Being a victim of a cybercrime attack not only has a negative impact on the image of the hacked company but may also lead to damage claims against the company.

 Cybercrime poses a real and serious threat to every company. Even if IT specialists are successfully implementing security measures to reduce the overall vulnerability of IT systems (especially operating systems are now less prone to successful hacking attempts then they were in previous years) and hacking gets more difficult, cyber-attacks against IT systems are always increasing.

Claims against the company

Not only is the danger of being attacked increasing; the awareness of victims whose data has been hacked is much higher now than it was even just a few years ago.

Clearly, the hackers should be the primary target of damage claims and criminal proceedings. But hackers almost never get caught. So companies must be aware that being the victim of a cybercrime attack means that third parties may raise claims against the hacked company. This means that being hacked usually results not only in serious image problems but also damage claims against the company.

Protection from claims

Companies cannot protect against such claims by focusing only on the core aspects of IT security. Instead, an integrated security concept for IT compliance must be developed, implemented and – most importantly – observed in day-to-day business. There are two sides of IT compliance in this respect. First, IT systems can and should be used to support compliance systems throughout the company. Second, IT systems themselves need to be compliant. This is the only way to actually reduce the risk of being open to damage claims if the company has been hacked.

National legislation

National legislation does usually not regulate IT security in detail. Commercial Codes often do stipulate a general level of diligence an entrepreneur must observe and that a company must implement an internal accounting- and controlling system suitable for the purposes of that company. However, those stipulations do not give any practical guidelines for setting up compliant IT systems or defining security measures. Therefore international standards such as COBIT (Control Objectives for Information and Related Technology), ISO 27001 (Information technology – Security techniques – Information security management systems – Requirements) and SAS 70 (Statement on Auditing Standards - Service Organizations) are usually used to determine the requirements for IT security. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.