Today technology drives business. The downside is that cyber security is the number one compliance issue for business. Businesses large and small have been and will continue to be attacked—for access to data, for ransom, and so famously in the SONY case, for embarrassment. Human error is often cited as a major cause of cyber attacks.
Data is an asset, but also a risk. Companies collect and use data in, and across, multiple jurisdictions. Cyber attackers want this data. Cyber attackers are generally outside the company, in a different country, and nearly impossible to identify. Many times the attack comes in through someone inside the company. Cyber security is a critical trans-border issue. Effective preventive measures and procedures for attack management are mandatory.
Cyber attacks are costly. Business disruption and regulatory fines cost money; decreases in sales because of loss of consumer trust and loyalty cost money; tarnished reputations and litigation cost money; loss of data and confidential information costs money.
Board of Directors and Management
The prospect of lawsuits in the U.S. against board members is increasing because a cyber attack could be considered a failure by the board to fulfill its fiduciary duty to its shareholders to protect the company.
The U.S. Department of Justice recently provided guidelines for cyber security awareness for board members. The CIO now has responsibility to communicate the cyber security strategy to board members and make them aware of critical risks to help avoid personal liability.
Plaintiffs' lawyers in the U.S. are vigorously trying to develop directors' and officers' liability for cyber attacks.
As a result, board members must understand cyber security risks and what the company is doing about them, and the board must be provided with regular updates, both on performance and on cyber security incidents. On the board's agenda must be continuous review of prevention and management procedures and ways to improve. The board also must make cyber security prevention and management a priority among managers and hold management accountable. This is especially true because most cyber attacks involve either accidental or direct involvement by a company's employees. Employees who have not followed cyber security policies must also be held accountable.
Cyber security is a trans-border issue, particularly as it relates to data and privacy issues. There is no uniform law covering this area, so each company must do a country-by-country analysis and comply with the broadest and most restrictive laws and rules to which it is subject. Legal requirements currently are focused on the legal ramifications for (i) those who steal or misuse data; and (ii) companies that have failed to protect data adequately. A third area is the sharing of information on cyber attacks and threats between companies and the countries in which they operate; for example, the recently enacted U.S. Cybersecurity Information Sharing Act.
Cyber attacks will continue and will certainly become more sophisticated. Although it is unlikely that legal requirements will impose strict liability, companies still need to show that they have done everything within reason to prevent an attack and to protect data, particularly personal data. They will also have to prove that they can manage a breach and put in place measures to mitigate disclosure and the damage resulting from disclosure and use of data. These measures will need to be scrupulously documented to improve the likelihood of avoiding legal liability.
However, even if legal liability is avoided or mitigated, cyber attacks are costly because of business disruption, reputational loss, loss of consumer trust and loyalty, and loss of data and personal and confidential information.
In the U.S., at the federal level, the Federal Trade Commission has been relying on Section 5 of the FTC Act of 1914, which bars unfair and deceptive acts and practices in or affecting commerce, to police companies' protection of personal data where companies have violated consumers' privacy rights or misled them by failing to maintain security for sensitive consumer information. There is not yet any federal breach notification law, although most U.S. states, including New York, for example, have enacted breach notification laws. These laws generally mandate notification to all residents whose information was acquired by an unauthorized person.
Different standards are developing for public companies and financial institutions. For example, if a public company publishes material that fails to disclose adequately cyber security events, minimizes their impact or significance, or dishonestly delays publishing information, the company could be subject to claims from investors.
In Europe, the European Commission has recently agreed on its General Data Protection Regulation, with the goal of standardizing and enhancing data protection in Europe. These regulations apply not only to EU companies but to all non-EU companies that supply goods or services in the EU, even if the data is not stored in the EU. In addition, in February, the EU and the U.S. agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield.
Globally, there is the 2001 Budapest Convention on Cybercrime, the first such international convention. It has been ratified by 48 states, including European countries, the USA, Australia, Canada, and Japan. Both the U.S. and Switzerland have ratified the convention.
In the next edition of the newsletter, we'll share some practical steps that companies may take to protect themselves from cyber attacks and provide a checklist of best practices that can help prevent damage from such attacks and make recovery easier.