Businesses can use legal protection to minimise the loss and risk that arises as the result of cyber attacks, according to law firm Kemp Little.
“There is a vast array of potential losses a result of a cyber incident,” Alex Cravero, commercial technology associate at Kemp Little told attendees of a seminar on cyber attacks in London.
These include loss of customers, reputational damage, PR costs, loss of competitive advantage, loss of intellectual property, the cost of replacing equipment and fixing or improving IT systems, and fines.
Potential secondary costs include breach of contract costs, litigation against cyber attackers, data monitoring services for those affected by the breach, legal costs and increased insurance premiums.
“The combination of these avenues of loss with the potentially global nature of a cyber incident can lead to enormous losses,” said Cravero.
However, he said the fact that most companies no longer handle their own IT presents the opportunity to make use of contractual protections and controls that can be put in place by both the providers and consumers of outsourced services to transfer risk to and recover losses from other parties.
“Parties may seek to pass risk to each other via indemnities for breach of confidentiality or breach of data protection clauses and laws,” said Cravero.
“Data protection and privacy clauses could include requirements for the party receiving data to maintain appropriate technical and/or organisational measures to secure and protect against accidental or unlawful destruction, loss or disclosure of data, among other obligations”.
There could also be negotiation around fines, legal costs and liability for loss of data, which he said customers will be keen to carve out of any liability caps an organisation may have and make them recoverable as direct losses.
“This allows for the recovery of damages resulting from the loss of data, regulatory or other fines, and global legal fees resulting from a breach,” said Cravero.
In addition to contractual measures, he said organisational measures such as education, training and policies play a key role in preventing and responding to cyber attacks.
“Because a large proportion of cyber incidents are linked to human error, policies are useful tools to ensure employees are clear on their roles and responsibilities regarding the data they control,” said Cravero.
However, he said policies should be “living documents” that are continually updated to adapt to evolving business and IT requirements, and should be based on the specific types and uses of data and regulations applicable to each particular organisation.
Document retention policies, for example, ensure that data and information is retained only for as long as strictly necessary.
“If data does not need to be retained for any longer, you are only increasing your risk of a cyber attack without any benefit from keeping it,” said Cravero.
Protecting IT assets
IT security and data protection policies provide a framework for how an organisation protects its IT assets from all types of threats.
“These policies ensure all users understand their responsibilities for safeguarding the data they handle so as to protect the organisation’s information systems and data, and to reduce the risk of theft, loss, misuse, damage or abuse,” said Cravero.
An incident response policy is particularly important, he said, and should at the very least task a team of individuals with responding to a cyber incident and set out clear procedures for handling the initial response to a cyber attack, investigating and remedying an attack, identifying and mitigating any legal risks resulting from an attack, dealing with PR and press releases, and reporting incidents to the appropriate authorities.
Another way of minimising risk, said Cravero, is to become certified under voluntary standards such as the European ISO 27000 series or the US National Institute of Standards and Technology (Nist) Cyber Security Framework.
“Certification allows companies to demonstrate that they have put in place best practice information security processes, and is rapidly becoming a requirement for contracting with larger organisations,” he said.
“For example, the UK government requires companies to be certified under the relatively new Cyber Essentials Scheme to obtain certain government procurement contracts.”
CES seeks to ensure that risk management practices have been independently tested and verified.
“It is likely that voluntary standards will increase in volume and coverage in the next few years, raising the minimum level of expected information security above that currently set by ISO and Nist,” said Cravero.
However, he said no matter what preventative steps are taken, all companies are likely to experience at least one cyber incident, and when that happens, companies need to address a number of areas effectively and efficiently, and often simultaneously.
“In the UK, other than telecommunications companies and internet service providers, there is currently no general mandatory requirement to notify the authorities or the public of a cyber incident or data loss,” said Cravero.
However, he noted that industry-specific mandatory notification requirements do exist, such as in the financial services sector, and the Information Commissioner’s Office (ICO) does expect to be notified of serious breaches.
“In deciding whether or not to notify individuals of a data breach, companies must consider the potential detriment to individuals affected by the breach and the volume and sensitivity of personal data lost or corrupted,” said Cravero.
Mandatory breach disclosure legislation
He also noted that mandatory breach disclosure legislation in the US has inspired legislation in Europe, especially the Network Information Security (NIS) Directive and the General Data Protection Regulation (GDPR), which are both set to introduce mandatory requirements across the European Union (EU).
While the ICO is currently able to fine companies a maximum of £500,000 for severe data breaches, Cravero said this is likely to increase significantly under the GDPR. However, he said the damage to brand image is the “real hit” businesses should fear if customers’ information is compromised.
According to Cravero, there are a number of other avenues companies will have to consider to minimise loss and resolve a cyber incident.
PR will form an important mitigation tool, he said, especially where mandatory or public notifications are required. “To do this effectively and efficiently requires planning, both in terms of content of the press release and how to demonstrate the veracity of the press release by specific actions.
“Tracing attackers and commencing litigation against the attackers may also be an option, and a claim may need to be made under any cyber insurance policy,” said Cravero.
He added that companies should also be mindful of the fact that the current system is due to change in the near future with the arrival of the NIS Directive and the GDPR, expected in late 2015 or early 2016.
“The NIS Directive is a codification of the EU’s vision of how best to prevent and respond to cyber disruptions and attacks, and will apply to companies that provide essential services such as key internet enablers and critical infrastructure operators, including e-commerce platforms, social networks and operators in energy, transport, banking and healthcare,” said Cravero.
Once in force, the NIS Directive requires those organisations to notify the regulator of security incidents that have a significant impact on the continuity of the company’s services. However, the regulator may elect to notify the public, he said, taking away a key strategic decision from the company concerned.
The directive will also require those companies it covers to demonstrate the effective use of security policies and measures.
“Failing to do so, is likely to result in reputational damage, loss of customers and potentially also breach of the GDPR leading to more severe enforcement actions,” said Cravero.
While the NIS Directive is expected to finalised shortly, the GDPR is considered to be on track for completion in early 2016.
“An important point to note is that under the GDPR, data controllers – the primary entity collecting personal data – will remain liable for data breaches even where data processing is outsourced or subcontracted to cloud service providers, for example.
“But data processors should take care as the GDPR will also impose for the first time direct obligations upon them,” said Cravero.
The key changes to the current situation that will come in the GDPR, he said, relate to mandatory notification and the levels of fines.
Under the GDPR companies will be required to notify the ICO of any data breach within either 24 or 72 hours from time of discovery. “But the precise timeframe is currently one of the key sticking points,” said Cravero.
Failure to comply with the GDPR, he said, will expose companies to fines of up to €100m or 5% of annual global turnover, whichever is greater.
“This is significantly greater than the currently ICO maximum of £500,000 – which means a single cyber incident could spell the end for a business,” said Cravero.
“It is important, as we approach the implementation of the GDPR, to ensure that you understand how it will apply to your business, that you get the necessary policies, procedures and technologies in place, and that you adapt as necessary that you don’t fall foul of the regulations when a cyber attack takes place,” he added.
In summary, Cravero said it is important to train employees and provide clear and easy-to-read policies to show them how to do what is required, and to understand all contractual risk and obligations.
He added that it is also important to manage the risks you accept as a supplier or ensuring the necessary coverage as a customer, think about appropriate cyber or other insurance, and consider updating practices to comply with voluntary standards and demonstrating compliance through formal certification.
Companies should also be aware of the changing regulatory landscape and ensure that all involved parties understand this rapidly evolving area, said Cravero.