The AI-enabled threat landscape: real world lessons from lawyers, PR and cybersecurity experts

In collaboration with Sodali & Co and LevelBlue, we have produced a new report offering vital insights into AI-driven cybercrime. Designed for non-technical executives and board members, it highlights key threats, practical talking points, and actionable steps to support discussions with risk, legal, and cyber security teams.

AI is transforming the cyber threat landscape, enabling faster, cheaper and more personalised attacks while lowering the entry barrier for malicious actors. These risks pose significant financial, operational and reputational challenges for businesses.

Safeguarding your business in the wake of the ChatGPT share breach

In today’s fast-paced digital landscape, businesses are increasingly leveraging Artificial Intelligence (AI) tools such as OpenAI’s ChatGPT to streamline operations.

However, recent developments surrounding the now-discontinued “share” feature of ChatGPT should serve as a critical reminder of the importance of robust data governance and proactive measures to safeguard sensitive information, such as personal data and confidential business information.

What happened?

OpenAI recently faced scrutiny after its “share” feature in ChatGPT appeared to inadvertently expose private conversations to public search engines such as Google. While the feature allowed users to share chat links, discrepancies in the user interface and terms across platforms (e.g., Web, iOS, Android) led to confusion over whether shared chats were private or publicly discoverable. OpenAI has since removed the feature, describing it as a “short-lived experiment”, and has requested the removal of indexed links from search engines. However, researchers have alleged that over 100,000 conversations, many containing personal data, were archived and remain accessible in some instances.

At the time of writing, it is also reported that chats from X.com’s “Grok” platform have been exposed online, highlighting a common risk within the industry.

Why it matters to your business

This issue underscores the risks associated with using AI tools and highlights potential vulnerabilities that could expose sensitive company or client data. For businesses, the key takeaways are:

  • Personal data: Conversations shared through AI platforms may include personal data about your employees, customers or clients. There are several data protection compliance issues that must be considered prior to sharing personal data with AI platforms, from meeting transparency requirements via privacy policies to carrying out supplier due diligence on your data processing agreements with AI platforms.
  • Confidential information: As with personal data, conversations shared through AI platforms may concern your internal strategy or intellectual property. Once shared outside of your business, such information can be challenging to remove entirely.
  • Reputational damage: Data leaks can severely impact your brand’s reputation, erode client trust, and lead to loss of business.
  • Regulatory implications: Mishandling of sensitive data could result in non-compliance with data protection laws such as the UK GDPR, leading to fines and legal challenges. Such fines can be up to £17.5m or 4% of your annual turnover (whichever is the greater).
  • Legal claims: Clients or other individuals whose data is exposed may bring legal claims for breach of contract, breach of confidence, privacy or their data protection rights, and complain to the data protection regulator. Some larger data breaches have also attracted attempts to start ‘class-action’ claims.

What should you do?

If your organisation uses AI tools such as OpenAI’s ChatGPT, now is the time to review and strengthen your policies and practices. Below are some actionable steps to consider:

1. Implement an AI usage policy

If you haven’t already, establish a clear AI usage policy within your organisation. This should cover:

  • Approved AI tools and platforms
  • Guidelines on the type of information that can be inputted into AI systems
  • Specific processes for sharing data generated by AI tools

2. Train employees

Educate employees on the risks of using AI tools and ensure they understand how to use these platforms responsibly. Emphasise the importance of not entering personal data or confidential data into AI systems.

3. Conduct data audits

Review your organisation’s use of AI tools to identify any potential exposure of data. If you suspect that data may have been shared via ChatGPT’s “share” feature, investigate whether these links have been indexed and take immediate steps to request their removal.

4. Monitor evolving AI risks

AI technology evolves rapidly, and so do its associated risks. Stay updated on developments in the AI space, including how tools such as ChatGPT handle data and privacy.

5. Seek legal support

If your business is impacted by the ChatGPT share breach or similar issues, legal advice can help you assess your exposure, address potential liabilities, and implement stronger safeguards.

How we can help

We understand the complex intersection of technology, data, and the law. Our team of experts can assist you with:

  • Drafting and implementing AI usage policies tailored to your business
  • Conducting data audits to assess your organisation’s risk exposure
  • Advising on regulatory compliance and potential liabilities
  • Supporting you with incident response and remediation in the event of a data breach, regulatory involvement, and legal claims

If you have any questions about how the OpenAI ChatGPT share breach might affect your business or need assistance in implementing preventative measures, please don’t hesitate to contact one of our specialists.

New measures announced to tackle ransomware attacks: what does this mean for businesses?

On 22 July, the UK government unveiled a set of measures designed to curb ransomware attacks and protect critical public and private sector services. Following public consultation, these steps aim to dismantle the business model of cyber criminals while fortifying national resilience against cyber threats.

Ransomware, a form of malicious software, is used by cyber criminals to encrypt victims’ systems or steal data, only unlocking access upon payment of a ransom. This cybercrime costs the UK economy millions of pounds annually, with recent high-profile attacks demonstrating risks ranging from operational disruption to life-threatening consequences.

Key Proposals

  1. Targeted ban on ransomware payments: aimed at public sector bodies, including local government and critical national infrastructure (CNI) operators, this ban intends to eliminate the financial motivation for ransomware attacks on essential services. Nearly 72% of respondents supported this targeted ban, with many agreeing it would reduce funds flowing to criminals and dissuade attacks. However, concerns about implementation, the need for clear guidance, and potential exemptions for life-threatening scenarios were raised.
  2. Ransomware payment prevention regime: this regime would require victims to report their intent to pay ransoms, allowing the Government to assess and potentially block payments to sanctioned groups. Feedback was mixed, with 47% supporting an economy-wide approach, but concerns were highlighted around thresholds creating loopholes for attackers. Respondents also stressed the importance of guidance and support for compliance, particularly for small businesses.
  3. Mandatory incident reporting regime: this proposal mandates victims to report ransomware incidents within 72 hours, followed by a detailed report within 28 days. It received strong backing, with 63% agreeing to an economy-wide mandatory reporting system. Respondents noted that such a regime would strengthen intelligence gathering and law enforcement’s ability to address ransomware threats. However, concerns were raised about reporting burdens on individuals and smaller organisations.

Next Steps

The Government is proceeding with developing these measures, taking into account the feedback received. Key actions include:

  • Publishing detailed guidance to clarify the scope and implementation of the proposals
  • Exploring proportional penalties and tailored compliance measures for organisations of different sizes and sectors
  • Strengthening victim support services, including expert guidance, operational updates, and intelligence sharing
  • Maintaining the proposed 72-hour reporting window for initial incident notifications

Read more about the Government’s position here and the outcome of the consultation here. If you would like more information, please feel free to reach out to one of our dedicated cyber security lawyers. If you would like to keep up to date on the latest in data protection, please subscribe to our quarterly newsletter, The Data Download, and watch our recent webinar here.

Cyber attacks on UK retailers: Michael Yates’ comments featured in the Financial Times

“Hacking a well-known retail brand generates leverage…because the victim will want to avoid brand reputational damage at all costs to stop eroding customer trust.”

Michael Yates’ comments on the recent cyber attack on Marks and Spencer, which is still causing havoc for shoppers of the popular retail brand a fortnight on, have been featured in the Financial Times.

Now that two other major household names have also been targeted and a police investigation has been launched, the article discusses why hackers decide to target such trusted brands.

The full article is available here to those with a subscription.

Harbottle & Lewis strengthens client offering with new partner hires

Harbottle & Lewis today announced two lateral partner hires to strengthen its client offering. Private client disputes partner Charles Lloyd and reputation management partner Michael Yates will both join the firm in April 2025.

Charles Lloyd arrives at Harbottle & Lewis from Macfarlanes where he has held a leading position within his field for over 30 years, specialising in private client disputes, particularly international trusts and estates litigation. Charles’s client base includes high net worth individuals engaged in complex family and succession-related disputes, often involving multi-jurisdictional offshore trust and corporate structures. Charles’s eminent reputation and extensive experience will enable the firm to build on its leading private client practice with a specific focus on enhancing the contentious work that it does in this space.

Charles commented:

“I am really looking forward to joining Harbottle & Lewis and what is already a strong and highly reputed private client practice. This move provides a great opportunity for me to help build on the firm’s existing expertise and will enable me to contribute towards creating a leading private client disputes practice.”

Michael Yates joins Harbottle & Lewis from international law firm Taylor Wessing. As an information litigator, Michael advises high net worth and high-profile individuals and companies on reputation management, privacy protection, confidentiality, cyber response and media and information law disputes. His expertise aligns perfectly with Harbottle & Lewis’s renowned proficiency in the media, entertainment, technology and private wealth sectors. Michael’s significant focus on cyber response dovetails with the firm’s strategic emphasis on technology, and he will work alongside the firm’s technology and data lawyers to further develop its services in this area.

Michael said:

“I’m delighted to be joining the firm’s market leading media and information group and am very excited to soon be working alongside the firm’s fantastic media, tech, data and cyber experts. I look forward to working with clients to help them navigate what is an ever more hostile and complex media and information landscape, protecting them from threats to their reputation, privacy and information and mitigating the increasing risk of cyber attacks. There is no better place to do this work.”

This strategic expansion underscores Harbottle & Lewis’s commitment to bolstering its highly-regarded private client practice and enhancing its offering to high net worth and often high-profile individuals, as well as expanding and deepening its offering to companies. The addition of Charles and Michael to the partnership demonstrates the firm’s ambition to grow and to provide clients with unparalleled expertise across a spectrum of legal services.

Tony Littner, co-managing partner at Harbottle & Lewis, commented:

“The addition of two such high quality lawyers to our partnership supports the strategic growth of our firm. Focusing deliberately on extending our offering to both our private client and corporate client base, Charles and Michael are perfectly placed to complement our existing practice groups and contribute significantly to our continued growth and success.”

For further information, please contact:

Alex Molyneux, Communications & Marketing Manager