[BreachExchange] The legal consequences of a cyber-attack

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 25 19:38:40 EDT 2016


http://techcitynews.com/2016/04/23/the-legal-consequences-of-a-cyber-attack/

As tech businesses prepare for the year ahead, cybersecurity should be a top
item on the management agenda.

Barely a week passed in 2015 without news stories of a significant
cyber-attack, and it seems highly unlikely 2016 will be any different.

Malicious software can now be downloaded from the internet for free or a
small fee by almost anyone and then used to launch an attack – these
“commodity threats” probably represent the greatest cyber threat to UK tech
businesses and are increasingly used by organised criminals as a relatively
risk-free method to steal information and to extort money.

Disgruntled employees (or ex-employees) can steal important data and pass
it to competitors, or leave a ‘back door’ open exposing the business to
attack.

Hacktivists have attacked businesses whose activities they disapproved of
across a range of sectors including life sciences, financial services and
the entertainment industry.

In this increasingly hostile environment, what do owners of tech companies
need to be aware of?

A tier 1 threat

The Government has taken the problem so seriously that it classified
cyber-attack as a tier 1 threat to the country, alongside terrorism,
military crises and natural hazards.

The risks and implications of a successful attack on a business are
significant. Some of the most obvious examples include data breach where
sensitive information is lost, leaked, stolen or damaged.

This can give rise not only to claims for damages against the business but
to regulatory interest and, potentially, fines and rectification costs.

Inadvertent transmission of malware causing damage to a third party can
give rise to claims for damages.

In addition to damages claims and fines, the internal costs to a business
of dealing with the aftermath of an attack include management time and
rectification costs (for example in reconstituting a database), and
reputational damage may also arise.

The costs to businesses of course vary depending on the nature of the data
breach and the size of the business.

Estimates of the costs to TalkTalk following the breach of its website last
year were £35 million, covering response, IT and technology costs.

The Achilles heel

The risks businesses can face in relation to loss of personal data and, in
particular, the obligations under the Data Protection Act 1998 will depend
upon what personal data they hold, whether they act as a data controller or
processor in relation to that data and what obligations they have under the
Act.

One of the key principles of the Act is that data controllers must ensure
they take appropriate technical and organisational measures against
unauthorised processing or accidental loss of personal data.

Not only must they ensure appropriate internal policies and plans are put
in place, they must also take reasonable steps to ensure the reliability of
any third party data processors they use, such as outsourced IT, software
hosting and payroll providers.

A well drafted written contract placing appropriate obligations on the
third party data processor is therefore essential.

A business that fails to take these steps may unwittingly find itself in
breach of the Act if it, or a supplier, is subjected to a cyber-attack.

In addition to dealing with the immediate fallout of the attack, the
business could also face claims for damages from data subjects, an
investigation and penalty of up to £500,000 from the Information
Commissioner’s Office, a prosecution in the magistrates court leading to an
unlimited fine, or claims for breach of contract and confidentiality and
breach of duty.

In short, businesses must take reasonable steps to protect themselves from
the risks of cyber-attack.

They need to identify areas of weakness in their business and
infrastructure.

They should put in place appropriate policies and standards, procedures and
training for staff, and review business arrangements, contracts and
insurance policies.

There should be a response plan in place setting out the practical steps
that will need to be taken in the wake of an attack. Consideration should
be given to how a later investigation will be handled, bearing in mind that
if investigations are conducted under legal privilege, this could protect
the business from having to disclose potentially damaging material in later
litigation.

As part of its planning, a business will need to review existing insurance
policies to see if they might respond to a cyber-attack event.

Consideration should be given to putting in place appropriate insurance if
necessary.

Whilst a cyber-policy is unlikely to indemnify against all losses, it can
provide valuable cover, but be careful to check the policy scope and
exclusions.

Responding to attacks

Putting in place a plan to protect from and respond to an attack is part of
the solution, but in itself it is not enough.

That plan needs to be constantly re-evaluated to ensure it is fit for
purpose. As part of this process, businesses will need to keep up to date
with new regulatory requirements and the changing legal framework.

The insurance market also continues to see huge growth and having the
appropriate type and level of cover could help to mitigate risk.

Apart from the impact of a cyber-attack on a business, directors should
also bear in mind that failure to take appropriate steps to protect the
business from an attack could lead to claims being brought against them
personally for breach of fiduciary duties.

In our experience, while technology businesses tend to be more attuned to
the risk of cyber-attacks and therefore better protected from the risk of
attack, given the nature of their business they are firmly in the firing
line if a customer suffers a breach. Make 2016 the year you put in place
all appropriate measures to protect yourselves and your clients.