Cyber risk - the legal landscape
Recent high profile security incidents illustrate that no institution or business is immune from cyber attack. A cyber attack on the White House in 2014 resulted in a partial shutdown of its email system. In a reported attempt to extort money from the ECB, email addresses and other user contact information were stolen in 2014. Confidential movie scripts and emails about staff and movie stars were released as part of the 2014 Sony hack. Already this year, the Carphone Warehouse security breach in early August and the more recent Ashley Madison hack have received extensive media coverage.
Less than a third of businesses across Ireland are fully prepared to deal with a cyber attack and a significant majority are not fulfilling basic legal requirements, leaving themselves open to possible litigation and fines on top of risking the loss of intellectual property and commercially sensitive information. This is according to the first-ever A&L Goodbody Cyber Risk Study, which was launched earlier this year.
The study, conducted by Red C, confirmed that basic legal obligations not being fulfilled by businesses include: not having written cybersecurity policies in place (65%); not providing training to employees on what to do in the event of an attack (59%); and not allocating responsibility to any one employee or team to deal with an attack (49%).
Highlighting the need for companies to deal with cybersecurity issues from the top down, the survey also found that one in four (25%) company boards have not been briefed on their business’ legal obligations and the mechanisms that are in place, if any, to deal with a cyber attack.
Furthermore, less than a third (27%) of companies surveyed said they were fully prepared to deal with an attack and, when prompted, cited a lack of awareness of their company’s legal obligations as their biggest challenge (63%).
As Irish legislators try keeping up with trends and developments in this ever-more sophisticated world of cyber risk, a number of key laws currently dominate the cyber risk legal landscape.
Data Protection Legislation: The Data Protection Acts (DPA) require data controllers and data processors to take “appropriate security measures” to protect personal data and to ensure that staff and “other persons at the place of work” are aware of, and comply with, security measures. The law does not specify what amounts to “appropriate security measures”. The DPA does, however, identify a number of factors that may be relevant to assess appropriateness, including: the state of technological development; the cost of implementing the measures; the harm that might result from a breach and the nature of the data concerned. The Office of the Data Protection Commissioner has published a non-binding Personal Data Security Breach Code of Practice which will need to be consulted in all instances of unauthorised disclosure of personal data.
Duty of Care: A duty of care may arise in relation to data compromised during a cyberincident. Data controllers and processors both owe individuals whose data they process an express statutory duty of care under the DPA. As such, they may be subject to a claim for damages where a cybersecurity incident arises in connection with a breach of that duty. The Irish courts have to date held that actual damage must be proved and damages for distress are not recoverable unless extreme distress results in actual damage, such as a recognisable psychiatric injury.
Directors’ Duties: The Companies Act 2014 provides for indemnification from a director or officer to the company for loss arising from a breach of his/her fiduciary duty. This indemnification obligation may come into play if, for example, it is established that a cyberattack or its consequences are attributable to breach of a director’s duty.
Contracts: Contracts play an important role in regulating cyberrisks and in some cases it is mandatory to have a contract in place. For example, the DPA requires a contract to be put in place when a data controller appoints a data processor. Contractual security will typically (i) allocate responsibility between the parties for compliance with applicable law obligations in relation to security and data protection including risk in the form of caps on liability and indemnities; (ii) include provision for auditing compliance with those obligations and (iii) require notification and cooperation in the event of a cyberincident.
Criminal Law: There is a patchwork of criminal legislation relevant to cyber incidents. For example, it is an offence under the DPA to access or obtain and disclosure to another person personal data without the prior authority of the data controller or data processor. The Criminal Damage Act creates two basic computer crime offences: that of causing criminal damage to a computer; and that of unauthorised access. The unlawful operation of a computer with the intent of making gain is a criminal offence under the Criminal Justice (Theft and Fraud) Offences Act 2001.
It may also be an offence to fail to report information in relation to certain cybercrimes to An Garda Siochana. The application of criminal law is not limited to those who perpetrate attacks — officers of a corporate body that has committed an offence under the DPA may also be guilty of that offence, if it is proved to have been committed with their awareness or as a result of their neglect.
There are two pieces of draft European legislation that are expected to have a significant impact on the area of cyber risk across Europe and here in Ireland — the Draft Network and Information Security Directive and the Criminal Justice (Offences Relating to Information Systems) Bill.
While the precise wording of both is being finalised, it is clear there will be significant changes from the current EU regime, which will affect cyber security law including mandatory breach notification to data protection authorities and affected individuals and fines of up to 2.0% of worldwide turnover or €1 million. There will, however, be a two year lead in period after the text of both are finalised.
We understand that publication of the Criminal Justice (Offences Relating to Information Systems) Bill, which is intended to transpose the EU Cyber Crime Directive and enable ratification of the Council of Europe Convention on Cybercrime, is expected shortly.
With both developments pending, here in Ireland we can expect significant changes to legislation governing cyber risk. But what should Irish business be doing today to reduce cyber risk?
Legal preparedness – Best practice tips
- From a technical perspective businesses are legally required to have “adequate security measures” in place. The applicable industry technical standards should be considered. Senior management need to be familiar with the steps that have been taken.
- Appropriate levels of training should be provided to employees.
- Businesses should at all times know where their business and confidential information (including all personal data) is held, and held by whom. If sensitive information is held this should be categorised separately. In the event of an attack it is imperative to be able to know immediately what information has been compromised.
- Employees should find it easy to obtain guidance, in the form of a written cyber policy, on how to keep data safe and giving instructions on what to do in the event of a cyberattack.
- Businesses need to ensure that policies for mobile devices (including bring-your-own-device) enhance, and not hinder, the safety of company data.
- Ensure that general governance arrangements have explicit data security elements – e.g. reporting by IT department to an audit and risk committee. Cybersecurity should be a fixed agenda item and have a Board sponsor.
- Consider contracts with suppliers who handle your data (such as couriers, records management companies, cloud providers), and ensure that they are aware of your security requirements. Regular audit or reporting should occur. Retain the right to step in and to manage communications and notifications in the event of an attack.
- Clarify the responsibilities for running the investigation within the business. Everyone should know what to do in the event of a cyberattack.
- It is important to keep a written record of the above and any other steps that you have taken to prepare the business for a cyberattack. This will be, amongst other things important for any subsequent regulatory investigations.
This article was first published in TechPro by TechCentral.ie (September 2015).
For further information please contact Claire Morrissey.
Date published: 05 October 2015