Cyber security is more than just an issue for the IT team. The risks that come with cyber crime and the digitisation of business run through every part of an organisation.
Too often companies only involve their lawyers as a reactive measure to a data breach. However, General Counsel should be an integral part of the proactive plan to prevent, prepare and respond to a cyber attack. The financial and reputational costs of data breaches make it a commercial imperative.
Last year, a US survey of 500 Directors and General Counsel revealed that, after the traditional topic of regulatory compliance, data security topped both Directors’ and General Counsel’s lists of worries.
It’s not hard to see why. In the UK alone there were 5.1 million cases of online fraud and 2.5 million incidents of computer hacking last year. The financial incentive for cyber criminals is substantial. The black market price for stolen personal records on the dark net can be as a high as $1000 per file.
Hackers are acutely aware of organisations’ vulnerabilities. Government and company systems are being attacked more frequently every year.
Sony Pictures, Target and UNSW were all the subject of recent high profile attacks. The breach of Target’s data centres was perhaps the most damaging with payment information for 40 million customers being publicly exposed.
It is estimated that cyber crime attacks affect 5 million Australians at a total cost of $1 billion every year.
On average a cyber breach will cost a business $2.82 million. The biggest cost is in the release of information that hackers can use for blackmail or fraud. Other costs include loss of business information to competitors, the undermining of customer confidence and reputational damage.
Companies also face litigation and legal penalties if the breach reveals non-compliance with privacy obligations.
Companies are required to comply with the Privacy Act and the Corporations Act to protect personal and commercial information from misuse or public disclosure. This can include notifying affected individuals and regulators in event of a breach. There are also other industry specific laws which regulate sectors like telecommunications, finance and health care to consider.
ASIC and the OAIC are taking a close interest in how organisations plan and respond to cyber threats. It is OAIC’s primary duty to ensure strict standards on how organisations collect and store their customers’ personal and sensitive information.
Failing to comply with legal obligations can result in substantial penalties and potentially a claim or class action suit for breach of duty of care and negligence. Litigation claims in this space are starting to take off.
Cyber attacks expose not only a company’s data, but also the systems and practices designed to protect that data.
While the IT team can set up tactical defences and security software in the hope that hackers won’t get in, it’s impossible to protect every asset.
The executive and Board must decide what matters most to the business and what is most likely to be targeted. The ASIC report (REP 429 Cyber resilience: Health Check) into cyber resilience calls for greater Board involvement in cyber security planning. ASIC recommends the Board oversee the development, testing and implementation of a cyber resilience framework to plan for, protect from and respond to cyber attacks. The framework should involve all parts of the business including legal, marketing, commercial, risk and IT.
Some organisations have a Chief Risk Officer or Risk Committee who can lead on cyber security planning, but for most, the General Counsel is best placed to assess and mitigate risk. This role includes:
Cyber security may once have been an IT–only issue, but it is lawyers who now must navigate the myriad legal issues and data protection regulations.
A 2016 priority for General Counsel will be ensuring their organisations are cyber resilient, legally compliant and meeting their duties of care to clients.
You can get started on your road to cyber-resilience by reading our Cyber roadmap and Checklist:
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.