A trail of disruption has been left by the “WannaCry” ransomware attack which reportedly affected 100 countries, 200,000 individuals and brought organisations such as the NHS and Fedex Renault to a standstill. This gave us pause to reflect on the practical steps organisations can take to minimise litigation risks arising from a breach of cyber security measures.
Not Just an I.T. Risk
Cyber security is a business critical issue that cannot be ignored and should be viewed as part of an organisation’s overall risk management policy.
The Government’s National Risk Assessment 2016 identified cyber security as one of the potential risks for Ireland in 2016/2017. The potential scale of the problem for Irish business is illustrated by figures released in 2015 by the UK Government which commissioned an Information Security Breaches Survey in that jurisdiction. It reported that 90% of large organisations and 74% of small organisations surveyed has experienced a security breach in the previous year with 59% expecting an increase in security breaches in the coming year. Fourteen was the median number of breaches suffered by large organisations in the previous year with four being the median number for small organisations. The average cost to a large organisation of its worst security breach ranged from £1.46 million to £3.14 million. The average cost for a small organisation ranged from £75,000 to £311,000.
Increasing Regulatory Vigilance
A key part of mitigating the risk of significant losses arising from a cyber security incident is to understand the legal implications of such a breach. Cyber security law and regulations are constantly evolving.
Regulators, particularly in the financial services industry, are increasingly asking whether organisations are “cyber-attack” ready. Organisations subject to inspection will face questions about their cyber – security risk assessment, business continuity plan, insurance, network controls and so on. Outside these regulated industries adopting best practice in terms of cyber security can significantly mitigate an organisation’s loss arising from such incident.
Types of Loss arising from a Breach of Cyber Security Measures
Most organisations will understand the potential for economic loss arising from business interruption, the reputational damage and potential data protection issues that can arise by a cyber security breach. However, they may not have considered the potential exposure to litigation.
As a result of a cyber security attack, an organisation may find itself liable for non-performance of a contract, in breach of express or implied terms to store customer data securely, or may be liable in tort for failure to take reasonable security precautions when storing customer information. In addition, data subjects may take direct action under data protection legislation.
Practical Steps to help mitigate loss arising from breach of cyber security measures
1. Be aware of the most common types of security breaches affecting your type of organisation
For example; systems failures and data corruption, viruses and malicious software; theft or fraud involving I.T. systems, incidents caused by staff and attacks by hackers.
2. Undertake a security risk review
Engaging an external information security consultant is recommended to assess the effectiveness of existing security processes. Identify the information that your company needs to protect to continue operations of a sensitive nature and identify potential areas of weakness.
3. Develop policies, procedures and plans
Putting in place a set of best practice policies and procedures will help to minimise the risk of claims in tort, for example, an information security policy and a home and mobile working policy. Develop and test a comprehensive cyber-incident response plan.
The appropriate policies, procedures, security software and cyber insurance cover will depend on the activities of the organisation. It is a question of conducting an assessment at a granular level relative to the organisation’s customers, data and funds held, the nature of the sector generally, the supply chain and any jurisdictional considerations.
Consult with external legal providers and have strategies in place to manage any reputational damage. Have “Guidelines” in place to assist those who may be responsible for issuing press releases and ensure that particular care is taken where court proceedings are in being.
4. Create a culture of cyber-security awareness
Managing cyber security risk needs to be driven from the top down. Ensure that all employees are trained to identify, mitigate the risk of and respond to a cyber security threat. Conduct periodic testing of responses to cyber-attack scenarios.
5. Designate a person to act as Cyber Security Officer
Appoint an individual within the organisation to keep a record of all cyber security incidents. Review and update policies and procedures on foot of reported incidents.
Having a person given discreet responsibility for cyber security who can collaborate with, or indeed hold the dual role of, data controller, will assist compliance with the General Data Protection Regulation (“GDPR”. The GDPR is an EU regulation intended to strengthen and unify data protection for all individuals within the EU) and ensure that there is no ambiguity as to responsibilities for each function within an organisation.
6. Review insurance policies
Consider whether the organisation has appropriate insurance policies to cover losses arising from a cyber security attack, to include business interruption services. It is advisable to ensure that any such policy makes provision for incident response assistance.
7. Review contractual agreements
Review your organisation’s entitlements arising from failure of a supplier to fully express contractual obligations as a result of a cyber security breach at their organisation.
Consider whether suppliers are contractually obliged to provide business continuity support in the event of a cyber security breach at your organisation.
Consider your organisation’s contractual obligations to continue supplying goods/ performing services where it has been subjected to a cyber security breach.
8. Review intellectual property arrangements
Some cyber-attacks specifically target an organisation’s intellectual property. Ensure that valuable intellectual property is adequately registered and protected.
9. Be aware of any notification or reporting requirements
The Data Protection Commissioner has issued a code of practice for dealing with Personal Data Security Breach. The code recommends that all incidents in which personal data has been put at risk is to be reported to the Data Protection Commissioner as soon as the data controller becomes aware of the incident. Anyone affected by the incident should also be notified. The GDPR will introduction specific penalties for lack of compliance in this regard.
10. Work with your lawyers to maximise legal privilege
Lawyers can assist with incident management and advise on the legal implications of the breach and any specific obligations on your organisation. The involvement of lawyers is also crucial to attract legal privilege, which may prove to be extremely important in the event of litigation.
By Maria Gleeson, Senior Solicitor and Michael Murphy, Senior Associate Solicitor, Litigation Department.