With the e-economy experiencing one of the biggest booms in its history, hack attacks are becoming increasingly common. So what are the legal implications of security threats?

A recently published survey of 500 global financial institutions revealed that the number of businesses that share bandwidth or negligently allow free access to their networks, and are victims of a hacker attack, multiplied in the last year. This vulnerability is of great concern from both a security and a legal point of view.

Apart from the immediate effects which hack attacks have on a company’s liability to its customers, contacts and employees - especially when sensitive financial data is disclosed - another concern from an Irish perspective is the risk of breach of (i) the Data Protection Acts 1988 to 2003, and (ii) any contract in place between the company and its internet service providers (ISPs).

Data Protection Legislation

In Ireland, the Data Protection Acts provide that appropriate technical and organizational measures should be taken against any unauthorized or unlawful processing of personal data - that is, data from which an individual can be identified (a company will usually hold personal data of its employees, customers and contacts). Consequently, by either allowing or not preventing unauthorized third-party access to personal data, a company is in breach of its information security responsibilities under the Data Protection Acts.

Any such breach may result in a notice being issued by the data protection commissioner requiring the data controller to rectify the problems connected with the processing of the personal data. Alternatively, the commissioner can make an order requiring the data controller to stop all processing.

Failure to comply with the terms of the notice will constitute an offence, which may result in a fine upon prosecution and, more seriously, can render the directors of the company liable to prosecution where it was aware of the breach or where it was negligent in carrying out its duties in this regard.

Liability is not avoided where a third party processes a company’s personal data on its behalf. If the breach occurs on the network of a third party, the company would need to be in a position to show that it had imposed the necessary security obligations on the third-party processor.

ISP Contracts

Standard ISP contracts usually prohibit the sharing, redistribution or resupply of the service/broadband by a company, so that by allowing a third party to piggyback on its network, a company will be in breach of the contract with its ISP.

Insurance

In most cases these risks are not covered by insurance policies. Insurance companies specifically exclude cover for losses arising through security breaches. Other insurers have been offering specific IT cover for a high premium.

Remedies

Remedies against hackers are viable from a legal point of view, but less feasible from a practical one. Identification of hackers can be difficult, especially when particular identity protection devices are used. Even when the intruder can be identified, it is unlikely that he or she will be able to compensate the company for any loss suffered.

In the end, any business risks legal action if it fails to take information security seriously and cannot show that it has used its best endeavours to prevent breaches of its security.


For further information on this topic please contact David Sanfey at A & L Goodbody by telephone (+353 1 649 2000) or by fax (+353 1 649 2649) or by email ([email protected]). The A & L Goodbody website can be accessed at www.algoodbody.ie.