Tech Focus: Cyberrisk — the legal landscape
23 September 2015
Recent high profile security incidents illustrate that no institution or business is immune from cyberattack. A cyberattack on the White House in 2014 resulted in a partial shutdown of its email system. In a reported attempt to extort money from the ECB, email addresses and other user contact information were stolen in 2014. Confidential movie scripts and emails about staff and movie stars were released as part of the 2014 Sony hack. Already this year, the Carphone Warehouse security breach in early August and the more recent Ashley Madison hack have received extensive media coverage.
Less than a third of businesses across Ireland are fully prepared to deal with a cyberattack and a significant majority are not fulfilling basic legal requirements, leaving themselves open to possible litigation and fines on top of risking the loss of intellectual property and commercially sensitive information. This is according to the first-ever A&L Goodbody Cyberrisk Study, which was launched earlier this year.
“The application of criminal law is not limited to those who perpetrate attacks — officers of a corporate body that has committed an offence under the DPA may also be guilty of that offence”
The study, conducted by Red C, found that the basic legal obligations businesses most commonly fail to meet include: having no written cybersecurity policies in place (65%); not training employees on what to do in the event of an attack (59%); and not assigning responsibility for dealing with an attack to any one employee or team (49%).
Highlighting the need for companies to deal with cybersecurity issues from the top down, the survey also found that one in four (25%) company boards have not been briefed on their business’ legal obligations and the mechanisms that are in place, if any, to deal with a cyberattack.
Furthermore, fewer than a third (27%) of companies surveyed said they were fully prepared to deal with an attack and, when prompted, cited a lack of awareness of their company’s legal obligations as their biggest challenge (63%).
As Irish legislators try to keep up with trends and developments in this ever more sophisticated world of cyberrisk, a number of key laws currently dominate the cyberrisk legal landscape.
Data Protection Legislation: The Data Protection Acts (DPA) require data controllers and data processors to take “appropriate security measures” to protect personal data and to ensure that staff and “other persons at the place of work” are aware of, and comply with, those measures. The law does not specify what amounts to “appropriate security measures”. The DPA does, however, identify a number of factors relevant to assessing appropriateness, including: the state of technological development; the cost of implementing the measures; the harm that might result from a breach; and the nature of the data concerned. The Office of the Data Protection Commissioner has published a Personal Data Security Breach Code of Practice which should be consulted in every instance of unauthorised disclosure of personal data. Although the Code is non-binding, it sets out the Commissioner’s expectations on how a breach should be handled and when the Office should be notified, so a business that ignores it will find it hard to show that its response was appropriate.
Duty of Care: A duty of care may arise in relation to data compromised during a cyberincident. Data controllers and processors both owe individuals whose data they process an express statutory duty of care under the DPA. As such, they may be subject to a claim for damages where a cybersecurity incident arises in connection with a breach of that duty. The Irish courts have to date held that actual damage must be proved and damages for distress are not recoverable unless extreme distress results in actual damage, such as a recognisable psychiatric injury.