Increasingly, cyber attacks have become more than just a matter of public concern but of private concern, as well, as private companies are more frequently targeted by hackers than ever before. Attacks now come from all sides, and attackers may include organized criminals, governments, competitors and even a company’s own employees. The scale of private company attacks has also increased. In the past few years, companies like Adobe, Sony, and Target have all become victims of publicized cyber attacks, which not only caused significant damage to the affected companies’ infrastructure in terms of sabotage and data pilfering but also led to related legal disputes and claims for liability.
As cyber attacks become more sophisticated, so too do the arising liability issues. In this climate, company directors need to be fully aware of their legal duties and responsibilities in the face of cyber security risks, as well as the significant liability issues that can attach to them. Among others, data breaches can expose corporate directors and officers to liability in regard to breach of contract, breach of fiduciary duty, breaches of privacy legislation, breach of deceptive business practice statutes and various other forms of tort liability.
Therefore, it may no longer be enough for companies to simply provide general and holistic outward data protection for their own sensitive data and data obtained from clients. As legal liability and best practice standards may vary from jurisdiction to jurisdiction, company directors may need to develop more intricate strategies that first identify the most sensitive and valuable corporate and client information, define levels of risk exposure and then provide correspondingly proportionate layers of protection. In many cases, information protection strategies should thus involve both a company’s IT and legal departments operating in tandem.
Moreover, a company’s strategy should also extend to policies governing the response to any breaches that may occur, especially for companies operating in regulated industries or where locally applicable laws - such as state and federal laws in the United States or the EU Data Protection Directive alongside nationals laws in EU countries – would otherwise require that breaches of a company’s systems must be publicly reported. Given the tremendous damages that can be caused by cyber security breaches and the fact that criminal and civil liability may attach to directors in their wake, companies may wish to consider adopting the following sensible precautions to mitigate risks:
- Fostering a corporate culture of vigilance that emphasizes cyber security.
- Ensuring oversight of cyber security issues at the board level.
- Involving IT, legal and other teams as necessary in strategic development and implementation as well as compliance issues.
- Identifying potential threats.
- Identifying the company’s most important and sensitive data.
- Surpassing obligatory cyber security standards. Creating intricate and multi-level defenses, especially in regard to the company’s most important and sensitive data.
- Developing workplace strategies that reduce the risk of negligence and ensuring that corresponding software and hardware are employed.
- Constantly reviewing existing systems to ensure they are up-to-date and limiting any unnecessary access that might compromise system safety.
- Ensuring appropriate staff training and oversight.
- Taking necessary steps to ensure that any subsidiaries, affiliated companies, partners and contractors employ systems and devices that do not compromise the company’s own defenses.
- Creating a response plan in the event of any breach.
- Ensuring sufficient proportionate insurance coverage.
Cyber attacks are increasing in number and will in all likelihood continue to do so. Alongside damages, they may also lead to considerable legal liability unless the proper precautions have been taken. Companies are not helpless, however. Private sector cyber security requires foresight and special preparation in order to prevent attacks or, as the case may be, to mitigate the damages and liability caused by an attack. This of course also includes obtaining specialized legal advice.