[BreachExchange] You've been hacked. What are you liable for?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 14 15:33:39 EDT 2016


http://www.theregister.co.uk/2016/10/14/been_hacked_what_are_you_liable_for/

Hacking is big news and we’re all susceptible. In the UK, hackers could
face jail time under the Computer Misuse Act, but the question on many
businesses’ minds will be where the liability lies if they are hacked.

The list of successful mega breaches continues to grow; extra-marital
affairs site Ashley Madison hit the headlines last summer when data was
exposed about its 37 million users, although it appeared many of those were
fake accounts. Earlier this year, Yahoo! revealed the numbers behind its
2014 data breach – 500 million user account credentials were stolen.

In 2016, the SWIFT financial payments system was hacked, and this came
after another group using the same approach stole $81m from the Bangladesh
central bank. Even the US central bank, the Federal Reserve, detected more
than 50 cyber breaches between 2011 and 2015, according to cybersecurity
reports obtained through a freedom of information request.

Regulator fine

Telecoms company TalkTalk has the dubious honour of having received the
largest fine ever imposed by the Information Commissioner’s Office –
£400,000 – for a cyber attack which allowed access to customer data “with
ease”. The ICO’s investigation revealed that TalkTalk could have prevented
the attack by taking simple steps to protect customer information.

The TalkTalk fine is far lighter than the £3m fine issued by the then-FSA
to HSBC in 2009 for not having adequate systems and controls to protect
customers’ confidential information.

But even that fine seems small compared to the new fines on the way under
GDPR. In general, failing to take appropriate measures could lead to a fine
of the higher of €10m or 2 per cent of an undertaking’s total worldwide
annual turnover. If coupled with other data breaches, these figures could
be doubled to €20m and 4 per cent.

One of the difficulties facing organisations is that data protection
legislation is vague when it comes to specifying the standards of
protection required. The Data Protection Directive and the UK Data
Protection Act both require the data controller to “implement appropriate
technical and organizational measures to protect personal data against
accidental or unlawful destruction or accidental loss, alteration,
unauthorized disclosure or access”.

This concept is carried over to the new EU General Data Protection
Regulation, which will be enforced throughout the EU – yes, including the
UK – from May 2018. In fact, it also requires the controller to build in
data protection by design and by default.

What does this actually mean though? What measures are appropriate? Well,
the ICO has not yet stipulated a particular minimum threshold for
protection, but it generally penalises organisations that suffer the loss
of unencrypted laptops and mobile devices. The GDPR itself suggests
pseudonymisation and data minimisation as part of a data controller's
approach to protection.

While the vagueness in the legislation might mean businesses aren’t clear
on what they have to do, it also means the law doesn’t have to be
constantly updated to specify the latest industry standards on data
security. Besides, every CISO I’ve spoken to has a clear understanding of
what measures are appropriate, and it’s just whether they can persuade the
CFO to allocate the budget for it.

Espionage

In March of 2016, a Chinese businessman pleaded guilty to conspiracy to
hack computer networks of US defence contractors holding information about
the Stealth Bomber, which he was alleged to have passed to the Chinese
government.

If you operate in the defence industry, you are likely to have made various
promises to the government under the Official Secrets Act or its US and
other national equivalents. You will probably have a fairly good idea of
what is expected of you, so we need not go into detail here, save to
reiterate that breaches could amount to jail time.

While state-sponsored hacking does happen, it seems most breaches are
actually the result of either criminal activity or "kids messing around".
The Chinese government might not be after your business secrets, but your
competitor might. According to a Secure Works report published earlier this
year, hacking a competitor could be as cheap as $500 per mailbox.

You should attempt to quantify how much it would cost your business if you
are unable to prevent others from seeing your customer database or your
price list, or, in the worst-case scenario, if all your business data is
scrambled. Love or hate Coca Cola and KFC, their businesses are based on
keeping their recipes secret and out of the public domain. If their recipes
leak out, it could destroy their business. Why pay a premium for use of
information if you can use it for free and develop a competitive product?

Lawsuits

While it’s unlikely you will get compensation from someone who hacks your
data, you might have to pay out to your customer or supplier for any losses
they sustain as a result.

Every commercial and technology agreement I draft, whether I’m acting for a
supplier or a customer, has a clause clarifying that both sides will
protect confidential information. This usually acts as a reminder of the
general law of confidentiality, but the greater the perceived value of the
information in question, the more the clause will supplement that with
extra detail. At the least it will say a party will use information
disclosed to it only for the purposes of the agreement and will disclose it
only to those people who need to know it and for the purposes of the
agreement.

A more robust clause might require the parties to get individual employees
or subcontractors to execute a confidentiality undertaking. Some clauses
will say a party will protect the other’s confidential information to the
same standard as it protects its own and, in any event, no less than a
reasonable standard. It will often have an acknowledgement that if the
confidentiality obligation is breached, compensation would not be an
adequate remedy and that a court injunction would be vital to protect
confidentiality – although compensation will often be payable too if it is
too late for an injunction.

Finally, many agreements contain an indemnity for breach of data protection
or confidentiality obligations.

Some business partners will undertake a data security audit of your
business to ensure you have adequate measures in place. Some will rely upon
a warranty that you comply with ISO 27001 or some other data standard.

At the least, liability will turn upon whether you took a reasonable
standard of care under the circumstances. There will be no point relying
upon a force majeure exception – an event beyond your reasonable control –
if you should have taken stronger security measures. In its criticism of
TalkTalk, the Information Commissioner effectively issued a harsh warning
to other organisations:

“Yes hacking is wrong, but that is not an excuse for companies to abdicate
their security obligations. TalkTalk should and could have done more to
safeguard its customer information. It did not and we have taken action.”

It is worth taking note of two recent court rulings (although neither
involved hacking). In October of 2016, the High Court granted an injunction
preventing the misuse of confidential information obtained under a
customer-supplier relationship relating to the production of edible infused
oils. In June this year, in the culmination of a long-running dispute over
misuse of confidential information, the Court of Appeal upheld a judgment
that a business rival set up by ex-employees had to pay $485,000
compensation for developing a competitive mosquito net product indirectly
using confidential information.

Reputation damage and loss of customers

Ultimately, if your customers desert you because you have lost their
confidence after a data breach, this might be more costly than regulatory
fines and legal action. TalkTalk admitted to losing 101,000 customers and
£60m due to the hack. The fine it received from the ICO pales in
comparison with this level of loss, which is higher even than the new fines
under the GDPR.

It won’t happen to me

Many businesses are convinced it won’t happen to them. Kevin Mitnick,
arguably the world’s most famous hacker and now a trusted security
consultant, commented recently that 80 per cent of US businesses have been
hacked – many not even aware of it – and HR and sales departments are the
most often hacked because they are the least computer security aware.

It is clear to me that affordable data breach fines will be phased out
under GDPR, and Brexit is unlikely to change that. Also, businesses have a
clear remedy for a breach of confidence. It might be time for you to
reassess your data security and your confidentiality obligations.