Our focus is you

Cyber security should be taken seriously by every business. Cyber security threats affect almost every element of your business.

We:

  • Help you put in place the strategy and processes required to tackle head-on the threats posed by cyber security breaches and attacks
  • Advise on your legal responsibilities and potential liabilities
  • Reduce the possibility for regulatory fines and reputational and other damage to your business by training your staff and ensuring any attack is dealt with swiftly and appropriately
  • Help you recover any financial damage where possible

The law in this area develops quickly – a necessary response to the fast pace of technological development. We are legal experts, providing the most up-to-date, practical regulatory advice to businesses across all sectors here in the UK and internationally.

Our work includes:

  • Advising on hosting agreements – including advice on service levels and liability for security breaches
  • Development of internal policies and procedures for system security
  • Provision of data protection and cyber security training for staff
  • Advice on how to prevent cyber attacks
  • Urgent data breach response advice
  • Assistance with breach investigations
  • Advice on cyber security provisions in external contracts and in agreements with consultants and external stakeholders
  • UK GDPR and related legislation compliance advice
  • Investigating attacks and identifying attackers – we take all action necessary through the courts to protect your business and employees, recovering compensation where available
  • Engaging with ISPs to ensure content is removed where appropriate, obtaining injunctions and disclosure orders where necessary

We can also assist whatever the nature of the risk you face, be it hacking, identity fraud, denial of service attacks, harassment by electronic means or phishing.

Your key questions answered

What policies and contracts does my business need for a strong cyber security strategy?

As cyber threats continue to proliferate, having a tailored cyber security strategy in place is now a commercial priority. At DMH Stallard we help businesses devise commercial strategies and security policies that help minimise the risks to the business. This can be a long-term process, including educating and training staff so that there is a high level of awareness across the business about the risk of cyber threats. It also involves advising on how a business interacts with its customers and clients and what it should do when entering into binding commercial agreements with third parties.

A key part of any cyber security strategy will be a cyber or information security policy that embeds cyber security best practice across your organisation. All employees must adhere to the policy and proactively act in accordance with its requirements.

The goal of any effective cyber security strategy is to reduce the risk that your business will be attacked in the first place. It’s also to ensure that if an attack does occur you have the tools available to deal with it in a way that minimises the financial and reputational impact.

Will cyber security measures help our business comply with data protection laws like UK GDPR?

Yes. In many respects the implementation of cyber security measures is the technical way you ensure compliance with the UK GDPR regime. At DMH Stallard we work with clients to ensure their cyber security and data protection systems work in tandem with GDPR requirements. We’ll also ensure your approach is a proportionate response to potential cyber attacks and to your organisation’s specific obligations under UK GDPR.

Remember not all GDPR regulations will apply to your business. Do you actually handle personal information for example? We can assist with conducting internal audits to establish your GDPR obligations and identify potential cyber threats. We can then advise on and draft policies and procedures to implement appropriate cyber and data protection policies.

We are in dispute with our hosting provider, who is not providing services in accordance with agreed security standards and levels. What can we do?

In the absence of an effective hosting agreement, it’s sometimes complicated to establish the liability of hosting providers, whether the hosting is provided on shared or dedicated servers or is carried out under a co-location contract. Difficulties arise when there are security breaches or unacceptably low service levels. Often it will come down to the terms of the relevant hosting agreement and what the business agreed to under those terms. In our experience these will often limit the host’s liability in line with its standard terms and conditions, and therefore we would need to work with you to see what protection there may be under the agreement terms and, if there is little or none, how else we could assist you to improve your position.

We can advise you on:

  • Any proposed hosting agreement for your business, assessing whether the provisions being offered are adequate for your business and what is in place relating to the service levels and data protection obligations
  • Liability for security breaches including hosting of indecent or defamatory content or material which infringes a third party’s intellectual property. It’s crucial to include provisions that deal with the host’s liability in circumstances where your site security is breached because the host’s cyber security is insufficiently robust

Our dispute resolution solicitors can provide you with guidance on the most effective way to deal with a dispute to minimise any economic or reputational damage to your business, including advice on the various methods of alternative dispute resolution (ADR).

Our IT provider has informed us that they have suffered a data breach, which may affect users at our business and potentially make personal data held on the system vulnerable. What action can we take and what should we tell our customers about the data breach?

Cyber attacks and data breaches are now a major concern for businesses. If not handled correctly the economic and reputational damage to an organisation can be significant. There is also the risk of substantial regulatory fines. When you do suffer a data breach you should be able to rely on the protocols you have in place to respond appropriately. A large part of our cyber and data security work involves helping businesses lay the groundwork for a data breach response. There are a number of things to consider in the event of a breach:

  • First, make your response measured and proportionate. Data breaches are not uncommon. Government statistics covering 2023 indicate that 32% of small businesses, 59% of medium businesses and 69% of large businesses experienced breaches or attacks in the preceding 12 months. This can come at a huge cost and cause major disruption to the business.
  • Not every breach will result in formal action being taken against you by the Information Commissioner’s Office (ICO), and not every breach has to be reported to the ICO. You only have to notify the ICO of a breach if it is likely to result in a risk to the rights and freedoms of individuals. So, a lot of the actions you take when you become aware of a breach are concerned with assessing the risk the breach poses to individuals, managing that risk and deciding whether you need to report the breach or not.
  • Under UK GDPR rules if the breach is one that is reportable you must report it to the ICO within 72 hours. You should immediately start to gather information about the breach, recording what happened, who was involved and what actions you’ve taken.
  • Try to minimise the impact of the breach. Can you recover the data? Can systems be shut down or access limited? What steps can you take to protect individuals who will be affected by the data breach?

Assess the risk of harm to those affected, bearing in mind issues such as safeguarding, identity theft and personal distress that may be caused by the leaking of personal data. Remember a data breach might carry a low level of risk, but some breaches may carry a very high risk to individuals. Where there is a higher level of risk you should proactively inform individuals of what’s happened and provide information to those individuals about the steps they can take to protect themselves.

Reacting to a breach in the correct way is crucial. We can offer advice where necessary to ensure you meet your obligations under UK GDPR, liaise with the ICO on your behalf and take the necessary steps to inform those individuals who have been affected.

Tim Ashdown

Recent work

Legal advice relating to a ransomware attack

Advising client whose supplier was subject to a ransomware attack. We act for a client in relation to the provision of IT Services from a supplier, who was subject to a ransomware attack leading to repercussions for our client. We are advising our client on their rights and potential claim to damages.

Advising retail solutions provider on cyber and data protection issues

Advising client on structure of framework contracts, master services arrangements and IT solutions, including data protection structure and processing provisions. Advising on international data transfers agreements, use of SCCs/International Data Transfer Agreement and Transfer Risk Assessment for adhering to technical and organisational and other data security measures.

Legal support to airline technical solutions provider

Advising on provision of SaaS service and data processing arrangements, including cross-border data transfer arrangements for airlines in different jurisdictions, international data transfer contracts and risk assessments, data security considerations and linking to cyber security insurance. Advising and drafting a Data Breach Policy and Data Retention and Deletion Policy (internal and external versions), to support GDPR compliance obligations.

Advising IT platform development and infrastructure provider

Advising on data protection matters, regulatory compliance and drafting suite of data protection documents including general Privacy Policy, Cookies Policy, Data Handling Policy, Employee Data Protection Policy, Data Protection Impact Assessments, Legitimate Interests Assessments, Subject Access Request Process, intra-company Data Sharing Agreements (including international data transfer provisions) and Data Retention Policy.

Web shop terms and data processing

Advising a plumbing fixtures manufacturer on an agreement with an Instagram influencer and their web shop terms, as well as the provision of advice relating to data processing.
