Cybersecurity breaches -- closer to home than you think
Most people associate "cyber breaches" with criminal hacking, political "hacktivism" or sovereign state espionage. These types of cyber breach events are newsworthy, seem to happen overseas more often than not and attract broad media attention. They seem quite removed from the world of the average client's business in Australia.
Consider the cyber attack on Sony Pictures in November 2014. This cyber attack wiped out approximately two-thirds of Sony Pictures' computer systems and servers and was reportedly one of the most destructive cyber attacks ever to take place on American soil. Speculation that North Korea was behind the attack quickly surfaced, linking it directly to Sony's controversial new comedy The Interview. Ultimately the incident culminated in the United States imposing sanctions on North Korea in response.
Cyber breaches do not just happen overseas, however. Australian businesses too are increasingly likely to suffer cyber breach events without experiencing any of the Hollywood fanfare. So how best to advise your clients on this new risk to their business?
Some initial takeaways
For Australian lawyers who are now being called upon to advise their clients on managing the legal risks associated with cybersecurity breaches, there are a few tips to bear in mind:
- be aware that regulators in Australia have stepped up their efforts to bring cyber breach risks to the attention of Australian businesses, with both the Office of the Australian Information Commissioner (OAIC) and the Australian Investments and Security Commission (ASIC) providing up-to-date and relevant guidance on managing such risks. Take the time to familiarise yourself with the OAIC and ASIC guidelines -- they are a useful source of information;
- understand that cyber risk issues cut across a number of legal and compliance areas -- you will be expected to advise broadly on contractual and regulatory risks, including under the Privacy Act 1988 and any regulations which may apply specifically to your client's industry; and
- finally, take the time to understand the advantages that cyber insurance may offer your client. While cyber insurance should only ever comprise one part of your client's broader risk strategy to combat cybersecurity risk, it nevertheless can provide a useful addition to this strategy.
So how do cybersecurity breaches occur?
For lawyers advising their clients, it is important to understand how such breaches can occur in the first place. There are three main ways that cybersecurity breaches can occur: first, as a result of criminal and/or malicious attacks (ie, hacking); second, through the negligence or mistakes of employees or contractors; and finally, as a result of technology or system failure.
Sometimes the breach can be inadvertent, often occurring through interception of email or other data communications. Equally common is the risk of loss of sensitive information or data caused by insiders, such as employees who have security clearance to access network and communications systems.
It is clear that businesses need to consider how to design their systems security and access regimes to minimise the risk of unauthorised access to company data and prevent the occurrence of data breaches -- both from "within" and "without".
You can assist your client to focus on being prepared. This will put your client in a better position to respond rapidly to a cyber breach event, to control and manage the subsequent impact on the business, and to effectively manage any brand or reputational fallout. Having a plan in place will ultimately save your client's business both time and money.
So what are the real risks?
The most obvious risk to your client's business is the loss of commercially sensitive information, such as the loss of trade secrets or the disclosure of personal information. Laws relating to breach of confidentiality are well established. The remedies available for breach include taking action to try to compensate for the loss and damage suffered as a result of the breach, although damages are not always an adequate remedy.
It is well known that once confidentiality is lost it cannot be regained, so it is important to advise your clients on the preventative measures they can take to properly protect and secure information.
If the Privacy Act 1988 (Privacy Act) applies to your client's business, you will need to advise your client on the risks of a failure to secure data where that failure results in a breach of the Privacy Act. The Privacy Act requires entities to take reasonable steps to protect personal information such as customer details. Significant penalties may apply to your client if they are responsible for a breach of the Privacy Act. These include fines of up to $340,000 for individuals and $1.7 million for corporations as well as the potential for a compensation order being awarded.
Lawyers need to be aware that company directors should also be informed of the risks of security breaches involving a breach of directors' duties or other liability under the Corporations Act 2001. Directors should consider the risk of shareholder litigation against the board if there is a risk that the board failed to take reasonable steps to mitigate the risks of cybersecurity breaches. In limited circumstances, directors may be exposed to liability for criminal prosecution.
Another risk area involves security breaches or outages that result in systems crashing and the loss of a business' online presence. If a trading entity's website is down or if employees cannot access the network, the business is at risk of losing the online business generated by traffic to its websites as well as the loss of productivity when staff cannot access systems.
Civil litigation risk is another area for clients to consider. We are seeing a greater incidence of class action litigation in the United States flowing from large-scale data breaches. Notable cases include litigation following the Target breach and the Sony PlayStation breach.
While Australian law relating to personal actions for breach of privacy is still in development, Australian companies need to consider the risks of litigation resulting from a breach of contract relating to data security, business continuity, privacy or breach of confidentiality. Contractual agreements may result in companies being liable for damages claims for a breach of these contractual obligations that might be caused by a cybersecurity breach.
Reputational damage is another important risk area for your clients to consider. A high-profile security breach can result in damage to a business' brand and goodwill as well as a loss of trust in the firm. Immediate losses associated with reduced trade may be measurable, but there is a significant risk of continued and future loss of trade and reductions in revenue associated with reputational damage following a cybersecurity breach. This is a risk that may be difficult to assess and quantify if the reputational damage is sustained.
Note: Read the full article at Internet Law Bulletin May 2015, Volume 18 No 3