach reporting procedure in place that is clearly communicated and consistently adhered to, so employees are aware of who needs to be informed in the event of a breach. A personal data breach must be reported to the ICO within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, then those individuals also need to be informed, without undue delay.

The self-assessment on the ICO website can help assess whether a personal data breach is reportable to the ICO.

Cyber attacks and contract liabilities

If you are a supplier (of products or services), rule 101 is to check the contract. As a supplier or a sub-supplier, the obligation to report may filter up or down the chain and may impose time limits. These time limits are often tight, typically around 48 hours, so that the ultimate client can still report the breach to the ICO within its own 72-hour window. Data considered relevant typically includes identifiable information, financial data, or trade secrets. Not all compromised data will contain personal data, but contracts may still include instructions on breach reporting time limits, indemnity, liability, and, at times, an immediate audit. Such provisions can lead to discussions regarding the renewal of terms, pricing, or termination of services. This is why any sub-processor must enter into obligations similarly onerous to those of its client(s), to ensure that liability can filter down the chain.

In practice, it’s challenging to locate contracts, determine who owns them, understand their contents, and verify whether the terms are being implemented in the business. A sound contract management system can facilitate speed and efficiency in the event of a breach. A supplier risk management process should also be robust, where risks have been assessed prior to negotiating any contract. The assessment should be considered carefully in line with the organisation’s risk appetite.

Regulatory fines and legal fallout

A cyber attack that results in the loss of personal data can incur substantial fines, and most compromised data sets will contain at least some personal data. The higher maximum amount an organisation can be fined is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. Typically, the higher amount applies to a failure to comply with any of the data protection principles, any rights an individual may have under Part 3 of the Data Protection Act 2018, or any transfers of data to third countries. Should there be a breach of administrative requirements, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher. Fines can lead to reputational damage and threaten business sustainability.

In October 2020, British Airways was fined £20 million for security failings that facilitated a cyber attack, which led to the personal data of 429,612 customers and staff being accessed. This came a year after the company was fined £183 million for compromising the data of 500,000 customers. The ICO is taking no prisoners and is being forceful in imposing substantial penalties.

Cyber insurance and legal protection

Cyber liability insurance is designed to protect an organisation from data breaches or malicious cyber attacks on its work computer systems.

Cyber insurance should be factored in once you have conducted your cyber risk assessment and your continuity planning, as it is the only way the organisation can expect to survive financially in the event a cyber attack occurs.

Cyber liability insurance can cover the following:

  • First party cover - The organisation is the first party, so this covers you. It should cover your losses resulting from a cyber attack, such as cleanup from malware or costs incurred in responding to the attack. Some insurance companies may also pay ransomware ransoms, as well as for the loss of business during any cleanup or downtime.
  • Third party cover – This relates to loss or damage to others who claim your business is liable to them for damage they suffered as a result of you having suffered a cyber attack. This may relate to your sub-processors that flow up or down the supply chain.

Obtaining cyber insurance is a sensible move, especially in today's digital age. As technology advances and we process more data, the risk of a cyber breach increases. It can certainly protect your business, and it can even assist in a PR campaign, following any reputational damage. However, while cyber liability insurance can help recover costs, it doesn’t shield your organisation from the legal consequences of a cyber attack, which must be managed through proactive compliance and contractual safeguards.

Reducing legal risk after a breach

  • Conduct a cyber security risk assessment and update regularly.
  • Ensure your business continuity plan is updated regularly.
  • Obtain relevant cyber liability insurance.
  • Ensure your data is backed up.
  • Provide regular, tailored training, including the implementation of strong passwords and encryption of data.
  • Conduct regular software updates.
  • Ensure the devices have endpoint protection (anti-virus).
  • Use a virtual private network (VPN) if connecting to open networks.
  • Use multi-factor authentication where possible.
  • Have adequate 'bring your own device' (BYOD) procedures in place.

Expert help to manage cyber fallout

The legal consequences of a cyber attack can be far-reaching, from fines and contract disputes to reputational damage and operational disruption. Understanding your obligations and putting adequate protections in place is critical to minimising exposure. It’s not just about legal advice: frameworks like Cyber Essentials can also play a vital role in strengthening your organisation’s overall security posture and demonstrating accountability. Our experienced data protection solicitors can work with you to review your risk, develop breach response plans, implement compliant policies, and align your security strategy with both regulatory and commercial priorities.


What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no-obligation to instruct us. We aim to respond to all messages received within 24 hours.

Your data will only be used by Harper James. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.
