After a busy and action-packed year for the UK's digital landscape, it's time to look ahead to what 2024 has in store. Charlotte Clayson, Partner in our Dispute Resolution and Litigation team, looks at the 5 key issues organisations will need to keep abreast of in the year ahead.
1. For better or for worse, AI is here to stay
The big headline in 2023 was of course Artificial Intelligence, and particularly the way that Generative AI can be deployed in a rapidly changing digital environment. Whilst AI has been around for some time, it grabbed both headlines and the public's imagination with the launch of platforms such as ChatGPT and Google Bard, and led to very vocal concerns around the globe as to what this means for the future.
It will come as no surprise that AI is here to stay. In such a data-driven world, it is only natural that many organisations are already deploying AI tools to assist with data analytics and decision making, to increase automation and to drive efficiencies. However, both early adopters and those new to the market will need to keep abreast of technical, legal and regulatory developments over 2024 to ensure that the technology works for them, remains fit for purpose and that it is being used appropriately.
If AI is used without sufficient safeguards, or without identifying and managing key risks, it can result in significant concerns being raised about ethics, biased decision making, vulnerabilities in the cyber and tech environment, and fraud. Whilst not AI specific, the current legislative and regulatory framework in the UK can lead to significant fines being imposed on those who misuse it. The Information Commissioner's Office, in its role as regulator of the use and misuse of personal data, has warned that 2024 could be the year that people lose trust in AI, and has launched a consultation on the use of AI, particularly models that have been trained on personal data scraped from the web.
The UK's current principles-based approach to regulation is in contrast to many parts of the globe forging ahead with specific legislation around the use of AI. However, the UK's current approach may well be reconsidered as it comes under pressure to draw up a strong and specific regulatory framework to protect innovation and the economy, with the government reportedly now set to publish a series of 'key tests' that would need to be met in order for new AI-specific legislation to be passed.
In the meantime, a Private Members' Bill – the Artificial Intelligence (Regulation) Bill – has been introduced in the House of Lords and looks to set up a new AI Authority and promote the role of a designated AI Officer within certain organisations.
Watch this space as to how this develops in 2024, and whether the government of the day will need to draft specific AI regulations to keep pace with the likes of the EU AI Act and in response to increasing pressure from regulators and the sector alike.
2. Ransomware, ransomware everywhere
Ransomware is increasingly being deployed by cybercriminals to exploit vulnerabilities in systems, infiltrate data sets and pressurise companies to pay a ransom. This type of malware can very effectively lock you out of your systems by encrypting files, with the cybercriminals then demanding a ransom in return for the keys to decrypt the files. Alongside ransom demands for decryption, it is also becoming increasingly common for cybercriminals to threaten to leak data onto the dark web. In a matter of minutes, your entire organisation can be locked out of its systems, up against the threat of personal and confidential data being leaked, faced with demands for an extortionate ransom, and unable to operate even your critical systems.
Ransomware is a huge success story for cybercriminals and is now being commoditised so that it is not just available to those with the technical know-how to create and deploy the malware. It is now more readily available and can be purchased through 'Ransomware as a Service' (RaaS) models, which exist to sell on the ransomware to those looking to enter the world of cyber criminality. These RaaS models are being refined to ensure maximum benefit to those who wish to deploy them, and maximum profit for their creators.
There is a whole world of RaaS out there, with different business models working in different ways, and adapting depending on the nature of the intended target. For example, some RaaS models will have the key aim of attacking and disrupting those businesses that are heavily dependent on their software and IT systems to ensure physical operations continue and where being locked out can stop a business in its tracks – for example those in the manufacturing or logistics arena. Without physical access to their kit, those businesses will flounder and every day of inactivity will make a dent in profit, adding commercial pressure to the decision to pay the ransom. Other RaaS models will be formulated to target organisations where data privacy is paramount, for example in professional services and health, so the target of the attack will not simply be about getting the organisation 'off line' but ensuring that the threat of data leaks is very real.
With the increasing availability and effectiveness of ransomware as an attack vector, we expect the upwards trend of ransomware attacks to continue, with organisations needing to take active steps to protect their systems and educate their staff in order to mitigate against the risks of a successful attack.
3. Online Harm and child safety in the spotlight
We're all aware of the headlines around the use of social media by children, and the need to protect adults and children alike from harm that might be caused by particular types of content.
Until recently, the world of social media did not have its own specific legislation or regulation, and content creators, consumers and platforms alike looked to other established legislation as a guide to understand the limits of what can and should be done. However, the Online Safety Act became law at the end of 2023 and we expect final guidance and codes of practice to filter through towards the end of this year.
As a result, we expect children's rights and online safety to become a key theme of 2024, with a range of regulators and service providers taking the spotlight. The new legislation will mark a fundamental change for some platforms in the way that they operate, risk assess, and take down harmful content.
It is anticipated that more than 100,000 online services could be in the scope of the legislation from a diverse range of sectors, including social media, dating, gaming and adult services. Organisations will be using 2024 to fully understand the scope of the legislation and how they fit within it, with Ofcom being given the job of regulating the Online Safety Act, alongside the power to fine a whopping £18 million or 10% of worldwide revenue (whichever is greater) for instances of non-compliance.
Likewise, the ICO, as regulator for personal data, continues to work to do its part to keep children safe online. Following the recent £12.7m fine of TikTok for misusing children's personal data, it has recently updated its guidance on how to ensure that children are not improperly accessing online services. Age assurance is an important part of the Children's Code, and has been updated to take into account recent technological developments, the data protection framework, and following engagement with Ofcom to ensure alignment between the Children's Code and the Online Safety Act 2023.
4. Developing the law through the courts
Litigation is often at the forefront of developing and expanding upon existing laws to deal with changes and developments in the world in which we live. Utilising and interpreting existing legal frameworks to deal with issues that arise from technological developments and clarify the extent of the law must be 'one to watch' for 2024.
We have already seen the law developing quickly to consider issues around cryptocurrency and any duty of care from developers to users, and we have recently seen the High Court give permission for court documents to be served by NFTs in the first case of its kind outside of the United States.
On the AI front, we expect to see more developments both in the UK and elsewhere with Getty Images bringing an action against Stability AI around the use of copyrighted material being used to train AI models, and The New York Times also suing OpenAI and its investor Microsoft for copyright infringement.
We can expect the upward trend of litigation to continue as parties test the limits of the law. Alongside key questions of Intellectual Property and copyright, we can also expect to see questions around 'black box' decision making, the misuse of personal data, bias, discrimination, and the way that introducing new technologies might increase the risk of cyber-attacks.
2024 looks to have all the key ingredients of a bumper crop of interesting litigation.
5. A more proactive approach to cyber resilience
The annual Cyber Security Breaches Survey 2023 and news headlines have shown that whilst cyber-attacks remain a key risk for organisations of any size, the resource put into preparing for and steeling against those attacks has diminished over the last year, particularly for micro businesses and SMEs.
Whilst the economic climate remains tough, with an estimated 2.39 million incidences of cybercrime across UK businesses over the 12 months included in the 2023 report, it is imperative that the trend to ignore cyber resilience does not continue. The risks involved in leaving cyber resilience to chance are simply too high.
With that in mind, we expect to see more Boards getting to grips with cyber security, prioritising this on the risk register and taking proactive steps to understand how to mitigate the risks to business at an organisational level, rather than looking at this only as an information security issue. This is echoed in the recent draft Code of Practice published in collaboration between the Department for Science, Innovation and Technology and the National Cyber Security Centre, which is aimed at helping business leaders to 'bolster their cyber resilience' and to ensure that cyber security issues are put on an equal footing with financial and legal risks.
Cyber resilience is not a 'one size fits all' issue, and cannot be left with one team alone to look after. It requires a whole organisation approach with a number of elements: education of those at all levels of the business, guidance on policies and procedures for dealing with an attack when it happens, technical guidance on taking practical steps to bolster cyber security, and ensuring you have the right internal and external partners on speed dial to turn to when an attack happens.
This year, thinking seriously about cyber resilience and engaging with cyber risk is a must-have, not a nice-to-have, and businesses will be increasingly tailoring cyber risk management to meet their needs and budgets.
If you need assistance with your cyber resilience programme, Trowers has brought together a range of expertise in one place with its recently launched collaboration with CyberQ Group. CyberSecure 360 provides clients with a bespoke and holistic approach to cyber risk management and is tailored to meet your needs. Get in touch with the team to talk about CyberSecure 360 and understand how it can help you.