In our previous (debut) edition, we wrote about the risks that cybercrime poses to the shipping community and how they can potentially manage those risks.

There are many types of cybercrime methods, which will undoubtedly continue to evolve over time. We’ve listed some other modus operandi at the bottom of this article, which we hope to expound on in future editions.

But for now, let’s focus on ransomware, which is one of the most common and impactful types of cyberattack. Ransomware for the most part targets what is one of the world’s most precious assets today – data.

Ransomware attacks on shipping and logistics firms globally tripled between 2019 and 2020, according to cybersecurity firm BlueVoyant. The world’s four largest shipping firms – CMA CGM, COSCO, Maersk and Mediterranean Shipping Company – have all suffered ransomware attacks in recent years.

In fact, French container line CMA CGM just a few months ago suffered a cyberattack that resulted in sensitive data leaks. Just last year, CMA CGM also suffered a data encryption malware attack which crippled its systems.

When a breach happens and data is lost or compromised, what are your legal risks and liabilities?

Identifying liabilities

The potential liabilities from a data breach are varied and multi-layered. Let’s split them broadly into three categories – administrative, contractual and criminal.

Administrative liability – This often focuses on the administrative fining powers of the relevant regulators. Some fining powers permit fines so hefty that they can completely crush a business. For example, the General Data Protection Regulation allows the EU’s Data Protection Authorities to issue fines of up to €20 million ($24.1 million) or 4% of annual global turnover.

In 2019, in the U.K., an airline and a hotel company were tentatively fined GBP183.4 million and GBP99.2 million, respectively, following cyber-incidents that allegedly resulted in customer data being compromised and harvested by attackers.

In assessing fines, regulators will take into consideration the company’s actions both before and after the cyber incident. This includes whether or not there was prompt notification, cooperation with regulators, whether or not the relevant stakeholders adhered to company policies and procedures, whether there has been adequate training and incident preparation, and the effectiveness of incident response teams, to name a few.

Contractual liability – Commercial contracts often include clauses with respect to data security. Compromised data security can have serious consequences for the contracting parties. Following a cyber incident, a company may be unable to perform related contracts, resulting in potential claims for breach of contract.

There may be a loss of business opportunity due to reputational damage arising from the cyberattack. There may also be a risk of claims in negligence, for example due to a failure to provide adequate training or to implement robust security standards, or simply because software has not been updated.

Criminal liability – Directors of the company can be held liable and responsible if they have committed criminal offences arising from the circumstances of the cyber breach, for example, making false or misleading statements to regulators. This can result in criminal fines and imprisonment.

The role of both in-house and external legal counsel

The primary role of both your in-house and external legal counsel is to manage and mitigate liability. Both play critical roles in responding to and mitigating the effects of cyber breaches.

The in-house legal team will be directly involved in securing information to assess the business’s legal position. They will identify the type of data involved and the location, volume and sensitivity of the data compromised, consider the level of legal risk, advise on the legal obligations and manage the risks. In-house teams will need to provide strategic advice to counter any legal consequences and propose potential courses of action. They will also need to establish a chain of custody for the evidence obtained in order to respond to any inquiries.

Depending on the jurisdictional regulatory requirements, in-house teams may also need to give notification of the breach to government or supervisory bodies.

The role of the external legal counsel is to ensure the incident response teams are aligned. External legal counsel should be formally engaged before a breach occurs, as this allows the external counsel to respond quickly and mobilise the rest of the incident response teams, which often include forensics, insurance and public relations advisors.

This all forms a critical part of the incident response planning. When teams are engaged and in place early on, businesses can also benefit from comprehensive training on cyber incidents which should include the simulation of an attack and the team’s response.

+++

Here are some other common (but by no means exhaustive) modus operandi and tools of targeted cyberattacks:

  • Malware – Malicious software designed to infiltrate and damage a computer without the owner’s knowledge. Malware typically exploits deficiencies in outdated software. Malware types include ransomware (which encrypts important data until a ransom has been paid), trojans and viruses.
  • Phishing – Sending mass emails to targeted recipients asking for sensitive or confidential information, often including a click-through link to a fake website.
  • Destabilising the supply chain – An attack carried out by compromising equipment, software or third-party services.
  • Credential stuffing – Using previously compromised credentials or commonly used passwords to gain access to networks and systems.
  • Denial of service (DoS) – An attack meant to shut down machines or networks, making them inaccessible to their intended users. This is sometimes accomplished by flooding the target with traffic.