Organisations could face new security requirements under ‘cyber duty to protect’ plans?

Government call for information suggests new security requirements could be introduced to protect online accounts and user data from hackers

Last year saw a 159% increase in unauthorised access to personal information (including hacking) and an 89% rise in computer misuse offences overall. In response to this rising threat, the UK Government has issued a call for information, seeking views on “potential” government intervention. 

In its ministerial foreword (now former) Home Secretary Priti Patel explains that “[t]his work will explore measures to reduce the burden on citizens for cyber security, including the application by organisations of secure-by-default principles to protect user accounts and information. It will also examine whether to supplement requirements in data protection legislation to ensure that providers of online services and accounts, as well as processors and holders of UK citizens’ personal data, exercise an appropriate and proportionate degree of responsibility for the protection required of the data and access to it.”

The call for information is the first stage in the Government’s public consultation on its ‘Cyber Duty to Protect’ programme (a working title). The programme aims to reduce the burden of cyber security on citizens and reduce harms to citizens from unauthorised access and associated harms.

What does the call for information cover and who should respond?

The UK Government is seeking the views of organisations, businesses and individuals on:

• The risks associated with unauthorised access to UK citizens’ online accounts and personal data.
• Actions that are currently taken to address the problem.
• Actions that should be taken to address the problem and where responsibilities for taking that action should lie.

In particular it is looking for respondents with views on how government intervention could help reduce the cyber burden facing citizens and encourage organisations to do more to protect users’ accounts and personal data. It also welcomes responses from businesses and industry regarding how they could be helped to better understand the risks they, and their customers, face and how to mitigate them. Finally the call asks for views on what measures could be introduced to mitigate these threats and reduce the burden on user’s regarding login security.

Follow on security proposals?

Following this call for information, the Government has said that it will work with service providers and other key stakeholders to develop proposals for appropriate security measures which providers of online services and accounts and organisations processing personal data could implement. The aim of these will be to ensure users’ accounts and their personal data are better protected against attack. The proposals will also look at provisions to ensure compliance with those measures.

According to the Government, this would mean ‘exploring supplementing the current approach to the protection of data, under the Data Protection Act and GDPR, with a greater understanding and consideration of the risk to individuals of the compromise of their data held by organisations.’ What this would look like in practice remains to be seen, although the Government recognises that any new proposals should complement existing obligations. It also acknowledges that certain steps are already being taken to try and resolve some of the issues associated with this. For example, the Product Security and Telecommunications Infrastructure Bill, currently before Parliament, is seeking to tighten up password security.

Next steps

The call for information is open until 27 October 2022. If you would like to help shape the Government’s response in this space, you can complete a survey or submit a written response. There will then be another chance to comment as the follow-on proposals will be subject to a call for views.