Cyber Incidents: the battleground moves to governance


As explored in our recent article, "When Is Personal Data 'Personal'? Key Court of Appeal Ruling on Controller Security Duties" (Burges Salmon), the Court of Appeal has confirmed that a controller's data security obligations are assessed firmly from the controller's perspective, not by reference to what an attacker could or could not do with compromised data.

What does this mean in practice?

From a dispute resolution standpoint, the decision has clear consequences for organisations facing post‑incident ICO enforcement and follow‑on civil claims. Arguments that compromised data was not "personal" in an attacker's hands are now unlikely to provide a viable defence and, more generally, a strategy that attempts to resist liability through narrow, technical arguments will meet with difficulty.

Organisations should therefore expect to gain limited traction from attempts to downplay incidents on the basis that data was incomplete, pseudonymised or incapable of immediate identification. While those factors may still be relevant to questions of harm, proportionality or penalty, they are unlikely to undermine the existence or scope of the underlying security obligation itself.

Where disputes will be fought

The focus is likely to shift firmly to what happened before the incident. For organisations facing parallel regulatory enforcement and civil claims, scrutiny will centre on the adequacy of pre‑incident security governance. This will include the quality of cyber risk assessments, the rationale for technical and organisational measures adopted (or not adopted), and the extent to which cyber risk was understood, escalated and actively managed at senior and board level.

In that context, contemporaneous and well‑documented evidence of proportionate decision‑making will be critical. Organisations able to demonstrate a structured approach to cyber risk, including regular risk reviews, informed trade‑offs between cost and security, and meaningful board‑level engagement, will be better placed to manage both regulatory outcomes and litigation risk. Conversely, gaps in governance, informal decision‑making or weak audit trails are likely to be exposed and relied upon by regulators and claimants alike following a cyber incident.

Three takeaways for organisations:

  • Technical defences are narrowing – arguments that compromised data was not “personal data” in an attacker’s hands are unlikely, on their own, to defeat liability.
  • Governance is under the spotlight – pre‑incident risk assessment, escalation routes and board‑level oversight will be closely scrutinised.
  • Evidence is critical – contemporaneous records showing how security decisions were taken, assessed and documented will be key to defending claims.

At Burges Salmon, we regularly advise organisations responding to cyber incidents. For further discussion, please contact Matthew Kaltsas-Walker, Amy Khodabandehloo, or Alice Gillie.
