Cyber security is one of the biggest challenges businesses currently face, as cyber-attacks make national and international news headlines on an almost daily basis. Cyber-attacks are constantly evolving, as terrorists, organised criminals, nation states and ideologically-motivated 'hacktivists' become ever more sophisticated in their efforts to outwit operators in the public, private and third sectors.
The cost of a cyber breach to the affected business may be enormous once regulatory penalties, compensation claims, reputational damage and rectification costs are taken into account. While in-house lawyers may be aware of the issue, many may not know where to start in addressing the risk. This article explains the main legal considerations and how organisations can go about reducing their risk exposure.
Cyber security legislation
The Network and Information Security Directive (NIS Directive, aka the Cyber Security Directive) was originally proposed by the European Commission in 2013. It was finally approved by the European Council of Ministers on 17th May 2016, and is expected to come into force in August of this year, with Member States required to implement its provisions into national law within 21 months.
The NIS Directive will impose security and reporting obligations on 'operators of essential services' (including entities in the energy, transport, banking, financial markets infrastructure, health, drinking water supply and digital infrastructure sectors) and 'digital service providers' (such as online market places, online search engines and cloud computing services). The NIS Directive will also require EU Member States to designate a supervisory authority and establish a strategy for dealing with cyber threats. After the 21 month implementation period, EU Member States will have six months to identify 'operators of essential services'.
To comply with the NIS Directive, organisations that may be subject to its terms will have to wait to see whether they are identified as an 'operator of essential services' within their Member State, which is likely to happen towards the end of 2018. Where it applies, the key obligations of the NIS Directive are to maintain adequate security measures and to report breaches to the supervisory authority. Prudent businesses should proactively review their security and breach-reporting processes now, not least because these will also be requirements under the new data protection law explained below.
Data protection & privacy
Data protection laws seek to protect information about living individuals (personal data) by imposing obligations upon organisations that hold and use information about them. To date, Europe has led the way with Directive 95/46/EC (the Data Protection Directive), followed by jurisdictions around the world. The long-negotiated General Data Protection Regulation (GDPR) was finally adopted in April 2016 and published in the Official Journal on 4th May 2016; it will become binding upon organisations on 25th May 2018. The GDPR will impose strict obligations upon organisations that collect personal data about their employees, customers, clients or suppliers. Those that fail to comply with its provisions risk fines of up to €20,000,000 or 4% of worldwide annual turnover, whichever is the greater.
In addition to the statutory obligations, a common law right to privacy is emerging through case law, giving affected individuals a right to compensation where their personal data is misused and causes them damage or distress, even without financial loss. Accordingly, an organisation that suffers a cyber-attack risks not only regulatory action from the data protection authority, but claims for damages from affected data subjects.
Organisations must be mindful that if they lose personal information as a result of a cyber-attack, whether about their employees, customers, clients or suppliers, this may amount to a data protection breach by the organisation, even though it is the apparent victim of the attack. For example, in 2012 the British Pregnancy Advisory Service was hacked by an individual who was subsequently prosecuted. A later investigation by the Information Commissioner in 2014 nevertheless found that the charity had failed to implement sufficient security measures, and a fine of £200,000 was imposed on the charity.
Compliance with data protection laws is a complex challenge for organisations, particularly those that operate across international borders. However, there are some potential 'quick wins' that organisations can score to significantly reduce their exposure to the risk of regulatory action. First and foremost is understanding the personal data they hold, whether employee, customer or supplier, where this is held, how it is used, and whether such use is in accordance with applicable data protection law.
Aside from their statutory obligations, organisations should not overlook the contractual obligations they may owe to their clients in relation to cyber security and data protection and the rights owed to them by their service providers. It is fairly obvious that organisations providing IT-related services to their clients are likely to have contractual obligations including provisions around security, breach notification, and – where personal data is concerned – to comply with applicable data protection laws. However, any organisation that holds consumers' personal data, whether to provide goods or services, both online and offline, is likely to be subject to contractual obligations to protect those customers' personal information and to guard against cyber-attacks. Where organisations rely on third parties to provide their services (or goods), through outsourcing arrangements or the use of hosted or cloud services, they must ensure the contractual commitments made to them equal or exceed those the organisation gives to its clients or customers.
Following a cyber-attack, organisations may find themselves subject to contractual liability as well as statutory, and in some cases may have to take action against their service providers where the service provider (for example, a hosted IT service, or third party payment processing provider) has contributed to the breach.
To manage this risk, in-house counsel should conduct an audit of their service contracts, and ensure that any contractual commitments vis-à-vis data protection and/or cyber security made to their customers are matched in those contracts with their service providers (i.e. where the organisation is a recipient). Note that current data protection law prescribes specific contractual provisions in certain circumstances, which will become more complex when the GDPR comes into force.
An organisation suffering a cyber-attack potentially faces regulatory action under cyber security and data protection legislation, claims for contractual damages from affected clients and potentially common-law claims for misuse of personal information. The foregoing article makes some suggestions as to how in-house counsel can make a start in pre-emptively managing the risk. Of the three areas, data protection presents the greatest risk, given the scale of the potential fines under the GDPR. Given that the clock is ticking and 25th May 2018 is looming, the time to start work is now.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.