Companies across the globe and in all industries have invested heavily in new technologies for doing business, creating dynamic, exciting and ever-expanding business opportunities. This rush to the technological front line may mean moving their sales online, collecting customer information to allow them to target their markets more efficiently, finding efficiencies by sharing information across their companies, or outsourcing parts of their business. Companies are, however, increasingly realising that these new opportunities (particularly the data they hold) can be as much a risk as they are an asset.
High-profile cases of companies being hacked, from Target, whose data breach in December 2013 affected around 110 million customers, to Sony, which has suffered two significant hacks since 2011 affecting millions of people and together costing Sony over $200 million, to the more recent Ashley Madison, Optimal Payments and TalkTalk cyber-attacks (to name but a few), have put cyber-security concerns into the headlines and into the minds of company directors, their customers and, importantly, regulators.
Where are we?
Governments face an insuperable challenge in creating a legal framework that can protect their citizens in the rapidly changing, ever-expanding online world. Data (including the personal and financial details of companies' customers) is often transferred, processed and stored across multiple jurisdictions, causing concerns for customers and regulators (as seen in the recent 'safe harbour' decision by the European Court of Justice).
Those seeking to access this data illegally may have no connection with the targeted company, may be in an entirely separate jurisdiction and are often almost impossible to identify. These new threats cannot be managed by governments alone; the task will require active engagement from companies, their customers and professional service providers.
Many governments (with industry input) are assisting their national industries to protect themselves by providing advisory programmes with clear statements of what steps companies should implement to mitigate the risks from common internet-based threats.
The UK government has created the voluntary Cyber Essentials Scheme, which includes an Assurance Framework through which companies can receive certification to show customers, investors and third parties that they have taken these basic precautions. Certification has been made mandatory for all companies aiming to obtain higher-risk supply contracts from the UK government. The scheme's adherents include BAE Systems, Barclays and Vodafone.
The Australian Signals Directorate has similarly published its "Strategies to Mitigate Targeted Cyber Intrusions", which contains thirty-five practical recommendations, including four key strategies that should prevent 85% of cyber intrusions.
Companies should keep abreast of the most recent advice in order to protect themselves from common cyber threats and to ensure that they can be seen to be complying with the standards expected of them. Certain industries also have their own sets of standards.
Compliance with legal requirements
There are a number of international initiatives aimed at simplifying and standardising the legal and regulatory cyber frameworks (including those led by the EU and China, and under the Budapest Convention on Cybercrime); however, companies will often find themselves bound by a wide range of requirements which can differ significantly depending upon the industries and jurisdictions they operate in. It is advisable for companies to compare all relevant requirements and then to comply across the board with the broadest and most restrictive requirements, to ensure that they are suitably covered.
The data protection regimes of most countries have been drafted on an ad hoc basis in response to specific requirements and, as such, are often based upon a number of sources. They tend, however, to be split between regulations discouraging the committing of cyber-attacks and those establishing the standards with which data holders must comply (i.e. encouraging cyber protection).
It is essential that companies which hold sensitive, confidential or personal data comply with any applicable regimes, whether this is the UK Data Protection Act (which requires companies to implement technical and organisational measures to protect the personal data of living individuals), the Australian Privacy Principles (which regulate the collection, holding, use and disclosure of personal information by companies with an annual turnover of more than AU$3 million) or the numerous state, federal and industry-specific laws that exist in the US.
In the UK, the Information Commissioner's Office ("ICO") is responsible for enforcing the Data Protection Act and recently fined the British Pregnancy Advisory Service (a British charity) £200,000 for its failure to secure a website from hackers. By doing so, it made clear that its approach is unequivocal: a lack of resources or knowledge is no excuse, and organisations handling or storing sensitive information must be held accountable. In addition to the company being fined directly, in certain circumstances the directors of offending companies can have personal liability. A number of bodies and governmental committees (including the ICO) have advocated introducing custodial sentences.
Meanwhile, China has shown an increasing desire to be at the forefront of cyber governance, but with an emphasis on the importance of cyber sovereignty. In 2014, China hosted the World Internet Conference in Wuzhen (repeated last year) with a focus on global cyber governance and cyber security. It has also signed (or is looking to sign) a number of bilateral and multilateral cyber agreements, including with Russia and (more restrictively) with the US. It has also been looking to vastly expand its cyber regulation framework, both in relation to its responses to public security emergencies and in national and industry-specific standards.
Duty to notify
In addition to complying with their duties to protect the information that they hold, companies need to be aware of any duty to notify regulators (and/or affected individuals) once a cyber event has occurred.
Whilst in the US there is no general federal requirement to notify customers of breaches, the majority of states have enacted local equivalents, which typically require companies to inform their customers of any data breaches that have affected their personal data.
In the UK, companies are not generally subject to statutory notification requirements; however, the ICO requests notification of serious breaches, with 'seriousness' being measured by the potential harm caused to consumers. There are also certain exceptions. Providers of electronic communications services are, for example, bound by a specific notification regime, and listed companies (s.2.2 of the UK Disclosure and Transparency Rules) must disclose a cyber-security breach to the extent that the breach constitutes "inside information".
Listed and regulated companies
Just as some industries have additional regulatory requirements, so too do entities which are listed on stock exchanges and/or subject to oversight from financial regulators. In the UK, FCA-regulated companies must take reasonable care to establish and maintain effective systems and controls countering the risk that they, or the data they hold, can be used to further financial crime. Similarly, listed companies in Australia and the UK are required to establish a sound risk management framework and to periodically review its effectiveness.
It is also worth noting that where a company publishes material that fails to adequately disclose cyber security events, minimises their impact or significance, or dishonestly delays publishing material, it may also face claims from investors.
"The risk for companies who outsource their data responsibilities (even on an intra-group level) can be seen in the £2.27 million fine issued by the FSA to Zurich Insurance PLC in 2010 for failing to have adequate systems and controls in place to maintain the security of confidential customer data. Zurich UK had outsourced the processing of part of its general insurance data to Zurich Insurance Company South Africa Limited. The contractor lost an unencrypted drive containing the financial personal data of 46,000 policy holders and 1,800 third parties during a routine transfer. Zurich had made confidential disclosures of the fact to the FSA and ICO."
Companies may also face litigation from customers, shareholders and third-parties in the event of a security breach. In the US, a District Court judge in Minnesota recently ruled that Target was negligent in relation to the security on its credit card data and, as such, is liable to a class-action suit brought by certain banks affected by the recent cyber-incident. The judge also approved a $10 million offer by Target to settle a class action lawsuit by customers. Whilst actions of this nature are less likely in jurisdictions such as the UK which do not have the same class actions regime and there will often be significant issues for claimants in evidencing their loss, the coming years and further technological advances are likely to see an increase in such cases.
Claims may also be brought by customers or third parties for breach of contract (for example, either where there are express or implied terms concerning IT functions, or where the disruption to a business caused by a security breach results in a company failing to fulfil contractual provisions unrelated to cyber security) or in negligence (where the company's failure to exercise reasonable skill and care could result in liability to third parties).
Companies should consider their cyber security risks when drafting contracts, including the insertion of suitably worded force majeure clauses, and should aim to comply with industry best practice (e.g. the UK Department for Business, Innovation and Skills 2012 guidance on cyber security (as updated) and the Cyber Essentials Scheme).
There are a number of regulatory updates expected in the next few years which companies should be aware of, including the EU's General Data Protection Regulation ("GDPR") and Network and Information Security Directive (the "NISD").
The GDPR is aimed at harmonising and expanding data protection requirements across Europe (and is likely to extend to non-EU companies which supply goods or services to EU individuals).
Its key provisions are expected to include a requirement to document data management processes, the appointment of a data protection officer and expanded reporting requirements in the event of a data breach.
Fines for breaches of the GDPR are still being negotiated and will be determined by national regulators, but are expected to reach at least 1 million euros or 2% of the organisation's annual worldwide turnover, a significant increase on, for example, the ICO's current authority in the UK, which permits the imposition of fines of up to £500,000. Certain parties are arguing for an increase to €100 million or 5% of annual worldwide turnover.
The NISD is expected to apply to operators of infrastructure that is 'essential for the maintenance of vital economic and societal activities', including those in the financial, transport, health and energy sectors, in addition to certain online services such as internet exchange points (but not e-commerce platforms). It is similar to the US Cyber Security Framework, except that it creates mandatory requirements whereas the US Framework is voluntary. It proposes a number of new obligations on companies, including notification requirements, technical and organisational measures to detect and effectively manage the risks posed to the security of their networks and information systems, and the creation of a co-operative network between member states to share information and volunteer early warnings of breaches. The most recent version of the text also states that listed companies should voluntarily make cyber incidents public in their financial reports.
One of the most significant concerns for companies will be the loss of goodwill and business that goes with (often highly publicised) breaches. Whilst companies (and their customers) are increasingly realising that a cyber security breach is almost unavoidable, the questions of whether the company had implemented reasonable protective measures and how it deals with the effects of the attack remain key.
In order to protect their reputation and maintain their client base, companies should be fully cognisant of the risks facing them and have a well-rehearsed plan (incorporating the company's management, public relations, legal and IT teams) for how to respond in the hours, days and weeks following the event.
The risks and difficulties facing companies have been all too apparent recently in the wake of the TalkTalk attack. The company has repeatedly stressed that it is the victim of a criminal act rather than guilty of negligence; however, it has faced repeated calls for compensation and to allow its customers to end their contracts early.
Cyber Security Insurance
Insurance against cyber risk is progressively being seen as a business expense. Standalone products are increasingly common and insurers are teaming up with cyber security experts to help them understand the risks involved and to assist them in the event of a claim.
The recent case of Zurich American Insurance Co. v Sony Corp of America et al in the Supreme Court of the State of New York highlights that companies which assume that their standard commercial general liability insurance will cover cyber-risk-related losses may often find themselves exposed. The court ruled in favour of Zurich, stating that the cyber-attack in question did not trigger the insurers' obligation to defend Sony from the resulting litigation, on the basis that the policy in question required the policyholder to perpetrate or commit the act itself and did not respond where third-party hackers breached the security. An appeal by Sony against this ruling was settled out of court in April 2015.
Cyber-security issues will only increase in the coming years in parallel with technological advances, and increasingly this is the number one compliance issue for businesses to address.