Cyber liability, cyber security and information governance are terms that directors are becoming more aware of due to high profile data security breaches.
In an increasingly interconnected world, with the expansion of the Internet and development of the ‘Internet of Things’, there has been a corresponding increase in the vulnerability of information systems to attack.
Understanding the risks
In order to assist company directors in understanding their key responsibilities in the areas of cyber liability and cyber security, we have launched the Cyber Security for Directors app with the Institute of Directors in Ireland.
The app details the various types of cyber liability and cyber risks, while drawing together the key areas for directors to consider. It also outlines both proactive and reactive strategies to manage cyber security. The app is now available for both Android and iOS devices.
Where liability might lie
The reliance we place on information systems, both for storage and transmission of data, is making data security breaches all the more damaging to organisations. It has never been clearer that companies and organisations need to have data security policies in place and good information governance. Failure to do so inevitably leads to cyber liability, which can put any company at considerable risk.
Where there is liability, there is a corresponding responsibility for that liability. As the duties of directors come increasingly under the microscope, it is clearly in the interests of directors to ensure that they understand their responsibilities in this area.
Key questions that directors should ask in relation to the collection and processing of data
1. Are we being transparent?
Data must be obtained “fairly” and the company must be transparent about the reason the data is being collected and the purpose for which it will be used. Data must not then be put to a further “incompatible” use.
2. Do we have consent?
Consent is usually, but not always, required. If the information is non-sensitive, there can be implied consent. If the information gathered is sensitive (such as relating to an individual’s health, race, sex life, religious beliefs or trade union membership) then there must be explicit consent.
3. How long are we retaining data for?
Personal data can only be stored for as long as is necessary. There should be no retention of data “just in case”.
4. Are we collecting unnecessary data?
Data should only be collected if necessary. There are PR risks to any company if data is collected and stored unnecessarily.
5. Are we keeping the data secure?
You must have appropriate security measures to protect any data you are storing. Take into consideration the state of the technology you are using, the cost of implementation and the nature of the data and potential harm if a breach occurs.
6. Are we giving the data to third parties?
Are the third parties controllers or processors? In other words, on whose behalf will they use the data? If they are controllers, you will likely need consent for collection. If they are processors, special written contract terms are required.
7. Is the data leaving Europe?
If collected data remains within the EEA, transfer issues do not arise. If the data is to be transferred outside the EEA then safeguards are required unless it is an approved country, e.g. Canada.