Businesses need to look beyond tick-box compliance on information security, says expert

Out-Law Analysis | 24 Nov 2015 | 3:03 pm | 6 min. read

FOCUS: Businesses need to look beyond their legal obligations on information security to increase their chances of staving off, or at least minimising the impact of, cyber attacks.

Major organisations operating in multiple jurisdictions face a growing number of legal and regulatory obligations on information security. Because the law on information security tends to lag behind technology, companies should look to industry best practice, and not merely to their minimum legal duties, to reduce their exposure to cyber risk.

Deploying a high level of preventative security measures is just one of three steps organisations need to take to address the cyber threat posed to their business.

Information security measures – going beyond legal requirements

Cyber attacks on trusted organisations are becoming more frequent and high profile, as shown by the major incident that recently affected telecoms provider TalkTalk. Cyber security is now firmly a board room issue. Nobody wants to be the one who gets hit, and many blue chip companies are now role-playing what would happen in that scenario to establish their response strategy.

However, the legal, technical and reputational challenges of addressing information security are proving highly complex for organisations to manage. The issue is not helped by the fact that multinational companies face an increasing number of laws and regulations on information security.

In the EU organisations face general obligations around the security of personal data under the Data Protection Directive. National laws implementing the Directive, however, vary. For instance, whilst only general data security rules apply under UK law, other countries, like Denmark, are specific about the security measures organisations need to implement to remain compliant.

Information security is a main thrust of planned new EU data protection laws. The forthcoming EU General Data Protection Regulation would directly impose security obligations, and liability, on data processors as well as data controllers. New data breach notification obligations look set to be imposed on data controllers too under the Regulation.

Then there are sector-specific requirements. In the US, for instance, health care providers face information security obligations under HIPAA. In the EU, financial services companies have to adhere to the MiFID regime, whilst telecoms providers have obligations to report data breach incidents to regulators under the EU's e-Privacy regime.

Further data breach notification laws are set out in many US states, whilst the Federal Trade Commission has attempted to regulate security under its "unfair or deceptive acts or practices" remit.

In Asia, companies have had to respond to a maturing data protection law framework, with new legislation implemented in Singapore, for example.

The threat posed by cyber criminals to critical national infrastructure has also been recognised by EU law makers who are currently negotiating a new Network and Information Security Directive to stiffen protections.

The various laws affecting security can be divided into two main types: those that require certain security measures to be taken for compliance, and those that impose obligations or liabilities in relation to security breaches – notably, duties to report such breaches. They are related, of course, as failure to implement required security measures could require the business to report the failing if there is a breach.

However, the law often lags behind technology. Industry best practice frequently recommends security measures that no law specifically requires. It is sensible for businesses to implement the measures identified as best practice, appropriate to the particular risks they face, even where their implementation is not a legal requirement.

Implementing industry standard measures can also help to provide some defence or reduce liability or fines if there is a security breach.

Implementing a high level of security, which means having the right technology to address external threats together with appropriate policies, procedures and processes that govern how people within the organisation interact with its systems, is the first step in addressing modern day cyber risk.

Preparing for cyber attacks also means knowing how to respond

As well as implementing preventative security measures, businesses need to have in place, in advance of an incident, a clear strategy for engaging with regulators and those affected when a breach occurs. They also need a structured incident response plan which deals with the technical and legal consequences and reputational impact of a hack or data breach.

Much of the focus of recent discussion on information security has centred on the protection of personal data and addressing privacy rights. However, the growing frequency of high profile incidents shows that greater attention needs to be placed on putting the processes and controls in place to protect confidential information and intellectual property as well.

A thorough vulnerability assessment, of people and processes as well as systems, should be conducted, and scoped and reviewed with the assistance of relevant experts. Lawyers and security experts can provide guidance to businesses when designing new systems or launching new products and services, or when changing existing systems, products or services. To maintain effective security standards, regular staff training and a frequent review of security policies, among other actions, should become ingrained in company best practice.

Many businesses are now working hard not just to implement industry best practice and good procedures and controls, but also to develop cross-disciplinary teams who understand the technical, legal and reputational issues in the event of a crisis. Chief executives, CIOs, general counsel and communications directors are getting around the table to ask: how do we respond if this happens to us?

In the event of a breach, it is important to bring in qualified lawyers and security experts to assess the situation immediately. Lawyers can advise on the necessary approach to regulators with respect to notifying them of the breach and what information can, or must legally, be disclosed to customers. Instructing external experts through lawyers may also help to maintain the confidentiality of security reports and other sensitive documents through 'legal privilege'.

Approaching reputation management experts is also advisable to assist in handling the PR fallout, as reputational damage from a poorly handled security breach has been known to cost businesses as much as, if not more than, the actual data losses.

The cost of getting prevention and response wrong

The potential legal claims that could be brought against businesses by people, such as customers, in the event of a security breach will vary depending on the countries and the laws concerned. In the UK, data protection laws enable an individual who has suffered 'distress' as a result of a security breach to sue the controller or processor.

Significantly, 'distress' is enough: it is no longer necessary to show financial loss in order to qualify, provided the individual can prove the distress claimed. The court ruling that established this, while consistent with the approach in many other EU countries, is under appeal to the UK’s highest court.

Legal recourse is not limited to lawsuits. A particularly damaging cyber attack could see millions of personal data records compromised. In the US, 'class actions' are increasingly common, which enable an individual to represent the affected group in a claim for compensation, and a similar 'group litigation order' is possible in the UK. Under the proposed EU General Data Protection Regulation, a kind of representative 'class action' by public interest bodies such as NGOs on behalf of data subjects may also be made possible.

The ramifications of claims like these could be financially devastating for a business.

The additional issue for businesses is that the legal impact is not limited to the customers involved. When a significant breach occurs it is the responsibility of the regulator to investigate. If a business has failed to comply with the mandatory requirements for information security then financial sanctions can follow.

The UK's information commissioner currently has the power to issue a fine of up to £500,000 for a serious breach of the Data Protection Act. Fines for security breaches may be even larger under the proposed General Data Protection Regulation where personal data is involved, possibly from 2 to 5% of the organisation’s annual global turnover. 

The development of 'cyber insurance' products could offer a lucrative niche for the insurance sector and a financial safety net for businesses. Yet, whilst many are beginning to explore its potential, the market remains underdeveloped, especially in Europe, although a PwC report earlier this year predicted that the global cyber insurance market could triple in size by the end of the decade, from $2.5 billion to $7.5bn.

Regardless of the financial protection which insurance of this kind may provide, businesses cannot afford to risk the legal and reputational repercussions of an attack.

Ian Birdsey is an expert in cyber risk at Pinsent Masons, the law firm behind Out-Law. A version of this article was first published by Infosecurity Magazine.