Government statistics show that nearly 70% of larger firms in the UK were hit by a cyber attack or breach in the last year, and that almost half of all UK businesses reported at least one attack or breach. Over 4 million individuals were victims of cyber-crime, with 66% of cases resulting in a loss of money or goods.
Cyber-attacks can cause havoc for a business, raising questions about the security of its IT systems and the legal implications involved. This is a relatively new phenomenon and a very complex field that requires expert legal knowledge.
If your business has been the victim of a cyber-attack, you could face a number of repercussions that can affect your profits. These include claims from customers who have suffered a financial loss as a result of the attack, loss of client data, disruption to sales and staff work time, and reputational damage.
Business owners can also face claims from customers for breach of data protection law and, if you have responsibility for data protection under your client contracts, you may be held in breach of contract.
Currently, under the Data Protection Act 1998, organisations must take “appropriate technical and organisational measures” to protect personal data from unauthorised access or disclosure. However, as legal firms have discovered in recent years, the DPA contains serious gaps that have been exploited, leaving businesses reeling from the subsequent fallout as well as from the initial attack.
In response, the EU’s General Data Protection Regulation (GDPR) will come into force on 25 May 2018, requiring organisations to undertake data protection impact assessments for the riskiest uses of personal data. It means that companies must ‘continuously’ identify risks that could put personal data at risk. Hefty fines for breaches are expected, up to a maximum of €20 million or 4% of annual global turnover, whichever is higher. New legal obligations will be introduced to report serious data security breaches to the regulator (within 72 hours of becoming aware of a breach, where feasible), and clearer guidelines will be given on what data is regarded as ‘vulnerable’. The government has already stated that this regulation will continue to be enforced after Brexit.
In the short term, be prepared for an in-depth investigation into any cyber breach and make sure you have a solid plan of action to cope. Legal experts can help to determine whether the incident needs to be reported to the Information Commissioner’s Office (ICO). Ensure that breaches are reported sooner rather than later, with full disclosure and details of the preventative action initiated as a result. This can mean the difference between a ‘lessons learned’ outcome and regulatory enforcement.
Seek expert legal advice around any liability claims arising from the cyber breach. This could include investigation into the contractual position with any outsourced IT or virus protection providers to see if any losses can be recovered.
Longer-term actions to implement include cyber security risk assessments and plans. As both businesses and the threats they face are constantly changing, these documents should be regularly reviewed to ensure compliance with legal obligations, and to give customers and clients peace of mind that their data is safe.
Your legal team can advise on any review of systems to protect your business from future attacks and any training required to help staff respond effectively.
An expert cyber-crime legal advisor can also review your situation before you fall victim to an attack. They can check that your business complies with legal requirements and has the correct procedures and contracts in place to protect it effectively.