It has happened again. In September Yahoo announced that at least 500 million of its accounts were hacked in 2014. It is believed to be the result of the actions of a state sponsored actor and the world’s biggest data theft to date. They are the latest in a long line of cyber victims, large and small; last year TalkTalk’s site was hacked, reportedly affecting nearly 157,000 of its customers. The Ashley Madison hack received widespread publicity, due in part to the nature of its business, and the hacks on Sony Pictures and PlayStation also hit the newswires across the world.
Threats come from a variety of sources. The motivation may be theft of money or information, seeking access to third party data, or it may be idealistic. The attackers may be criminals, hacktivists who simply disapprove of a business’s activity, nation states, or they could be closer to home. Employees moving to new jobs or those disgruntled with their employer can steal important data and pass it to competitors, or leave a ‘back door’ open exposing the business to attack. Innocent employees may simply fall victim to a scam, or act carelessly.
The UK government has taken the problem so seriously that it has classified cyber attack as a tier one threat to the country, alongside terrorism, military crises and natural hazards.
The risks and implications of a successful attack on a business are significant. Some of the most obvious examples include a data breach in which sensitive information is lost, leaked, stolen or damaged. This can give rise not only to claims for damages against the business but also to regulatory interest and, potentially, fines and rectification costs. The inadvertent transmission of malware causing damage to a third party can likewise give rise to claims for damages. In addition to damages claims and fines, the internal costs to a business of dealing with the aftermath of an attack include management time and rectification costs (for example, in reconstituting a database), and reputational damage may also arise. The costs to businesses of course vary depending on the nature of the data breach and the size of the business. Estimates of the costs to Sony following the breach of its PlayStation network in 2011 were $171m, and the later hack on its movie division in November 2014 was estimated to have cost $35m in investigation and remediation costs to the end of March 2015. TalkTalk reportedly lost 101,000 customers and suffered costs of £60m.
Different regulatory regimes apply across different industries, and regard must be had to the regulatory requirements of a particular business. However, the Data Protection Act 1998 (the Act) applies across all business sectors, and the obligations it places on a business depend upon what personal data is held and whether the business acts as a data controller or processor in relation to that data. One of the key principles of the Act is that data controllers must ensure that they take appropriate technical and organisational measures against unauthorised processing or accidental loss of personal data. Not only must they ensure that appropriate internal policies and plans are put in place, they must also take reasonable steps to ensure the reliability of any third party data processors they use, such as outsourced IT, software hosting and payroll providers. A well drafted written contract placing appropriate obligations on the third party data processor is therefore essential.
A business which fails to take these steps may unwittingly find itself in breach of the Act if it, or a supplier, is subjected to a cyber attack. In addition to dealing with the immediate fallout of the attack, the business could also face claims for damages from data subjects, an investigation and a penalty of up to £500,000 from the Information Commissioner’s Office (ICO), a prosecution in the Magistrates’ Court leading to an unlimited fine, or claims for breach of contract, breach of confidentiality and breach of duty.
With effect from 25 May 2018 the European General Data Protection Regulation will apply across all Member States and creates a raft of new obligations on data processors and data controllers such as the accountability principle, privacy by design and data minimisation. The maximum fine for a number of breaches of the Regulation (whether a data controller or a data processor) is €20m or 4 percent of annual worldwide turnover in the previous financial year, whichever is higher. For other breaches, the maximum fine is the greater of 2 percent of annual worldwide turnover or €10m.
It is now quite common to see contractual provisions detailing duties and standards to be met by counterparties to protect data and guard against hacking. Furthermore, a duty of care may well arise with non-counterparties. There is a real risk of being sued in the event of breach.
All businesses must take reasonable steps to protect themselves from the risks of cyber attack. They need to identify areas of weakness in their business and infrastructure. They should put in place appropriate policies and standards, procedures and training for staff, and review business arrangements, contracts and insurance policies. There should be a response plan in place setting out the practical steps that will need to be taken in the wake of an attack. Consideration should be given to how a later investigation will be handled, bearing in mind that if investigations are conducted under legal privilege, this could protect the business from having to disclose potentially damaging material in later litigation.
As part of its planning, a business will need to review existing insurance policies to see if they might respond to a cyber attack event. Consideration should be given to putting in place appropriate insurance if necessary. While a cyber policy is unlikely to indemnify against all losses, it can provide valuable cover; be careful, however, to check the policy scope and exclusions. There is no ‘standard’ cyber policy, and the limits and scope of cover do vary across the market.
Putting in place a plan to protect from and respond to an attack is part of the solution but in itself it is not enough. That plan needs to be constantly re-evaluated to ensure it is fit for purpose. As part of this process businesses will need to keep up to date with new regulatory requirements and the changing legal framework. The insurance market also continues to see huge growth and having the appropriate type and level of cover could help to mitigate risk.
Quite apart from the impact of a cyber attack on a business, directors should also bear in mind that failure to take appropriate steps to protect the business from an attack could lead to claims being brought against them personally for breach of fiduciary duties.
By Michael Frisby, Partner
First published in Financier Worldwide, November 2016