The era of hacks and cyber regulation

Transcription

1 6 February 2014 The era of hacks and cyber regulation We trust that you are well versed with the details of the various cyber-attacks that made the headlines towards the end of 2014, and early this year, and the consequent proposals put forward by Cameron and Obama. Not only does the recent activity add to the growth of cyber-crimes over the past few years, it is a chilling reminder that you do not need to be a sophisticated hacking entity to cause damage. For example, the Lizard Squad, a group of hackers said to consist of members mainly in their early twenties, were able to disrupt Sony and Microsoft services, and Islamic state sympathisers alleged to be juveniles hacked US military social media accounts; it is feared that there are many more hacking groups like these in operation. This is simply the start of the problem. As technology develops further and it becomes common place for us to have fridges that re-order food for us, phone applications that control our appliances and light switches, and smart meters that speak to smart grids, we expose ourselves to the risk that hackers will be able to control every facet of our lives. The liability, when such attacks happen, will reside with the companies that provide us with services. Some piecemeal cyber regulation currently exists in the US and the EU, which has evolved in reaction to technological developments. Data controllers in the EU, for example, are required to implement appropriate measures to protect personal data and in the US, state governments have imposed significant penalties on companies who failed to disclose a data breach. The future will involve implementing regulation that can keep up with technology and protect those who suffer harm as a result of it; it is therefore likely to become more onerous. The US and the EU are synergising their approach. Both jurisdictions are placing importance on information sharing and harsher penalties, amongst other things. Companies likely to purchase cyber insurance will face regulatory responsibilities that are difficult to meet against a backdrop of increasing cyber-crime. There will be more opportunities for accidental breaches and losses and, with complex contractual arrangements and security structures, confusion over where liability resides. This will also present risks for Insurers offering cyber cover as it will become even more difficult for them to quantify the corresponding risk. The risks born from cyber-crime will impact many areas of potential liability and rather than providing bespoke policies where the risk is well-considered, insurers may find increasing demand to add on cyber wording to a range of policies.

2 With these points in mind, this briefing will consider the different aspects affected by cyber-crime and the additional risks we may face soon. Business risks The case studies below illustrate the breadth of some of the typical risks faced by companies and individuals. Case study one: a hack on a company with a similar profile to Sony. The implications of a Sony style hack are varied. Other than the more obvious type of damage to the company s reputation and any associated financial loss, the company could face: Privacy claims from service users and employees in respect of their data being leaked or compromised Liability for any associated identity theft Sensitive corporate information and trade secrets leaked Stolen intellectual property, or dilution of such rights, e.g. premature release of film scripts Business interruption losses, including costs associated with recreating lost, damaged or stolen data Costs involved in notifying concerned parties Costs associated with hiring professionals to mitigate the damage caused, e.g. Cyber Security professionals, PR consultants and lawyers Costs associated with defending and conducting third party litigation Paying fines imposed by regulators. Case study two: a hack on a private property via its smart metering system and/or other smart gadget. If the private property belongs to a public or influential figure, or someone with access to sensitive information, the motive behind such an act could be to obtain data and cause damage. The utility company (or an associated company/service provider) and the

3 telecom company collecting and transmitting the data from the smart meter could face the risks identified in case study one and: A potential property damage claim Personal injury claim. Cyber insurance may therefore become an add on service as opposed to a bespoke service simply because it impacts a wide variety of insurable areas. Companies and individuals, as described above, are likely to want peace of mind that they have protection against any eventuality caused by a cyber-crime. It is therefore plausible that any eventuality would be covered by cyber insurance wording being added on to a range of policies, as a form of an extension, rather than through a bespoke stand-alone policy. Though this would not be good news for insurers who prefer well considered bespoke policies that limit risks, it is a potential trend that the market should consider. Regulatory landscape The law is facing a new type of predicament any cyber law proposed is likely to be outdated by the time it is passed. The simplest way for legislators to provide protection and not be outdated by technological advancements, is to burden those entities who have the means to prevent attacks from occurring. Thus far, regulation in the UK has been light, public authorities and organisations who provide a service allowing members of the public to send electronic messages (telecom companies or internet service providers) are required to notify if a data breach occurs, otherwise, fines and offences are limited to those who intentionally cause a breach rather than a business that was subject to a breach. Change is afoot as there is concern that companies are keeping quiet about attacks they have faced and in parallel, the number of parties seeking compensation for cyber-crime is increasing. Regulation is a double edged sword: it will be used to place pressure on corporates and other entities to prevent cyber-attacks on systems within their control and it will punish companies if they fail to have adequate protections in place or if they omit to notify interested parties of a breach. The US The regulatory landscape in the US is developed or at least more complex in comparison to other countries. It comprises of directives from the Executive Branch and legislation from Congress that safeguards information technology and computer systems. There is also a split between federal and state regulation. Federal cybersecurity regulations focus on specific industries, mainly related to healthcare organisations, financial institutions and federal agencies. However, there is a lack of

4 regulation on computer related industries (e.g. internet service providers) and companies are free to implement their own reasonable cybersecurity measures. State governments, conscious of the shortcomings in the Federal system, have targeted companies with weak security and made a public example of them. For instance, California has a Notice of Security Breach Act which requires companies who hold personal information of Californian citizens to disclose details of any security breach, and the potential penalties imposed on companies who fail to do so can be significant. Cyber-crime and security regulation in the US has developed from being government and industry specific to recognising that companies are more likely to voluntarily invest in cybersecurity if they risk facing regulation. The US have not tried to tackle every issue in one singular bill, which allows for further reform to take place through individually tailored bills. Obama s proposals The recent proposals put forward by Obama highlight a few key themes: Information sharing between the US government and private companies via a reintroduced Cyber Intelligence Sharing and Protection Bill. It is suggested that companies who volunteer information (save for personal data) would be awarded liability protection but it is currently unclear as to what this entails. Full disclosure Obama is pushing for a new federal law (the Personal Data Notification and Protection Act) to require companies to notify customers of a data breach within 30 days. This will mean there is a single data breach notification law for all US states. Increased penalties for cyber-crime by reforming the Computer Fraud and Abuse Act. The increased penalties appear to be geared towards cyber criminals as opposed to companies, however, the act has a reputation for being draconian and it remains to be seen how it will be applied. The US approach on this issue has previously been piecemeal and reactive but Obama s proposed reform is promised to be more proactive and wide-reaching.

5 This year started with increased discussions of cooperation between Obama and Cameron on the issue of cyber-security. Discussions are likely to continue and thus the US approach may influence how relevant EU laws are interpreted and applied (and vice versa). As described below, the key themes put forward by Obama are already echoed in the proposed EU legislation. The EU Currently, EU legislation covers cyber incidents in a periodic fashion as follows: Change The E-Privacy Directive (2002/58/EC) requires electronic communication providers to appropriately manage risks to their networks and report significant breaches of security or network integrity. The European Critical Infrastructure Directive (2008/114/EC) requires critical infrastructure operators to appoint a security liaison officer and create plans to minimise risk and deal with any service interruption or infrastructure destruction. The Data Protection Directive (95/46/EC) requires data controllers to implement appropriate measures to protect personal data. It does not, however, oblige data controllers to report personal data breaches to any supervisory authorities. A new European data protection directive known as The General Data Protection Regulation is being debated in the European Parliament with the intention that it will be finalised this year. If passed, it is likely to be amongst the most stringent data protection laws in the world. It will include new obligations, such as: The appointment of a Data Protection Officer to notify data breaches to the supervisory authorities and any individuals concerned Penalties of up to 2% of a corporate s annual global turnover or a penalty of EUR 1 million (originally proposed to be much higher at 5% or a penalty of EUR 100 million) A requirement that data controllers impose contractual obligations on their data processors A data processor will be considered a data controller if it processes personal data other than as instructed by the data controller The contested right to be forgotten allowing data subjects the explicit right to request that inaccurate data held about them be rectified and the right to

6 request that any personal data held about them which is no longer necessary, or which they object to the data controller processing, is deleted. In addition, the European Commission and the High Representative of the European Union for Foreign Affairs and Security Policy have proposed a Cybersecurity Directive ( the Directive ). Its main objectives are as follows: Uniformity Each Member State to adopt network and information security strategy and emergency response teams. Cooperation Member States to cooperate on risk assessment plans for potential incidents, measures for preparation, response and recovery, strategies for cooperation between the public and private sector. Information sharing Between the European Commission and Member States as well as leading market operators, ISPs, social networking businesses, cloud computing service providers and administrative bodies. Security standards Public administrations and market operators to take appropriate measures to manage any risks posed to the security of the networks and information systems they use and control. The security standards will apply to all market operators that provide services within the EU and not just to those that are domiciled there. Enforcement All cases of noncompliance by public administrations or market operators to be investigated. Competent authorities would also have to ensure that they have the power to require market operators and public administrations to provide information to assess the security of their networks and require them to undergo audits by an independent qualified body. The Directive also includes sanctions for non-compliance. In a similar vein to the US, market operators are industry specific and include operators of critical infrastructures that are essential for the maintenance of vital economic and societal activities in the field of energy, transport, banking, stock exchanges and health. Information service providers also formed part of the definition in the European

7 Commission s draft but has been removed as the impact was considered to be unmanageable. The current draft of the Directive is advanced but further amendments may be made before it is finalised. It is expected that the Directive will be adopted later this year, leaving Member States with 18 months to transpose it into national law. With the UK general election ahead of us, it is unlikely that the Directive will be enacted until The UK The UK has been independently active in trying to develop strategies on this issue. It has introduced the Ten Steps to Cyber Security Guide, the cyber security information sharing partnership (CISP) and the cyber essentials scheme to encourage cyber certifications for businesses (on a voluntary basis). There is also an emergency response team (CERT-UK) to encourage communication between UK businesses and other CERTs on cyber security issues related to national infrastructure. The UK already obliges all data controllers to apply appropriate measures against unlawful processing, and the Information Commissioner has the power to impose monetary penalties of up to 500,000 in respect of serious breaches. Financial services companies are also subject to additional regulatory requirements by the Financial Conduct Authority (FCA). The enactment of the Directive and the General Data Protection Regulation, however, will result in a more onerous regulatory landscape for many companies operating in the UK. The future Recent events have reminded us that cyber-crime is unpredictable and can often strike when we least expect it to. On the other hand, the effects of cyber-crime are no longer as unpredictable as they once were. We now know that a cyber-attack can have a myriad of implications for a business and its related parties. We also now know that regulation is a reality and that many business will have to apply procedures that will demonstrate effective use of security policies and measures. Failure to do so will not only result in the types of damage listed in the case study examples above, but also breach data protection and information security requirements and result in an enforcement action being taken. The US and the EU have themes in common: both are striving for information to be shared between the public and private sectors, for increased cooperation, disclosure and more onerous penalties. There are, however, grey areas, and it remains to be seen how both jurisdictions respond to them and whether they take a unified approach. As mentioned earlier, one of Obama s proposals suggest that companies may obtain some form of liability protection in exchange for greater transparency. It is currently unclear how this would be implemented and whether regulators in the EU, in turn, would be

8 lenient on companies that are forthcoming with information. Such proposals do suggest that in the future, there may be further scope of limiting corporate liability in respect of cyber-crimes. Further, the proposed EU regulation leaves room for interpretation; it is not clear what adequate security procedures consist of, whether companies will be free to design and manage their security systems like in the US or whether there will be a minimum threshold to comply with, and whether the definition of market operators is malleable. Interpretation and a level of uncertainty is likely to be a live issue for some time as regulation will be drafted in a broad fashion so that it is able to evolve in response to technological changes. Cyber-crime is a global problem strongly affecting multinational companies with equal presence in the US and in the EU. Consequently, insurers writing cyber risk policies should do so in a bespoke fashion, with knowledge of the US and the EU regulatory landscapes and with their client s cyber security policies and procedures in mind. Even if the trend shifts to add on based cyber insurance policies, insurers should carry out the aforementioned evaluation and also establish whether their client has other policies that include cyber wording, so that they are able to grasp a full picture and manage any associated risks. For further information, contact john.farrell@kennedyslaw.com or punam.mehta@kennedyslaw.com Kennedys is a trading name of Kennedys Law LLP. Kennedys Law LLP is a limited liability partnership registered in England and Wales (with registered number OC353214).