Companies in every country and every industry have invested heavily in the constantly expanding and evolving technologies available for doing business. This rush to the technological front line may mean moving their sales online, collecting customer information to allow them to target their markets more efficiently, finding efficiencies by sharing information across their companies or outsourcing parts of their business. However, companies are increasingly realising that the data they hold is as much a risk as it is an asset.
High profile cases of companies being hacked from Target, whose data breach in December 2013 affected around 110 million customers, to Sony, who has suffered two significant hacks since 2011 affecting millions of people and together costing Sony over $200 million, to the more recent Ashley Madison, Optimal Payments and TalkTalk cyber-attacks (to name but a few) have put cyber-security concerns into the headlines and into the minds of company directors, their customers and, importantly, regulators.
Where are we?
Governments face an insuperable challenge in creating a legal framework that can protect their citizens in the rapidly changing, ever expanding online world. Data, including the personal and financial details of companies’ customers, is often transferred, processed and stored across multiple jurisdictions, causing concerns for customers and regulators (as seen in the recent 'safe harbour' decision by the European Court of Justice).
Those seeking to access this data illegally may have no connection with the targeted company, may be in an entirely separate jurisdiction and are often almost impossible to identify. These new threats cannot be managed by governments alone; the task will require active engagement from companies, their customers and professional service providers.
Many governments (with industry input) are assisting their national industries to protect themselves by providing advisory programmes with clear statements of what steps companies need to implement to mitigate the risks from common internet based threats.
The UK government has created the voluntary Cyber Essentials Scheme which includes an Assurance Framework through which companies can receive certification to show customers, investors and third parties that they have taken these basic precautions. Certification has been made mandatory for all companies aiming to obtain higher risk supply contracts from the UK. The scheme's adherents include BAE Systems, Barclays and Vodafone.
The Australian Signals Directorate has published its "Strategies to Mitigate Targeted Cyber Intrusions", which contains thirty-five practical recommendations, including four key strategies that should prevent 85% of cyber intrusions: (i) using application whitelisting to help prevent malicious software and unapproved programs from running; (ii) patching common applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office; (iii) patching operating system vulnerabilities; and (iv) restricting administrative privileges to operating systems and applications.
Whilst it has proven difficult to create a comprehensive federal framework in the US, there have recently been significant moves towards new legislation dealing with cybersecurity. This includes the controversial Cybersecurity Information Sharing Act, which is still in the process of being passed but which the US Senate has recently voted in favour of. This act creates a framework for the voluntary sharing of information about cyber threats between private entities and the state (and provides liability protection for participating companies). It has been strongly criticised by a number of civil liberties groups, as well as many of the world's largest technology companies, on the basis that it would allow the sharing of private information with the government and secret, ad hoc privacy intrusions with little or no real benefit for the detection and prevention of cybercrime.
Compliance with legal requirements
Whilst institutions such as the EU are attempting to simplify and standardise legal and regulatory requirements (see further below), companies will often find themselves bound by a wide range of requirements which can differ significantly depending upon the industries and countries they operate in. In certain countries (e.g. Australia and the US) the regulations can also vary between states. It is advisable for companies to compare all relevant requirements and then to comply across the board with the broadest and most restrictive requirements to ensure that they are suitably covered.
The 2001 Budapest Convention on Cybercrime aims to harmonise national laws and investigatory techniques and to increase (and improve) cooperation between nations. It has been ratified by forty-seven states (including the majority of the members of the Council of Europe, the USA, Australia, Canada and Japan).
Meanwhile, China has shown an increasing desire to be at the forefront of cyber governance but with an emphasis on the importance of cyber sovereignty. In 2014, China hosted the World Internet Conference in Wuzhen (repeated this year) with a focus on global cyber governance and cyber security. It has also signed (or is looking to sign) a number of bilateral and multilateral cyber agreements including with Russia and (more restrictively) with the US. It has also been looking to vastly expand its cyber regulation framework both in relation to its responses to public security emergencies and national / industry specific standards.
The data protection regimes of most countries have been drafted on an ad hoc basis responding to specific requirements and, as such, are often based upon a number of sources.
These regulations can generally be split between those targeting individuals attempting to misuse or steal others’ data and those establishing requirements on the companies whose responsibility it is to protect that data. For example, companies in the UK who hold the data of living individuals are required by the Data Protection Act 1998 to implement technical and organisational systems to prevent the unauthorised processing of private data, or damage to such data. Similarly, companies in Australia with an annual turnover of more than AU$3 million are bound by the Australian Privacy Principles (Privacy Act 1988 (as amended)), which regulate the collection, holding, use and disclosure of personal information that is included in records.
In the US, the legal framework in relation to the collection and use of private / personal data is contained in a number of state, federal and industry specific laws. The Federal Trade Commission can and does enforce section 5 of the Federal Trade Commission Act 1914 which bars unfair and deceptive acts and practices in or affecting commerce where companies have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information. Whilst there is no general federal security breach notification law in the US, the majority of US states have enacted local equivalents. These typically require any person or business that owns or licenses computerised data to disclose any breach of the system security to all residents whose information was acquired by an unauthorised person.
In the UK, those attempting to obtain unauthorised access to software or data (or otherwise modifying a database’s content) can be found criminally liable for such acts under the Computer Misuse Act 1990, which was drafted to respond to the new threats arising from a world populated by electronic data. In Australia, the Cybercrime Act 2001 covers a wide range of cyber offences including unlawful access to computers, damage to or theft of data, impeding access to computers and cyber stalking / harassment. It also creates and expands a wide range of investigatory powers, including search-and-seizure provisions for electronically stored data.
The majority of companies in the UK are not subject to statutory notification requirements, although the Information Commissioner's Office (“ICO”) requests that it is notified of serious breaches of data security, with 'seriousness' being measured by the potential harm caused to consumers. Providers of electronic communications services (for example, internet service providers) are, however, required under the Privacy and Electronic Communications Regulations 2003 to notify the ICO about breaches of data security.
Under the UK Data Protection Act, the ICO can fine an organisation which fails to implement appropriate data protection measures. The ICO recently made it clear, when it fined the British Pregnancy Advice Service £200,000 for its failure to secure a website, that its approach is unequivocal: a lack of resources or knowledge is no excuse, and organisations handling or storing sensitive information must be held accountable. Furthermore, the directors of offending companies may (in certain circumstances) have personal liability. Whilst custodial sentences are not currently in force in the UK, a number of bodies and governmental committees (including the ICO) have proposed that they be implemented.
Listed and regulated companies
In addition to the above, entities which are listed on stock exchanges and/or those which are subject to oversight from financial regulators must also ensure that, in the event of a cyber-attack, they comply with all the additional obligations they are bound by.
For example, in the UK, Principle 3 of the FCA Handbook and 3.2.6R of the Senior Management Arrangements, Systems and Controls sourcebook require regulated companies to take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime, and to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems.
Principle 7 of the Australian Stock Exchange and Listing Principle 1 in the UK include similar requirements for listed entities to establish a sound risk management framework and to periodically review its effectiveness. Section 2.2 of the UK Disclosure and Transparency Rules requires that listed companies disclose a cyber-security breach to the extent that the breach constitutes “inside information”. Whether or not a breach is disclosable will be determined by the nature of the company's business and the seriousness of the breach.
In the US, the Office of Compliance Inspections and Examinations released this year the results of a study it had conducted of the financial services industry. It had collected and analysed data from over a hundred firms across the industry in relation to their ability to detect, prepare for and deal with cyber-attacks including an analysis of the companies’ protocols, training and policies in relation to cyber security.
It is further worth noting that, where a company publishes material that fails to adequately disclose cyber security events, minimises their impact / significance or dishonestly delays publishing material, it may also face claims from investors.
In 2007, Nationwide was fined £980,000 by the FSA after a laptop containing nearly 11 million customers’ details was stolen from an employee’s house. The FSA criticised “The failure to manage or monitor downloads of very large amounts of data onto portable storage devices [meaning] that Nationwide had limited control over information held in this way or how it was used” and noted that “Firms' internal controls are fundamental in ensuring customers' details remain as secure as they can be and, as technology evolves, firms must keep their systems and controls up-to-date to prevent lapses in security.”
The risk for companies who outsource their data responsibilities (even on an intra-group level) can be seen in the £2.27 million fine issued by the FSA to Zurich Insurance PLC in 2010 for failing to have adequate systems and controls in place to maintain the security of confidential customer data. Zurich UK had outsourced the processing of part of its general insurance data to Zurich Insurance Company South Africa Limited. The contractor lost an unencrypted drive containing the financial personal data of 46,000 policy holders and 1,800 third parties during a routine transfer. Zurich had made confidential disclosures of the fact to the FSA and ICO.
In addition to the regulatory risks, companies may face litigation from customers, shareholders and third parties in the event of a security breach. In the US, a District Court judge in Minnesota recently ruled that Target was negligent in relation to the security of its credit card data and, as such, is liable to a class-action suit brought by certain banks affected by the recent cyber-incident. The judge also approved a $10 million offer by Target to settle a class action lawsuit brought by customers. Whilst actions of this nature are less likely in jurisdictions such as the UK, which do not have the same class actions regime and where there will often be significant issues for claimants in evidencing their loss, the coming years and further technological advances are likely to see an increase in such cases.
Claims may also be brought by customers or third parties for breach of contract (either where there are express or implied terms concerning IT functions, or where the disruption to a business caused by a security breach results in a company failing to fulfil contractual provisions unrelated to cyber security) or in negligence, where the company's failure to exercise reasonable skill and care could result in liability to third parties.
Companies should consider their cyber security risks when drafting contracts, including the insertion of suitably worded force majeure clauses, and should aim to comply with industry best practice (i.e. the UK Department for Business, Innovation and Skills 2012 guidance on cyber security (as updated) and the Cyber Essentials Scheme).
The European Commission is currently in the process of agreeing the General Data Protection Regulation (the “draft GDPR”) which aims to standardise and enhance data protection requirements across Europe (and would extend to non-EU companies which supply goods or services to EU individuals irrespective of whether the data they handle is stored within the EU).
Its key provisions are expected to include a requirement on companies to document data management processes, to appoint a data protection officer (in particular where a company processes sensitive personal data) and to increase the reporting requirements in the event of a data security breach.
One of the greatest proposed benefits of the draft GDPR is the harmonisation of data protection rules across the EU in relation to cross-border transfers outside of the EEA. Currently, national implementing rules of the previous Data Protection Directive (95/46/EC) require a country specific approach. This proposal has however been challenged by some member states where it would risk diluting existing national rules.
Fines for breaches of this regulation will be determined by national regulators, but are expected to reach the greater of EUR 100m or 5% of the organisation’s annual worldwide turnover. This is a significant increase on, for example, the ICO's current authority in the UK, which permits the imposition of fines of up to £500,000.
The EU has also published a draft of its Network and Information Security Directive (commonly known as the “Security Directive” or “NISD”). Revised text was approved by the European Parliament on 13 March 2014 but still needs approval from the EU institutions, meaning practical implementation at a national level is not expected until 2016.
The NISD is similar to the US Cybersecurity Framework except that it creates mandatory requirements, whereas the US Framework is voluntary. It applies to operators of infrastructure that is 'essential for the maintenance of vital economic and societal activities', including those in the financial, transport, health and energy sectors, in addition to certain online services such as internet exchange points (but not e-commerce platforms). It proposes a number of new obligations on companies, including requirements:
- to take appropriate and proportionate technical and organisational measures to detect and effectively manage the risks posed to the security of their networks and information systems;
- to notify the appointed competent authority, without undue delay, of incidents which have a significant impact on the continuity of the core services they provide. The competent authority may in turn require that the public is informed;
- for the creation of a co-operative network between member states to share information and volunteer early warnings of breaches. The most recent version of the text also states that listed companies should voluntarily make cyber incidents public in their financial reports;
- to comply with binding instructions from the competent authority, including providing evidence of effective implementation of security policies, such as undertaking and making available an audit. The frequency and severity of this obligation is tailored according to the 'criticality' of the organisation; and
- for member states to encourage the use by businesses of international inter-operable standards / specifications.
Whilst the list of industries covered by the NISD is still to be finalised (on 29 June 2015, it was confirmed that information society services (such as cloud computing providers, search engine operators, digital retailers etc.) would be “treated in a different manner” to essential services under the NISD), it appears that it will cover key Internet companies (including social networks), the banking sector and stock exchanges, public administrations and the energy, transport and health sectors.
One of the most significant concerns for companies will be the loss of goodwill / business that goes with (often highly publicised) breaches. Whilst companies (and their customers) are increasingly realising that a cyber security breach is almost unavoidable, the question of whether the company had implemented reasonable protective measures and how it deals with the effects of the attack remain key.
In order to protect their reputation and maintain their client base, companies should be fully cognisant of the risks facing them and have a well-rehearsed plan (incorporating the company's management, public relations, legal and IT teams) for how to respond in the hours, days and weeks following the event.
The risks and difficulties facing companies have been all too apparent recently in the wake of the TalkTalk attack. The company has repeatedly stressed that it is the victim of a criminal act rather than guilty of negligence; however, it has faced repeated calls for compensation and to allow its customers to end their contracts early.
Cyber Security Insurance
Insurance against cyber risk is progressively being seen as a business expense. Standalone products are increasingly common and insurers are teaming up with cyber security experts to help them understand the risks involved and to assist them in the event of a claim.
The recent case of Zurich American Insurance Co. v Sony Corp of America et al in the Supreme Court of the State of New York highlights that companies who assume that their standard commercial general liability insurance will cover cyber risk related losses may often find themselves exposed. The court ruled in favour of Zurich, stating that the cyber-attack in question did not trigger the insurers’ obligation to defend Sony from resulting litigation, on the basis that the policy in question required the policyholder to perpetrate or commit the act itself and did not apply where third-party hackers breached the security. An appeal by Sony against this ruling was settled out of court in April 2015.
Cyber-security issues will only increase in the coming years in parallel with technological advances, and increasingly this is the number one compliance issue for businesses to address.