In the past year, the number and extent of IT attacks on public authorities, organisations, private enterprises, defence, and most recently hospitals have virtually exploded. To counter this development, it is crucial that measures be taken in a legal context as well as an IT context.
IT security challenges
Attacks are performed by means of code injection, ransomware, malware, robot technology, and artificial intelligence that is as sophisticated as the available IT protection tools.
The objectives of such attacks vary greatly, but the most prominent current examples are:
- Hacking in order to get access to information about the identity of individuals, trade secrets or other confidential information that may be sold on the Internet.
- Ransomware is a form of kidnapping, where data is locked and may be unlocked only against payment of some type of ransom.
In addition, there are many other types of malware, spyware, and phenomena that typically do not have illegal or harmful purposes.
The explosive increase in attacks is compounded by several features of contemporary IT use, such as outsourcing, self-service solutions, remote access, infrastructure and data centre solutions, and the variety of devices and platforms, all of which create multiple access routes into IT systems and increase both the vulnerability and the risk of security breaches.
The market offers numerous protection and scanning tools that may help prevent or limit the extent of an IT attack, or scan for vulnerabilities; this is of course the first line of defence. However, the legal aspect is equally important when it comes to prevention and compliance.
Legal regulation of IT security
IT evolution sharpens our focus on the legal framework for IT security, which may generally be divided into three dimensions:
- Legislation.
- Standards.
- Contract terms.
These may be further divided into a number of sub-categories as illustrated in the table below.
Legislation includes specific legislation on IT security, the most important of which are listed below.
A much vaster area is that of indirect statutory requirements for IT security, where legislation regulating a specific area imposes extensive IT security requirements, for instance:
- Anti-money laundering rules
Apply to banks, financial enterprises, lawyers and accountants, who are subject to specific requirements concerning e.g. the duty to investigate and report, cf. s. 6 of the Danish Money Laundering Act: Enterprises and individuals covered by the Act must be aware of customer activities [...].
- Confidentiality rules
Section 27 of the Danish Public Administration Act, which applies to public administration, and the rules applying to lawyers, doctors and the clergy require IT security measures that support compliance with the statutory duty of confidentiality.
- Stock exchange regulations
Compliance with e.g. the Market Abuse Regulation regarding the duty to report, insider trading, price manipulation, internal rules, etc., must be built into the IT systems.
- Legislation and rules on transportation, payment, foodstuffs, health, etc.
The specific rules to be observed in each of these areas are highly significant for IT security.
- Executive order on security
E.g. s. 12: Measures must be implemented to ensure that only authorised users may gain access and that such persons may only gain access to the personal data and applications for which they are authorised.
The legislation is relatively general and, like much other legislation, is to be supplemented by case law. Of particular importance in the run-up to 2018 is the new General Data Protection Regulation (GDPR), which is based on the basic principles of integrity and confidentiality.
In relation to IT security, various highly process-oriented standards apply, including:
- To be observed by the state, regions, and municipalities and their suppliers.
Private and public contingency plans
- Contingency plans in private enterprises according to management decision.
- Contingency plans in the public sector according to legislation and decision.
- Various executive orders have been issued on contingency plans in particular sectors, such as telecoms networks, energy networks, and the health sector.
Auditing standards for annual reports, auditing, and IT security
- ISAE 3402, ISAE 3000 or ISRS 4400 (the US equivalents are SOC 1, 2 and 3).
Quality and security standards - Information Technology Infrastructure Library (ITIL)
- ITIL is the most applied and recognised method within IT Service Management on a global scale, based on experiences and best practices of the private and the public sector.
- http://www.infosectoday.com/Articles/ITIL_and_Security_Management.htm
Risk Management standards
- E.g. Payment Card Industry Data Security Standard (PCI DSS).
- For a Danish version go to NETS's website: https://www.nets.eu/dk/payments/sikre-betalinger/pci/pcidss-12-sikkerhedskrav/
The standards are very process-oriented: they offer no guidance on how to implement IT security measures themselves, only on the process.
Relevant contract terms with suppliers
It is highly relevant and necessary to regulate IT security contractually with one's suppliers, including:
- Access and security framework
- Operations-related security
- Encryption
- Security updates
- Safeguarding the solution
- Safeguarding networks and infrastructure
- Disaster recovery and business continuity plans
- Regular updates and practical tests
- Audit and control
- Supplier's duty to report, including any breach of security
- Pro-active remedies
- Supplier's own quality assurance and risk management
- Auditor statements ISAE 3402, type I or II or special statements
- Particular areas (e.g. environment, foodstuffs, health)
- Protection of particular information
- Safeguarding against supplier bankruptcy
- Physical security
- Operational reliability.
How to achieve legal compliance
In order to achieve legal compliance we recommend:
- Checking compliance against legislation and standards
- Reviewing IT contracts with suppliers to check whether IT security is adequate and sufficiently regulated
- Amending existing contracts and/or concluding new ones
- Introducing procedures for conclusion and management of contracts, with particular focus on IT security.