Within the last few days the FBI has arrested 70 members of the cybercrime forum “Darkode”. Whilst this is a significant development, there are reported to be approximately 800 criminal internet forums operating worldwide.
The risks of cybercrime are becoming more and more prevalent for businesses of all sizes and trading in all sectors. In 2014, one million new malware threats were released online every day. A report from cyber security firm Symantec in April on internet security threats ranked the UK as global number 2 and Europe’s number 1 for targeted attacks in 2014. Significantly, the issue is not confined to big business; two-thirds of all targeted attacks struck small and medium-sized businesses (so much so that the government has recently proposed a financial support scheme to protect small businesses operating online).
Technology is a key part of business life and where there is life there is crime. Cybercrime is here to stay. It is not something that just “happens to other people”. It is more important than ever that businesses are familiar with and take steps to manage the legal risks associated with cybercrime. We highlight the risks for you in five key areas:
1. Your Directors
Under the Companies Act 2006 the directors of a company are subject to an objective statutory duty to manage the affairs of a company using reasonable skill, care and diligence.
In the 21st century it is not sufficient for directors to leave the IT to the “geeks in the basement” and cross their fingers and hope that all is well. A well-advised board should ensure that a full and documented analysis has been carried out of the risks of cybercrime and that appropriate policies, procedures, resources and security measures have been put in place to deal with the risk. Businesses should have a plan in place to deal with data loss or a cyber attack.
2. Your Regulators
Most companies hold personal data of some kind or another regarding their customers or others. Under the principles in the Data Protection Act 1998 (the DPA), businesses must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and be prepared to investigate and self-report actual or potential breaches to the ICO swiftly and professionally.
Moreover, industry-specific regulators are now showing a keen interest in the steps taken by businesses to protect customer or confidential information. In April 2015, the FCA issued guidance for regulated businesses on fighting fraud and cybercrime more effectively. The guidance states that firms should be alert to the financial crime risks associated with holding customer data and that the FCA will expect firms “to put in place systems and controls to minimise the risk that their operation and information assets might be exploited by thieves and fraudsters”.
It is important to keep up with the demands of regulators to avoid the significant regulatory intrusion, enforcement and the hefty financial sanctions that can result from default, particularly in cases concerning sensitive consumer or financial data. Recent case law in relation to the DPA suggests consumers can now bring claims for distress alone even where no financial loss has been incurred, which potentially increases the risks in this area further. As regulators increasingly dictate that consumers are put at the heart of the business, cybercrime and how it is mitigated must become a regular agenda item.
3. Your Suppliers
It is now commonplace for businesses to outsource some or all of their IT function, most notably through the recent trend for cloud computing. In a cybercrime context the loss of direct control over the data held by a supplier brings legal risks, in particular if something does go wrong and a business has to look to that supplier to rectify the situation. The standard terms and conditions of cloud or other IT suppliers can be light on detail in terms of material obligations for data security. All too often, the haste to implement takes precedence over appropriate risk assessments. Businesses sending data into the cloud will typically be classified as the data controller for DPA purposes and need to assess whether or not their supplier contracts provide sufficient protection for cloud-based data and, of course, any recourse if things go wrong. In the case of long-term contracts, businesses need to assess risks and negotiate terms where possible. In particular, an important factor might be the extent to which the contract allows you flexibility to change service provision and manage emerging threats.
4. Your Business Partners
It is not only your own data that is at risk from cybercrime or the target of an attack; customer data you hold is exposed too. The loss or compromise of customer data could have a profound impact on your commercial relationship and give rise to a legal claim and ensuing financial liability and cost. It is important to analyse carefully the extent of your contractual obligations in relation to your customer data and whether these are covered by contractual exclusions and limitation of liability clauses which may have been designed for other purposes. A relevant factor is the extent to which such contracts could impose costly and overly stringent security standards which are disproportionate to the value of the contract for your business.
5. Your Employees
Data theft by employees is not a new thing, but the opportunities for it have become more prevalent. Businesses can be called upon to cooperate with police investigations in cases where customers have suffered financial loss or identity theft. Additionally, staff, particularly in more senior roles, may now be using their own devices to access data under BYOD schemes. In these contexts it is particularly important that appropriate policies and procedures are put in place so that good data security discipline can be demonstrated to the relevant authorities and enforced in relation to staff. Furthermore, employment contracts must be updated so that controls can be put in place to allow the secure recovery and retention of data in the event that an employee wants to leave the business.