A quick Google search on data breaches/cyber security issues/GDPR investigations and fines results in hundreds of thousands of hits covering best practice guidance, scary facts and figures and detailed analyses of the causes of information security and data breaches. To illustrate:
- Gartner predicts that the worldwide information security market is forecast to reach $170.4 billion in 2022 (Gartner)
- 68% of business leaders feel their cybersecurity risks are increasing (Accenture)
- Hackers attack every 39 seconds (University of Maryland)
- 52% of breaches caused by malicious attacks and 80% affect personal info (IBM)
- It takes on average 280 days to ID and contain a breach (IBM)
- Total annual cost of cyberattacks is increasing (Accenture)
DT can both help and hinder cybersecurity and data management: new technologies monitor security threats in sophisticated and agile ways – “cybersecurity-as-a-service” (CaaS) is becoming more prevalent and can offer a simple, effective “one stop shop” approach to ensuring system security and integrity. Outsourcing CaaS, or indeed adopting state of the art cybersecurity hardware, software and processes, does not completely remove the risk of breach – like a chain, cybersecurity is only as strong as its weakest link.
Any DT project will therefore need to address cybersecurity contractually, by including terms stipulating: (1) the information security/cyber security standards that the supplier is obliged to meet – be they “appropriate technical and organisational measures” in GDPR-speak or other security standards, (2) that the customer can vet and audit the supplier’s compliance with the contractually mandated standards, (3) the circumstances in which the supplier is liable for a breach/cyberattack, (4) the extent of a party’s financial liability, and (5) what costs, expenses, losses and liabilities are recoverable.
Liability for cyberattacks/breach of GDPR/breach of information security commitments is a key focus for both customers and suppliers when negotiating the Ts&Cs for any DT project. The approach to cybersecurity issues has changed in recent years owing to the potential significant consequences of a GDPR breach and, for now at least, breaches of confidentiality, GDPR and information security obligations are addressed as one issue.
The usual starting positions of both supplier and customer are illustrated in Chart 1 below. Typically, a negotiated deal will result in the parties agreeing some form of middle ground based on: (1) the nature of the data/information at issue (e.g., does the supplier process sensitive “special category” data or financial data or more “low risk” personal data such as employee email addresses?), (2) the service offered by the supplier and how it uses the customer’s data, (3) the committed revenue spend by the customer, (4) the customer’s industry (is it regulated? are there established standards?), (5) the risk posed to the customer resulting from a breach of security/confidentiality/GDPR committed by the supplier, and (6) market practice.
Chart 1 – cyber and data risks and liabilities
The negotiation of the legal terms described above should be risk-based and undertaken in full knowledge of the roles of the supplier and customer, the data flows and the data uses. The following questions and considerations may help focus the discussions on key risks and concerns, and no contract should be signed by the parties unless the following points have been addressed in one way or another:
- Each party should understand what data it possesses and its role in relation to that data – is it a controller or processor for GDPR purposes? Are they joint controllers?
- Is it possible for the supplier or the customer to override contractual commitments by choosing specific options within the software/service offered by the supplier?
- If a breach occurs, what’s the potential impact on the parties and any other individual or entity impacted by the breach? Is it a GDPR issue? Or a disclosure of confidential business information (e.g. financial reports, know-how, trade secrets)? Are fines possible? Can individuals or third parties make claims?
- What is the supplier required to do in the event of a breach? Must it provide all assistance in a timely manner? Does it have a process for dealing with cyber/data breaches?
Fix first, argue later
If a breach arises, speed of response may be crucial as any delay may increase loss or liability. It’s good practice, therefore, for the parties to adopt a “fix first, argue later” approach to addressing the consequences of a data breach. The parties should be permitted to take the steps necessary to mitigate, reduce or remove the breach or its cause in the way they consider most appropriate, without first having to assess potential contractual and legal liability. This is particularly key for “as-a-service” offerings, where one breach of security affecting one customer may cascade through to other customers of the supplier. The supplier may therefore reserve rights to suspend access to all or part of the service to resolve the issue and may also take unilateral action where it believes this is required to reduce the likelihood of, or avoid, a breach. In suggesting these remedies and pursuing a “fix first, argue later” approach, we are not advocating carte blanche for either party to do what it thinks appropriate in response to cyber incidents – the terms of the contract will still apply and each party will still be able to exercise its rights – we are simply suggesting that good governance requires the parties to attempt to resolve the incident while the lawyers review the applicable contractual terms!