You've been hacked. What are you liable for?
'It won't happen to me...' but best be prepared
Hacking is big news and we’re all susceptible. In the UK, hackers could face jail time under the Computer Misuse Act, but the question on many businesses’ minds will be where the liability lies if they are hacked.
The list of successful mega breaches continues to grow; extra-marital affairs site Ashley Madison hit the headlines last summer when data was exposed about its 37 million users, although it appeared many of those were fake accounts. Earlier this year, Yahoo! revealed the numbers behind its 2014 data breach – 500 million user account credentials were stolen.
In 2016, the SWIFT financial payments system was hacked, and this came after another group using the same approach stole $81m from the Bangladesh central bank. Even the US central bank, the Federal Reserve, detected more than 50 cyber breaches between 2011 and 2015, according to cybersecurity reports obtained through a freedom of information request.
Telecoms company TalkTalk has the dubious honour of having received the largest fine ever imposed by the Information Commissioner’s Office – £400,000 – for a cyber attack which allowed access to customer data “with ease”. The ICO’s investigation revealed that TalkTalk could have prevented the attack by taking basic steps to protect customer information.
The TalkTalk fine is far lighter than the £3m fine issued by the then-FSA to HSBC in 2009 for not having adequate systems and controls to protect customers’ confidential information.
But even that fine seems small compared to the new fines on the way under GDPR. In general, failing to take appropriate measures could lead to a fine of the higher of €10m or 2 per cent of an undertaking’s total worldwide annual turnover. If coupled with other data breaches, these figures could be doubled to €20m and 4 per cent.
One of the difficulties facing organisations is that data protection legislation is vague when it comes to specifying the standards of protection required. The Data Protection Directive and the UK Data Protection Act both require the data controller to “implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access”.
This concept is carried over to the new EU General Data Protection Regulation, which will be enforced throughout the EU – yes, including the UK – from May 2018. In fact, it also requires the controller to build in data protection by design and by default.
What does this actually mean though? What measures are appropriate? Well, the ICO has not yet stipulated a particular minimum threshold for protection, but it generally penalises organisations that suffer the loss of unencrypted laptops and mobile devices. The GDPR itself suggests pseudonymisation and data minimisation as part of a data controller's approach to protection.
While the vagueness in the legislation might mean businesses aren’t clear on what they have to do, it also means the law doesn’t have to be constantly updated to specify the latest industry standards on data security. Besides, every CISO I’ve spoken to has a clear understanding of what measures are appropriate, and it’s just whether they can persuade the CFO to allocate the budget for it.
In March of 2016, a Chinese businessman pleaded guilty to conspiracy to hack the computer networks of US defence contractors holding information about the Stealth Bomber, information which it was claimed he had passed to the Chinese government.
If you operate in the defence industry, you are likely to have made various promises to the government under the Official Secrets Act or the US and other national equivalents. You will probably have a fairly good idea of what is expected of you, so we need not go into detail here, save to reiterate that breaches could amount to jail time.
While state-sponsored hacking does happen, it seems most breaches are actually the result of either criminal activity or "kids messing around". The Chinese government might not be after your business secrets, but your competitor might. According to a SecureWorks report published earlier this year, hacking a competitor could be as cheap as $500 per mailbox.
You should attempt to quantify how much it would cost your business if you are unable to prevent others from seeing your customer database or your price list, or, in the worst-case scenario, if all your business data is scrambled. Love or hate Coca-Cola and KFC, their businesses are based on keeping their recipes secret and out of the public domain. If their recipes leak out, it could destroy their business. Why pay a premium for use of information if you can use it for free and develop a competitive product?
While it’s unlikely you will get compensation from someone who hacks your data, you might have to pay out to your customer or supplier for any losses they sustain as a result.
Every commercial and technology agreement I draft, whether I’m acting for a supplier or a customer, has a clause clarifying that both sides will protect confidential information. This usually acts as a reminder of the general law of confidentiality, but the greater the perceived value of the information in question, the more the clause will supplement that with extra detail. At the least it will say a party will use information disclosed to it only for the purposes of the agreement and will disclose it only to those people who need to know it and for the purposes of the agreement.
A more robust clause might require the parties to get individual employees or subcontractors to execute a confidentiality undertaking. Some clauses will say a party will protect the other’s confidential information to the same standard as it protects its own and, in any event, to no less than a reasonable standard. It will often have an acknowledgement that if the confidentiality obligation is breached, compensation would not be an adequate remedy and that a court injunction would be vital to protect confidentiality – although compensation will often be payable too, if it is too late for an injunction.
Finally, many agreements contain an indemnity for breach of data protection or confidentiality obligations.
Some business partners will undertake a data security audit of your business to ensure you have adequate measures in place. Some will rely upon a warranty that you comply with ISO 27001 or some other data standard.
At the least, liability will turn upon whether you took a reasonable standard of care under the circumstances. There will be no point relying upon a force majeure exception – an event beyond your reasonable control – if you should have taken stronger security measures. In its criticism of TalkTalk, the Information Commissioner effectively issued a harsh warning to other organisations:
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
It is worth taking note of two recent court rulings (although neither involved hacking). In October of 2016, the High Court granted an injunction preventing the misuse of confidential information obtained under a customer-supplier relationship relating to the production of edible infused oils. In June this year, in the culmination of a long-running dispute over misuse of confidential information, the Court of Appeal upheld a judgment that a business rival set up by ex-employees had to pay $485,000 compensation for developing a competitive mosquito net product indirectly using confidential information.
Reputation damage and loss of customers
Ultimately, if your customers desert you because you have lost their confidence after a data breach, this might be more costly than regulatory fines and legal action. TalkTalk admitted to losing 101,000 customers and £60m due to the hack. The fine it received from the ICO pales in comparison with this level of loss, which is higher even than the new fines under the GDPR.
It won’t happen to me
Many businesses are convinced it won’t happen to them. Kevin Mitnick, arguably the world’s most famous hacker and now a trusted security consultant, commented recently that 80 per cent of US businesses have been hacked – many not even aware of it – and HR and sales departments are the most often hacked because they are the least computer security aware.
It is clear to me that affordable data breach fines will be phased out under GDPR, and Brexit is unlikely to change that. Also, businesses have a clear remedy for a breach of confidence. It might be time for you to reassess your data security and your confidentiality obligations.