Cybercrime poses a real and serious threat to every company. Even though IT specialists are successfully implementing security measures that reduce the overall vulnerability of IT systems (operating systems in particular are now less prone to successful hacking attempts than in previous years) and hacking is therefore getting more difficult, cyber-attacks against IT systems continue to increase.
Increased awareness
Not only is the danger of being attacked increasing; the awareness of victims whose data has been hacked is much higher now than it was even just a few years ago. Companies are more aware that, because IT systems are now used in all types of business processes and decisions, the potential damage from a breach of IT security is enormous. Attacks on the security or integrity of sensitive client and customer data stored on company servers therefore also pose a threat that arises from this increased data protection awareness.
Claims against the company
Clearly, the hackers should be the primary target of damage claims and criminal proceedings. But hackers almost never get caught. So companies must be aware that being the victim of a cybercrime attack means that third parties may raise claims against the hacked company. Being hacked therefore usually results not only in serious image problems but also in damage claims against the company. The more sensitive the third-party data the company stores or processes, the higher its risk of being exposed to such damage claims.
Protection from claims
Companies cannot protect themselves against such claims by focusing only on the core aspects of IT security. Instead, an integrated security concept for IT compliance must be developed, implemented and – most importantly – observed in day-to-day business. There are two sides to IT compliance in this respect. First, IT systems can and should be used to support compliance systems throughout the company. Second, IT systems themselves need to be compliant. This is the only way to actually reduce the risk of being open to damage claims if the company has been hacked.
Austrian legislation
Austrian legislation does not regulate IT security in detail. Section 347 Commercial Code (Unternehmensgesetzbuch) sets the general level of diligence an entrepreneur must observe. Section 84 Companies Act (Aktiengesetz) is the corresponding provision for CEOs of stock corporations. Section 22 Limited Liability Companies Act (GmbH-Gesetz) stipulates that a company must implement an internal accounting and controlling system suitable for the purposes of that company. As these provisions do not give any practical guidelines for setting up compliant IT systems or defining security measures, international standards such as COBIT (Control Objectives for Information and Related Technology), ISO 27001 (Information technology – Security techniques – Information security management systems – Requirements) and SAS 70 (Statement on Auditing Standards – Service Organizations) are usually used to determine the requirements for IT security. A company can reduce its exposure to damage claims arising from faults in IT compliance only by integrating these (or comparable) technical standards, to the extent necessary, into its legal framework.
This article was originally published in the schoenherr roadmap'12 - if you would like to receive a complimentary copy of this publication, please visit: pr.schoenherr.eu/roadmap.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.