We have one of the longest-standing privacy and cyber security teams in Europe and have been advising clients since the inception of data protection laws more than 20 years ago.

One of our key assets as a team is our global reach. Linklaters' internal privacy network spans 14 jurisdictions across Europe and Asia, while our wider network of independent privacy specialists covers over 100 countries.

We have frequent contact with the UK Treasury, Home Office and other government departments, the European Commission, as well as data protection regulators at EU and national levels. These relationships mean that should an incident occur, we have the relationships in place to support our clients as required.

Clients benefit from our deep experience of advising on:

Some of the most serious hacking and data breach crises in the last decade.
Effective cyber crisis preparedness - through training, incident response planning, and risk management strategies.
Governance and resilience arrangements - helping clients review and put appropriate governance structures in place.

Crisis Response

The right legal adviser can be pivotal to effectively managing and containing issues like cyber incidents and thinking ahead before a crisis hits: this is as much about prevention as cure.

We have assisted clients with investigations surrounding the circumstances of a hack or serious cyber incident in which our swift intervention and analysis of the facts meant that there was no need to notify either the regulators of their customers. As a result, these instances remain out of the public domain. We worked closely with the client teams to reach a final resolution that didn’t damage their reputation and avoided any form of litigation.

We are also experienced in situations where both regulators and customers have had to be notified of a breach or incident. In these cases, we have provided full support and advice on who to tell about the breach and when. This ensured that information become public knowledge only when absolutely necessary, in a manner that ensured the story was carefully and consistently messaged.

In the event of a potential breach, our team is able to:

act as the core custodian of the facts (typically under legal privilege)
ensure the right information is available to decision makers, including valuable cyber threat intelligence before an incident occurs
ensure an accurate and consistent narrative is provided throughout by PR and communications representatives
support and assist with any internal investigations
advise on securing and recovering data, including by unorthodox means
provide necessary legal advice as to the board and management’s reporting responsibilities with an eye to collateral impacts (for example in updating markets)
liaise with relevant regulators and law enforcement officials across multiple jurisdictions
advise on dealing with potential claims

Prepare and Recover

Our team can also assist with putting in place governance and training to help reduce the impact of cyber incidents by:

advising on effective incident response planning and testing, based on our experience in major incidents
delivering board level scenario training and wider organisational training
assisting with effective vendor risk management including designing procurement and audit processes
advising on wider privacy compliance issues (e.g. GDPR and the NIS Directive, issues arising from Brexit, request under the Freedom of Information Act and Environmental Information Regulations)

Our experience - Examples of our work include advising

a supplier to the NHS

a supplier to the NHS
a global IT provider

a global IT provider
a number of global, U.S.-based financial institutions

a number of global, U.S.-based financial institutions
a German bank

a German bank
an information services company

an information services company

a supplier to the NHS

on one of the largest losses of sensitive personal data in the UK, involving over a million records. As a result of or prompt advice and our client’s quick implementation of mitigations, no regulatory action was taken and the client was not obliged to notify any individual data subjects of the data loss

Close X

a global IT provider

on the unauthorised extraction of personal account details (including log in details, passwords and burglar alarm codes) of tens of thousands individuals by a disgruntled employee with previously undiscovered Islamic extremist sympathies. The details extracted included those of close family members of three heads of state, less than two weeks prior to a major inter-governmental conference. Our support involved close liaison with law enforcement and specialist agencies in three European states and resolution of a significant related commercial dispute

Close X

a number of global, U.S.-based financial institutions

on their notification strategies with data protection authorities in relation to the loss of back-up tapes being transported by subcontractors to long-term storage, some involving many millions of UK customer details

Close X

a German bank

before the competent data protection supervisory authority regarding an alleged large-scale unauthorised data loss

Close X

an information service company

on the loss of millions of sets of personal data due to a hacker attack and preparing the defence before the competent data protection supervisory authorities

Close X

Useful guides

Global crisis prevention and crisis management

High profile cyber security incidents are being reported in the press more and more often. Clients benefit from our experience, over many years, of advising on some of the most serious hacking and data breach crises in the last decade.

Find out more

Cyber security webinar presentation

A webinar presentation on ‘How to manage a cyber crisis’ and mitigating your risk exposure.

Find out more

Cyber security: The WannaCry Attack summary

The WannaCry attack provides a stark example of the damage that can be caused by a cyber-attack and provides a wakeup call for all companies of the need to protect against these attacks. We explain the background to the WannaCry attack, steps you should take when managing a cyber-crisis and the governance measures needed to avoid such a crisis developing in the first place.

Find out more

Our guide to the GDPR: Fully updated

Our GDPR survival guide to reflect the latest guidance from the European Data Protection Board and the status of national implementing law.

Find out more

Cyber Security: Global status and trends

Explore our report on the latest cyber security trends across the globe, and what to look out for in 2019.

Find out more

Insights

The ongoing battle over the right to be forgotten

21^st January 2019 //

A search on someone’s name in Google reveals a great deal about them. This might include where they work or went to school, as well as more private information such as their religion, sex life, or criminal convictions.

Find out more

Cyber risk should be a global key risk for banks – not just an IT issue – warns UK’s Financial Conduct Authority

17^th December 2018 //

Financial services firms need to do more to proactively address cyber risk. Find out more about the FCA’s cyber security recommendations for asset management and wholesale banking.

Find out more

UK - Data breach round up: Liability in an indeterminate amount to an indeterminate class?

29^th October 2018 //

This year has brought sweeping changes to the way businesses must respond to data breaches. There are new obligations to notify regulators of data breaches and significant decisions on liability in the Morrisons and Lloyds judgments.

Find out more

EU – The implementation of the “Cyber Security” Directive

27^th September 2018 //

In July 2016, the EU adopted the so-called “Cyber Security” Directive. Digital service providers and companies that operate essential services must protect their information technology systems and notify security incidents to the appropriate regulator.

Find out more