References
- Allodi, Luca, and Fabio Massacci. 2014. “Comparing Vulnerability Severity and Exploits Using Case-Control Studies.” ACM Transactions on Information and System Security, 17. ACM. https://doi.org/10.1145/2630069.
- Allodi, Luca, Fabio Massacci, and Julian Williams. 2021. “The Work-Averse Cyberattacker Model: Theory and Evidence from Two Million Attack Signatures.” Risk Analysis. https://doi.org/10.1111/risa.13732.
- Baines, Jacob. 2023. “Assessing Potential Exploitation of Grafana’s CVE-2021-43789 for Initial Access.” 21 February. https://vulncheck.com/blog/grafana-cve-2021-43798.
- Brazilian Government. 2018. Lei Geral de Proteção de Dados Pessoais, Article 46. https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm.
- Bussani, M., ed. 2011. Pure Economic Loss in Europe. Cambridge: Cambridge University Press.
- California Code Civil Code. 2018. “Civ Division 3 - Obligations Part 4 - Obligations Arising from Particular Transactions Title 1.81.5.” California Consumer Privacy Act of 2018 Section 1798.100. (2018). https://law.justia.com/codes/california/2018/code-civ/division-3/part-4/title-1.81.5/section-1798.100/.
- China Briefing. 2021. “RC Personal Information Protection Law (Final): A Full Translation”. 24 August. https://www.china-briefing.com/news/the-prc-personal-information-protection-law-final-a-full-translation/.
- CISA. 2016. “SSL 3.0 Protocol Vulnerability and POODLE Attack.” 30 September. https://www.cisa.gov/news-events/alerts/2014/10/17/ssl-30-protocol-vulnerability-and-poodle-attack.
- CISA. 2019. BOD 19-02: Vulnerability Remediation Requirements for Internet-Accessible Systems. https://www.cisa.gov/news-events/directives/bod-19-02-vulnerability-remediation-requirements-internet-accessible-systems.
- CISA. 2021a. BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities.
- CISA. 2021b. “CISA Releases Directive on Reducing the Significant Risk of Known Exploited Vulnerabilities.” 3 November. https://www.cisa.gov/news-events/news/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities.
- CISA. 2022. “Known Exploited Vulnerabilities Catalog.” https://www.cisa.gov/known-exploited-vulnerabilities-catalog.
- Coatanroch, et al. 2022. “New Technologies and New Digital Solutions for Improved Safety of Products on the Internal Market.” European Parliament, 30 June. https://www.europarl.europa.eu/thinktank/en/document/IPOL_STU(2022)703348.
- Common Vulnerability Scoring System Version 3.1: User Guide. n.d. https://www.first.org/cvss/user-guide.
- Condon, Caitlin, Jake Baines, Spencer McIntyre, and Brendan Watters. 2021. “Rapid7 2021 Vulnerability Intelligence Report.” Rapid7. https://information.rapid7.com/rs/411-NAK-970/images/Rapid7%202021%20Vulnerability%20Intelligence%20Report.pdf.
- Council of Europe. 1981. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. https://rm.coe.int/1680078b37.
- CVE. 2023. “CVE Metrics.” https://www.cve.org/About/Metrics.
- CVE. n.d. “CVE® Program Mission.” https://www.cve.org/.
- Cyber Safety Review Board. 2023. “Review of the December 2021 Log4j Event.” 11 June. https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf.
- Cyentia Institute, Kenna Security. n.d.a.. “Prioritization to Prediction Volume 2: Measuring and Minimizing Exploitability.” Prioritization to Prediction. https://library.cyentia.com/report/report_002992.html.
- Cyentia Institute, Kenna Security. n.d.b. “Prioritization to Prediction Volume 8: Measuring and Minimizing Exploitability.” Prioritization to Prediction. https://library.cyentia.com/report/report_008756.html.
- DSG Retail Limited v Information Commissioner. 2022. (UK First Tier Tribunal 5 July).
- ENISA. 2009. “Cloud Computing Risk Assessment.” 20 November. https://www.enisa.europa.eu/publications/cloud-computing-risk-assessment.
- ENISA. n.d. “Vulnerabilities and Exploits”. Accessed 4 November 2022. https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/vulnerabilities-and-exploits.
- EPSS Model Motivation. n.d. https://www.first.org/epss/model.
- European Commission. 2022. “Product Liability Directive - Adapting Liability Rules to the Digital Age, Circular Economy and Global Value Chains.” 11 December. https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12979-Product-Liability-Directive-Adapting-liability-rules-to-the-digital-age-circular-economy-and-global-value-chains_en.
- European Data Protection Board. 2021. “Guidelines 01/2021 on Examples Regarding Personal Data Breach Notification.” January. https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012021-examples-regarding-personal-data-breach_en.
- European Parliament. 2022. “Cyber Resilience Act - Impact Assessment.” 15 September. https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act-impact-assessment.
- European Union. 1985. Directive 85/374/EEC - Product liability for defective products, § Art 1. https://osha.europa.eu/en/legislation/directives/council-directive-85-374-eec#:~:text=of%2025%20July%201985%20on,concerning%20liability%20for%20defective%20products.&text=The%20Directive%20establishes%20the%20principle,a%20defect%20in%20his%20product.
- European Union. 1995. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- European Union. 2001. Directive 2001/95 EC - Product Safety. https://osha.europa.eu/en/legislation/directives/53.
- European Union. 2009. Directive 2009/136/EC of the European Parliament and of the Council. https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:en:PDF.
- European Union. 2014. Directive 2014/53/EU of the European Parliament and of the Council. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014L0053.
- European Union. 2016. “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation)”. https://eur-lex.europa.eu/eli/reg/2016/679/oj.
- European Union. 2017. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (2017). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0745.
- European Union. 2019. Commission Implementing Decision (EU) 2019/417, § Annex 3. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019D0417&from=EN.
- European Union. 2021. Commission Delegated Regulation (EU) 2022/30 of 29 October 2021 supplementing Directive 2014/53/EU of the European Parliament and of the Council with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that Directive (2021). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2022.007.01.0006.01.ENG.
- European Union. 2022a. Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
- European Union. 2022b. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (2022). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554.
- Floresca, Lauri. 2014. “Cyber Insurance 101: The Basics of Cyber Coverage.” Woodruf Sawyer and Company. 19 June. https://conferences.law.stanford.edu/cyberday/wp-content/uploads/sites/10/2016/10/3g_CorpEx-DO-Blog-Cyber101-Lauri-061914-2.pdf.
- Fruhlinger, Josh. 2019. “Zero Days Explained: How Unknown Vulnerabilities Become Gateways for Attackers.” CSO, 12 April. https://www.csoonline.com/article/565704/zero-days-explained-how-unknown-vulnerabilities-become-gateways-for-attackers.html.
- GDPR. 2018. (n 65) Article 5(1)(f)., 65 § Article 5(1)(f).
- GDPR Enforcement Tracker. n.d. https://www.enforcementtracker.com/?insights.
- Graeme Smith & Other Claimants and Talktalk Telecom Group Plc Defendant. n.d.
- Hedley, Steve. 2002. Tort. Butterworths. https://books.google.co.uk/books/about/Tort.html?id=Gyk5AAAACAAJ&redir_esc=y.
- Hessen Datenschutzgesetz. 1970. 7 October. 41 § Part I. https://starweb.hessen.de/cache/GVBL/1970/00041.pdf.
- ICO. 2018a. “MPN: The Carphone Warehouse Limited”. Monetary Penalty Notice. Information Commissioners Office, 8 January. https://ico.org.uk/media/action-weve-taken/mpns/2172972/carphone-warehouse-mpn-20180110.pdf.
- ICO. 2018b. “MPN: Bayswater Medical Centre”. Monetary Penalty Notice. Information Commissioners Office, 21 May. https://ico.org.uk/media/action-weve-taken/mpns/2258897/bayswater-medical-centre-mpn-20180523.pdf.
- ICO. 2020a. “MPN: DSG Retail Limited”. Monetary Penalty Notice. Information Commissioners Office, 7 January. https://ico.org.uk/media/action-weve-taken/mpns/2616891/dsg-mpn-20200107.pdf.
- ICO. 2020b. “MPN: Cathay Pacific Airways Limited”. Monetary Penalty Notice. Information Commissioners Office, 10 February. https://ico.org.uk/media/action-weve-taken/mpns/2617314/cathay-pacific-mpn-20200210.pdf.
- ICO. 2022. “MPN: Tuckers Solicitors LLP”. Monetary Penalty Notice. Information Commissioners Office, 28 February. https://ico.org.uk/media/action-weve-taken/mpns/4019746/tuckers-mpn-20220228.pdf.
- ICO. n.d. “Information Commissioner’s Office: Action We’ve Taken.” https://ico.org.uk/action-weve-taken/enforcement/.
- ICO. n.d. “Information Commissioner’s Office: How We Are Funded.” https://ico.org.uk/about-the-ico/who-we-are/how-we-are-funded/.
- Indian Government. 2022. Digital Personal Data Protection Bill. § c.9(4). https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf.
- Jacobs, Jay, Sasha Romanosky, Benjamin Edwards, Idris Adjerid, and Michael Roytman. 2021. “Exploit Prediction Scoring System (EPSS).” Digital Threats: Research and Practice 2 (3): 1–17. https://doi.org/10.1145/3436242.
- Leverett, Éireann, Andrew Coburn, and Gordon Woo. 2019. Solving Cyber Risk. Hoboken, NJ: Wiley.
- Leverett, Éireann, Art Manion, and Matilda Rhode. n.d. “Vuln4Cast Source Code (Version 1.0.0).” https://github.com/FIRSTdotorg/Vuln4Cast/.
- Leverett, Éireann, Matilda Rhode, and Adam Wedgbury. 2022. “Vulnerability Forecasting: Theory and Practice.” Digital Threats: Research and Practice 3 (4): 1–27. https://doi.org/10.1145/3492328.
- Mari, Angelica. 2023. “Brazil Issues First Fine for Data Protection Breach”. Forbes. 11 July. https://www.forbes.com/sites/angelicamarideoliveira/2023/07/11/brazil-issues-first-fine-for-data-protection-breach/.
- Massachusetts Government. 2022. “Data Breach Notification Letters October 2022.” https://www.mass.gov/lists/data-breach-notification-letters-october-2022.
- Mell, Peter, Karen Scarfone, and Sasha Romanosky. n.d. “A Complete Guide to the Common Vulnerability Scoring System.” https://www.first.org/cvss/v2/guide.
- Miranda, Lucas, Daniel Vieira, Leandro Pfleger de Aguiar, Miguel Angelo Bicudo, Mateus Schulz Nogueira, Matheus Martins, Leonardo Ventura, Lucas Senos, and Enrico Lovat. 2021. “On the Flow of Software Security Advisories.” IEEE Transactions on Network and Service Management 18 (2).
- Miura-Ko, R. A., and N. Bambos. 2007. SecureRank: A Risk-Based Vulnerability Management Scheme for Computing Infrastructures. IEEE Explore. IEEE.
- Muvija, M. 2021. “Grand National Sets Record for UK Online Sports Betting.” Reuters, 12 April.
- NCSC. 2014. “Cyber Essentials Scheme: Overview.” 7 April. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.
- NCSC. 2022. “Cyber Essentials: Requirements for IT Infrastructure”. 1 January. https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-0-January-2022.pdf.
- NCSC. 2023. “Cyber Security Toolkit for Boards.” 30 March. https://www.ncsc.gov.uk/collection/board-toolkit.
- NCSC. n.d. “Coordinated Vulnerability Disclosure; The Guideline.” Accessed 8 July 2022. https://english.ncsc.nl/binaries/ncsc-en/documenten/publications/2019/juni/01/coordinated-vulnerability-disclosure-the-guideline/WEB_Brochure-NCSC_EN.pdf.
- Nigerian Government. 2020. Nigeria Data Protection Regulation 2019: Implementation Framework”. 1 November. https://nitda.gov.ng/wp-content/uploads/2021/01/NDPR-Implementation-Framework.pdf.
- Ormandy, Tavis. 2021. “Google Project Zero”. This Shouldn’t Have Happened: A Vulnerability Postmortem. (blog) 1 December. https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html.
- Overseas Tankship (UK) Ltd v Morts Dock & Engineering Co (The Wagon Mound). 1961. AC 388.
- PCI Council. n.d. “PCI DSS: V4.0”. https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf.
- Risk Metrics Working Group. 2022. “Reporting Cyber Risk to Boards: CISO Edition.” 14 March. https://www.eurocontrol.int/sites/default/files/2022-03/reporting-cyber-risk-to-boards-ce-20220322.pdf.
- Romanosky, Sasha, and Alessandro Acquisti. 2009. “Privacy Costs and Personal Data Protection: Economic and Legal Perspectives.” 24. Berkeley Technology and Law Journal. https://www.jstor.org/stable/24118273.
- Roncevich, Tim. 2018. “Why Unpatched Vulnerabilities Will Likely Cause Your Next Breach.” Infosecurity Magazine, 23 May. https://www.infosecurity-magazine.com/opinions/unpatched-vulnerabilities-cause/.
- Royal Courts of Justice. 2015. Google Inc. - and - Judith Vidal-Hall Robert Hann Marc Bradshaw - and - The Information Commissioner. 3 March.
- Royal Courts of Justice. 2023. Tulip Trading Limited v Wladimir van der Laan, Jonas Schnelli, Pierer Wuille, Marco Falke, Samuel Dobson, Michael Ford, Cory Fields, George Dombrowski, Matthew Corallo, Peter Todd, Gregory Maxwell, Amaury Séchet, Jason Cox, Bitcoin Association for BSV, Eric Lombrozo, Roger Ver.
- Sarabi, Armin, Parinaz Naghizadeh, Yang Liu, and Mingyan Liu. 2016. “Risky Business: Fine-Grained Data Breach Prediction Using Business Profiles.” Journal of Cybersecurity 2 (1): 15–28. https://doi.org/10.1093/cybsec/tyw004.
- Shahzad, Muhammad, Muhammad Zubair Shafiq, and Alex X. Liu. 2012. “A Large Scale Exploratory Analysis for Software Vulnerability Life Cycles.” IEEE. https://ieeexplore.ieee.org/document/6227141/authors#authors.
- Solove, Daniel J., and Woodrow. Hartzog. 2022. Breached!: Why Data Security Law Fails and How to Improve It. Oxford: Oxford University Press. https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2857&context=faculty_publications.
- Talesh, Shauhin A. T. 2018. “Data Breach, Privacy, and Cyber Insurance: How Insurance Companies Act as ‘Compliance Managers’ for Businesses.” Law and Social Inquiry, 27 December. https://www.cambridge.org/core/journals/law-and-social-inquiry/article/abs/data-breach-privacy-and-cyber-insurance-how-insurance-companies-act-as-compliance-managers-for-businesses/1A10E0F87EB1C205EEA43AB4E8270FB2.
- UK Government. 2019. “Product Safety Advice for Businesses.” 29 March. https://www.gov.uk/guidance/product-safety-advice-for-businesses.
- UK Government. 2021. “Product Security and Telecommunications Infrastructure (PSTI) Bill: Factsheets.” 24 November. https://www.gov.uk/government/collections/the-product-security-and-telecommunications-infrastructure-psti-bill-factsheets.
- UK Parliament. n.d. “UK Parliament: Consolidated Fund.” https://www.parliament.uk/site-information/glossary/consolidated-fund/.
- US Government. n.d. “National Vulnerability Database.” https://nvd.nist.gov/.
- Wikipedia. n.d. “Patch Tuesday”. https://en.wikipedia.org/wiki/Patch_Tuesday.
- Wolf, Nicky. 2016. “DDoS Attack That Disrupted Internet Was Largest of Its Kind in History, Experts Say.” The Guardian, 26 October. https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet.
- Woods, Daniel, and Andrew Simpson. 2017. “Policy Measures and Cyber Insurance: A Framework.” Journal of Cyber Policy, https://doi.org/10.1080/23738871.2017.1360927.