For companies operating in the UK logistics sector, understanding the complex web of laws and regulations, whilst also effectively managing business operations in the face of those who wish to cause disruption, is crucial. Non-compliance can result in significant fines, legal action, and damage to reputation. Similarly, understanding which legal and practical steps can be taken both before and in response to certain issues is key to mitigating risks, managing costs, and maintaining strong commercial relationships.
In this article we look at three challenges which operators increasingly face:
- cyber-attacks;
- data subject access requests; and
- dealing with protestors and trespassers.
Cyber-attacks
Logistics companies are prime targets for cyber-attacks, due to their reliance on technology and digital systems, and their dependence on third party supply chains. Cyber-attacks can disrupt operations, cause financial loss, damage a company's reputation and also lead to legal claims by affected individuals (even if the attack is made against a third party).
The Government recently unveiled plans for a new Cyber Security and Resilience Bill, which will be introduced in 2025. The Bill is set to update the existing regulatory framework by:
- expanding the remit of the existing regulations to protect more digital services and supply chains;
- putting regulators on a strong footing to ensure essential cyber safety measures are being implemented; and
- increasing the scope of mandatory incident reporting.
Whilst these suggestions will hopefully provide a greater degree of protection, we anticipate that the increased scope of "mandatory incident reporting" will place stricter statutory obligations on companies in dealing with cyber-attacks, therefore potentially increasing the already burdensome regulatory requirements in place.
In the meantime, key recommended steps from the National Cyber Security Centre which can assist with mitigating risks of cyber-attacks include:
- Spread awareness – ensure all employees are aware of the cybersecurity risks that logistics companies in particular are facing, and that they receive regular training on identifying a scam and on your business's internal incident response plan.
- Reduce your digital footprint – cyber-attackers use publicly available information about your organisation and employees to make their phishing messages more convincing. For this reason, it is important to limit information shared online by employees and suppliers.
- Improve cybersecurity systems – this can include using an administrator account and employing two-factor authentication on important accounts, such as email, to improve overall cybersecurity.
- Identify scam e-mails – watch out for scam e-mails, which usually contain the following features: (1) the sender appears to be a person of authority; (2) they give a limited time to respond; (3) they use emotive language; and (4) the e-mail refers to a current event to make the scam seem relevant to you.
Data Subject Access Requests (DSARs)
We are seeing an increased number of DSARs being made against companies. Responding to a DSAR in the proper manner presents a number of particular challenges, including:
- the volume and complexity of the data (which might include customer data, shipment and tracking details, and employee files);
- personal data being processed across various systems; and
- personal data being shared with and/or processed by third parties.
Care also needs to be taken to avoid including third party personal data without consent, and to redact any information which does not relate to the DSAR requester.
Despite these challenges, it is important that DSARs are responded to quickly and efficiently. Although it is sometimes possible to reject manifestly unfounded or excessive DSARs, or to rely upon the exemptions provided by the UK GDPR and Data Protection Act 2018 to refuse access to the personal data, failure to adequately respond to legitimate DSARs can lead to enforcement action and fines from the ICO, and/or legal action by the DSAR requester.
Our recommended steps regarding DSARs include:
- having clear data and DSAR policies, processes and systems in place, including:
  - data retention and privacy policies;
  - where and how data is being processed; and
  - a designated person/team with responsibility for DSARs;
- using AI tools to assist with high volume DSARs;
- assessing at an early stage whether it is reasonable to ask the DSAR requester to clarify the scope of their request, and/or to ask for an extension of time to respond; and
- keeping a clear audit trail of any decisions made throughout the DSAR process, so that this can be explained to the ICO should the need arise.
Protestors and trespassers
Protestors and trespassers have also been very active over recent months, and there have been a number of High Court injunctions granted against 'persons unknown'. These are typically granted to protect against unlawful protesting and trespassing and to stop the disruption of business operations.
In addition, the English courts have recently been developing a further type of injunction, known as 'newcomer injunctions'. These go further than persons unknown injunctions, and are designed to include anyone else in the future who falls within the description of 'persons unknown', including those who cannot be identified in advance (i.e., 'newcomers').
As with injunctions against persons unknown, newcomer injunctions are growing in significance and their availability is becoming a very important issue in many contexts, including industrial picketing, environmental and other protests, breaches of confidence, breaches of intellectual property rights, and a wide variety of unlawful activities related to social media. Swift action is needed in the case of any unlawful threats, but in appropriate cases the courts are willing to grant orders to deal with the future behaviour of individuals who cannot be identified in advance. Recent examples include:
- In January 2024, Valero Energy Ltd obtained an injunction against persons unknown to stop unlawful interference with the operations and roads to oil terminals and refineries across the country.
- In July 2024, Gatwick Airport obtained an injunction to prohibit anyone from entering, occupying or remaining on the airport in connection with Just Stop Oil (or other environmental campaign groups) without consent.
- In January 2025, Morrisons obtained an injunction to prohibit persons unknown from entering, occupying or remaining upon any part of Morrisons' distribution centres without consent, and from blocking and/or interfering with the local access roads to the distribution centres in connection with agricultural protests.
Conclusions
Although logistics companies are increasingly facing threats that can cause significant business disruption, the good news is that the legal and regulatory landscape is also evolving to deal with these threats and disruptors.
Whilst dealing with these issues can present very different challenges, the principle of staying up to date with relevant legal/regulatory developments, reviewing and maintaining policies and processes, and adopting a pro-active approach to mitigate potential risks applies universally. Companies which routinely take these steps as best practice are more likely to be resilient to threats, whilst ensuring they remain agile and responsive to the inevitable future changes to the legal and regulatory landscape.