There are three key ways businesses can limit their liability in the event of a cyber attack, according to law firm Kemp Little.
“Responses to cyber attacks need to be organic and grow as organisations learn more,” Alison Rea, intellectual property and litigation senior associate at Kemp Little, told a seminar on cyber attacks in London.
“However, key to limiting liability is identifying the source of the attack, reducing the spread of stolen data and mitigating liability to third parties,” she said.
By identifying the source of an attack, Rea said organisations are usually in a better position to stop it and identify how best to deal with it.
If it is an insider job, for example, one of the most effective ways of dealing with it may be a grievance procedure or disciplinary action against the individual involved.
“However, if the attack has been enabled by social engineering to manipulate an insider into clicking on a malicious link, then employee training and tightening up internal policies would be more appropriate,” said Rea.
If the source of the hack is a service provider, then an organisation can look at applying pressure through contractual agreements, but if the source is an anonymous third party, then the course of action is more likely to be notifying law enforcement.
“To establish the source of an attack to determine the most appropriate response and we always encourage companies to call in external investigators to reduce pressure on internal IT teams and to establish continuity of evidence immediately that will be vital if it leads to a criminal case,” said Rea.
External investigators will typically collect forensic evidence, take a snapshot of servers and put all that in a sealed evidence bag, which is often key to ensuring the strength of a criminal case.
“Technical investigators are usually able to identify IP addresses linked to an attack, and this can be useful in making a court application for a Norwich Pharmacal Order against an email services provider, for example, to get more information,” said Rea.
Once a few individuals have been identified as possible attackers, targeted organisations can apply for a search and seizure order to ensure evidence is not destroyed by the attackers.
In an attempt to limit the spread of stolen data, organisations targeted by cyber attacks can apply for an interim injunction to stop further publication.
To obtain an injunction, Rea said there has to be a serious question of law that needs to be tried, which means they are typically tied to things such as copyright infringement and breach of confidence.
“The good news is that with social media platforms, they are fairly likely to take your complaint seriously. However, they have safe harbours under legislation, so until they know about it they don’t have to do anything, which means it is useful to prepare take-down notices in advance to speed up the process of sending these out when necessary,” she said.
At the same time, targeted organisations can request information to identify who is spreading the stolen data as this data is seldom stored longer than 90 days.
Another way of regaining control, said Rea, is to take legal action to shut down domains that use trademarks, such as ashleymadisonleakeddata.com.
Technical measures to limit the spread of stolen data include third-party monitoring services for forums, social media and sharing websites to track leaked information.
Mitigating liability to third parties such as customers typically involves dealing with breach of confidence or breach of contract claims when personal data is stolen.
Where there is no opportunity for these claims, customers – and even their customers – could make a tort (legal liability) claim on the basis that the targeted organisation had a duty of care in relation to their personal data, which could result in significant liability.
“Organisations need to prepare for situations like this by thinking about what sort of losses might arise, and in the event of a breach, organisations need to be careful about making blanket statements that do not consider individual circumstances,” said Rea.
It is important, she said, for organisations to consider what their public relations (PR) response might be, what concessions they would be willing to make publicly and how they would handle a large number of customer complaints or enquiries.
“In the event of a cyber attack, organisations will typically be fire fighting on a number of different fronts. They are going to want halt the attack and find out who is behind it, they are going to have to deal with the regulatory authority, they are going to want to assess their liability to customers and at the same time assess the liability of their own suppliers,” said Rea.
“At the same time, the targeted organisation may want to send out take-down notices to halt the spread of the stolen data, and as part of all this they are probably going to have to make a few tough decisions about things, such as how to respond to ransom notes or respond to internal threats,” she said.
For these reasons, Rea recommended that organisations consider the three highlighted areas to ensure they are in the best possible position to respond to a cyber attack to limit liability.