I know at least one really exceptional cyber-law specialist (mentioning no names), and no, it isn’t me.
But, like every director in every business or organisation, I am finding it increasingly important to be aware of the legal considerations around cyber risk. We are hearing about more high-profile cyber and data breaches, and their impact appears to be growing too. This isn’t just loss of information: a company’s ability to run its core business is being undermined.
I’m sure the more technologically-minded of you out there can explain the current state of play, but as we move towards “Q-Day”, the point at which a quantum computer becomes powerful enough to break the public-key encryption that currently protects most online transactions and communications, it seems to me that the likelihood of cyber attacks impacting all businesses can only grow sharply.
Cyber-security firms are in a race with the cyber criminals. But the regulatory and legal framework will undoubtedly lag a long way behind.
So, what kind of things should we be thinking about to protect our businesses from the impact of a cyber-attack?
We are constantly reminded about the more obvious steps that should be taken: effective cyber-security measures; training your staff to be vigilant; ensuring that sensitive information is appropriately protected and secured; resilience measures and contingency planning; and testing for system weaknesses. Most of that probably sits with your IT consultants.
And you already know that an attack on your DNS (hijacking your domain or knocking your name servers offline) will take your e-commerce site down with it. You already know that theft of intellectual property or money (or diversion of money) will directly impact your commercial or financial position. You already know that you could face reputational damage if word gets out. Cyber-insurance has a role to play there.
But as a consultant legal director, I like to think about what further steps can be taken to protect a business in the context of its legal relationships. What are your obligations, and what potential legal pitfalls arise from cyber attacks?
From a business perspective, I try to break it down into four categories:
1. Regulatory obligations, claims and penalties:
- By now, everyone should have a handle on data protection regulation and the obligations around the security of the personal data you hold or process: data subject rights and claims; adequate security systems; and so on. I’m not going to say any more on that.
- But it’s also worth thinking about how you might respond to a ransomware attack. If you are minded to pay, where might that leave you? Ransomware groups may be designated entities under international sanctions, and a payment to them could amount to a sanctions breach or to funding criminal or terrorist activity. It’s hard to plan for in detail, but having someone on speed dial who can advise before any payment is made seems sensible.
2. Claims made against you by customers:
- Consumers and commercial partners might hold you responsible for their losses even if the cyber breach hasn’t affected them directly. This might arise if you are unable to meet a contractual obligation because of a cyber-attack you have sustained.
- Or have you entered into some kind of indemnity or contractual obligation under which you could be held liable for an indirect loss suffered by the other party, such as reputational damage caused to them by association with you once you have sustained the attack?
- How do your contracts or terms of business deal with that?
3. Failure of third-party suppliers
- Outsourced third-party suppliers and SaaS vendors provide you with solutions. Common examples include website/e-commerce hosting; cloud storage and enterprise systems; AI solutions providers; HR support; IT support; and, of course, IT security providers. It’s their business, and you have probably contracted on their terms.
- Who is liable or bears responsibility for a cyber-attack or data breach that they incur, but which then affects your business and information?
4. Indirect commercial losses
- We already know about the risk of reputational damage, but you could also lose contracts.
- This might be because you are deemed to have failed to meet the cyber-security standards required by the other party to the contract. Maybe a cyber-attack prevents you from satisfying the selection criteria of a procurement exercise. Maybe the contract simply entitles the other party to exit without notice if you sustain a cyber-attack.
- Are any of your existing or prospective contracts at risk?
If you are the direct target of a cyber-attack, you are a victim. But you aren’t the only victim. Everyone involved or affected by a cyber-attack is a victim (except for the hackers themselves, and the regulator). Whether or not you are first in line for the attack, there will be a chain of consequences impacting a series of victims.
It’s probably safe to assume that it’s practically impossible for you to take legal action against the hackers… if you can even identify who they are. So who takes the blame? You may be blamed by others for leaving yourself open to an attack and becoming a victim yourself. Or maybe you are blaming someone else. In the ensuing cyber bun-fight, who is going to take the brunt of the liability? Who will be more the victim? Is it something you can prepare for in your legal documents?
I am not a cyber-specialist, but that doesn’t stop me thinking about the consequential legal implications and risks arising from cyber breaches, and it shouldn’t stop you either.