Cyber-attacks upon trusted organizations are becoming increasingly frequent and high profile. This is now firmly a C-suite issue. Nobody wants to be the one who gets hit, and many blue chip companies are now role-playing what would happen in that scenario to establish their response strategy.
There is increasing recognition that how an organization responds to an incident can impact its long term prospects as deeply as the incident itself. The legal, technical and reputational challenges of addressing information security are proving highly complex for organizations to manage.
The Regulatory Landscape
For any international business, complying on a global scale with laws and regulatory developments affecting cybersecurity is a challenging task. Each country has its own, often different, laws and regulations. Laws such as the EU Data Protection Directive and sectoral laws such as MIFID (affecting the financial services industry) and HIPAA in the US (affecting the healthcare industry), each impose particular security-related requirements.
However, to date there have been few laws that specifically target the increasingly prominent issue of cyber security, other than the laws pioneered by some US states which require businesses to inform the relevant regulator of a data breach, and similar breach notification requirements on telcos under the EU E-Privacy Directive.
Regulators have tried to enforce action, for instance the US Federal Trade Commission has attempted to regulate security under its "unfair or deceptive acts or practices" remit. Whether the FTC is empowered to regulate security issues was challenged in the US courts but its power to do so has been upheld by an appeals court recently.
Legal Patchwork
As cyber-attacks are becoming increasingly frequent and high profile, focus on regulation of information security is increasing, with measures such as the proposed EU Network and Information Security Directive. But businesses are still likely to have to contend with a patchwork of different laws that affect security, including those impacting their particular sector.
For example, security requirements under national data protection laws that implement the EU Data Protection Directive can vary tremendously from country to country, even in the EU, with some Member States like the UK imposing general requirements, while others like Denmark may specify detailed measures such as logging. The forthcoming EU General Data Protection Regulation, whose aims include harmonizing data protection laws across the EU, would also directly impose security obligations (and liability) on data processors (service providers handling personal data) as well as data controllers, including breach notification obligations on controllers (those who determine the purposes and means of processing personal data).
Laws affecting security can be divided into two main types: those that require certain security measures to be taken for compliance (such as national laws implementing the Data Protection Directive, under which Member States must require data controllers to take appropriate technical and organizational measures to protect personal data), and those that impose obligations or liabilities in relation to security breaches (notably, duties to report such breaches).
They're related, of course, as failure to implement required security measures could require the business to report the failing if there is a breach. But it should be borne in mind that law often lags technology. Industry best practices may recommend taking security measures that laws may not seem to cover specifically. Even if certain security measures do not appear to be legally required, if they would be advisable according to best practices as appropriate to the particular risks involved, then it would seem sensible to take them. Having implemented industry standard measures may also help to provide some defense or reduce liability or fines if there is a security breach.
Where Should Your Business Start?
So what can a business do to help protect itself from a cyber-attack? Businesses need to have a three-step process in place. They need to implement a high level of security, which means having the right technology to address external threats, together with appropriate policies, procedures and processes that govern how people within their organizations and interact with their systems. They need to have in place, in advance of an incident, a clear strategy for engaging with regulators and those affected when a breach occurs, and they need a structured incident response plan which deals with the technical and legal consequences and reputational impact of a hack or data breach.
To date, much of the focus of recent discussions has been on privacy rights, but the growing frequency of high profile incidents shows that greater attention needs to be placed on putting the processes and controls in place to help corporations protect confidential information and intellectual property as well as personal data.
A thorough vulnerability assessment, of people and processes as well as systems, should be conducted, and scoped and reviewed with the assistance of relevant experts. Lawyers and security experts can provide guidance to businesses when designing new systems or launching new products and services, or when changing existing systems, products or services. To maintain effective security standards, regular staff training and a frequent review of security policies etc. should become ingrained in company best practice.
Many businesses are now working hard not just to implement industry best practice and good procedures and controls, but also to develop cross-disciplinary teams who understand the technical, legal and reputational issues in the event of a crisis. Chief Executives, CIOs, General Counsel and Communications Directors are getting around the table to say: how do we respond if this happens to us?
In the event of a breach, it's important to bring in qualified lawyers and security experts to assess the situation immediately; lawyers can advise on the necessary approach to regulators with respect to notifying them of the breach and what information can, or must legally, be disclosed to customers. Instructing external experts through lawyers may also help to maintain the confidentiality of security reports and other sensitive documents through “legal privilege”.
Approaching reputation management experts is also advisable to assist in handling the PR fallout, as reputational damage from security breaches have been known to cost businesses as much as, if not more than, the actual data losses if handled poorly.
The Potential Fallout
The potential legal claims that could be brought against businesses by individuals (such as customers) in the event of a breach will vary depending on the countries and the laws concerned. In the UK, data protection laws enable an individual who has suffered 'distress' as a result of a security breach to sue the controller or processor.
Significantly, 'distress' does not necessarily have to be financial harm in order to qualify, provided the individual can prove their claim. This ruling, while consistent with the approach in many other EU Member States, is under appeal to the UK’s highest court.
Legal recourse is not limited to lawsuits. A particularly damaging cyber-attack could see several hundred or millions of individuals' personal information compromised. In the US, 'class actions' are increasingly common, which enable an individual to represent the affected group in a claim for compensation, and a similar 'group litigation order' can be sought in the UK. Going forward, under the proposed General Data Protection Regulation, a kind of representative 'class action' by public interest bodies such as NGOs on behalf of data subjects may also be made possible. The ramifications of claims like these could be financially devastating for a business.
The additional issue for businesses is that the legal impact isn't limited to the customers involved. When a significant breach occurs it is the responsibility of the regulator to investigate and if a business has failed to comply with the mandatory requirements for information security, hefty fines (in the UK the Information Commissioner can issue a fine of up to £500,000), and even action for negligence, can ensue. Fines may be even larger under the proposed General Data Protection Regulation if personal data are involved, possibly from 2 to 5% of the organisation’s annual worldwide turnover.
An Ongoing Battle
Regardless of the technical, legal and reputational measures put in place, the risk of a cyber-attack continues to evolve with the development of new technologies and services. Couple this with calls from the UK and US for increased surveillance and encryption back doors, and the chilling reality is that businesses must prepare themselves for an ongoing battle, with new vulnerabilities emerging daily.
The development of 'cyber insurance' products could offer a lucrative niche for the insurance sector and a financial safety net for businesses. Yet, whilst many are beginning to explore its potential, the market remains underdeveloped, especially in Europe. Regardless of the financial protection which insurance of this kind may provide, businesses can't afford to risk the legal and reputational repercussions of an attack, thus propelling information security to the top of the board room agenda.