Anne-Marie Bohan and Bríd Munnelly explain why framing and implementing a robust cyber security policy is essential for all businesses.
The repercussions for a business of inadequate cyber security are serious, and becoming more so as customers, regulators and the public become more aware of the risks of, and potential fallout from, cyber security issues. Framing and implementing a robust cyber security policy is a multi-disciplinary project, requiring IT, management and legal input, and above all, needs to be driven by senior management and the board as a fundamental business issue.
Cyber security risk and threats are nothing new and have existed since the dawning of the information technology age. In recent years however, the cyber attacks and cyber security breaches which are being reported are getting bigger and more sophisticated, and are garnering more headlines.
Social media companies, large retail groups, banks, financial institutions and government agencies, as well as individuals and households, have all been the victims of attacks and leaks, with information relating to millions of individuals, trade and government secrets, and intellectual property at risk of theft, public disclosure and misuse.
IP PROTECTION
Cyber attacks on, and security breaches within, companies can result in damage on many levels: to the company itself, where proprietary information or intellectual property is attacked and stolen; to its reputation, and the trust which its customers place in it; and to those customers themselves, where their data has been compromised by the crime or breach.
Through criminal law, considerable efforts are made to bring the perpetrators of cyber attacks to justice, whether the crime in question is a ‘traditional’ crime, such as theft, which was carried out using electronic means, or a genus of crime which could not have been perpetrated but for the technology which facilitated it, such as phishing and malware.
However, the victims of cyber attacks can in turn find themselves vulnerable to a variety of claims arising from cyber attacks which they suffer. Nor is cyber security solely concerned with protection against the threat from outside. Security risks can also arise internally, ranging from inadvertent human error to deliberate acts, each of which can give rise to claims against a business.
CONFIDENTIAL DATA
The numerous obligations to keep information and data confidential and secure to which businesses are subject can arise in a wide variety of circumstances: under legislation, regulation, common law and equitable principles, and as a matter of contract.
Businesses that find themselves subject to cybercrime may therefore be exposed to sanctions and/or claims for damages where the attack exposes a failure to meet those confidentiality and security obligations.
Similarly, failure to implement internal policies and procedures to protect information and data properly can give rise to claims. Such claims may be brought by customers arising out of alleged breaches of duties owed to those customers, in particular under contract and common law duties of care, and under the Data Protection Acts 1988 and 2003.
One of the areas in which there has been a significant increase in actions is claims for damages for ‘mere distress’ arising from data security breaches. In the UK, in the Google Inc v Vidal-Hall case earlier this year, damages were awarded in the absence of pecuniary loss. The Irish courts have not yet adopted this approach: the High Court in the earlier Irish case of Collins v FBD Insurances declined to award damages in the absence of proven loss. Should Collins be revisited in the future, however, the spectre of significant aggregate awards of damages for mere distress will become real, as even relatively small individual awards will rapidly mount up when made to hundreds or thousands of customers.
In addition, regulators, concerned with cyber security as a significant threat to the industries they oversee, are focusing increasingly on cyber security. In February 2015, the Central Bank of Ireland identified cyber security and operational risk, and the inspection of controls and procedures around system security and access as an area of focus in its programme for themed inspections, and it has since commenced its reviews of the cyber security policies and procedures of a variety of financial institutions. Inevitably, increased regulatory focus brings with it an increased risk of regulatory sanctions for breach where systems and processes are deemed to fall short of required standards.
SAFE AND SECURE
While technological protections are clearly a key element in implementing strong cyber security, businesses cannot approach cyber security as a purely IT issue.
Cyber security is increasingly considered a board-level issue, in light of the significant impact on a business of a serious cyber security breach. The board will have responsibility for the overall security policy, which should address the various aspects of cyber security, be they technological, procedural or legal.
From a technological perspective, there are few legally mandated standards or solutions which businesses are required to implement, and for good reason: prescriptive requirements would risk becoming rapidly outdated.
Industries which are rich in personal data, such as the financial services industry, are obliged to take “appropriate security measures” against unauthorised access to and use of personal data. Some guidance is given in the Data Protection Acts as to what those appropriate security measures might be, not through specification of strict requirements, but by directing that data controllers may have regard to the state and costs of technological developments, and by obliging them to ensure that the level of security implemented is appropriate both to the nature of the data and to the harm that might result from a breach.
Different industries may therefore be held to differing standards, taking into account the data which they hold, and established and developing industry standards will be factors in determining whether a breach of legal obligations of confidentiality and security has arisen.
POLICIES AND PROCEDURES
Personnel awareness and training are also critical elements of strong cyber security, with a surprising number of breaches arising from human error rather than nefarious acts. The policies and procedures applicable to personnel need to address both external and internal threats, raising awareness of the sources of cyber security risk and of the procedures to be followed in seeking to eliminate or minimise those threats.
Additionally, the relevant policies and procedures, such as internet and electronic communications usage policies, procedures in relation to external disclosure of information and remote access procedures, should be considered as part of the terms of employment, with breach giving rise to appropriate disciplinary action.
Businesses also need to have appropriate internal escalation procedures where information security has been breached, whatever the cause, and to be cognisant of consequent reporting obligations, whether to customers or to regulators. Material issues within financial institutions should be brought to the attention of the Central Bank of Ireland.
In addition, the Data Protection Commissioner has published a breach code of conduct which, while not obligatory, is generally observed and deals with notification both to the Data Protection Commissioner and to affected individuals. The draft Data Protection Regulation, which is expected to become law throughout the European Union in late 2017 or early 2018, will make reporting of breaches mandatory, and will be combined with significant sanctions of up to the higher of 2% of an enterprise’s worldwide turnover or €1m.
The repercussions for a business of inadequate cyber security are therefore serious, and becoming more so as customers, regulators and the public become more aware of the risks of, and potential fallout from, cyber security issues. Framing and implementing a robust cyber security policy is a multi-disciplinary project, requiring IT, management and legal input, and above all, needs to be driven by senior management and the board as a fundamental business issue.