Cybersecurity law is not just about privacy
Cybersecurity law is not just about privacy. Sure, the loss of millions of personal records is always going to hit the headlines, but legal ramifications go much further than that.
Here is just a selection of legal issues that can crop up.
- Director liability - the days when a board could leave "that technical stuff" to the IT team are gone. With digital assets and information being important to any business, directors run a serious risk of being held personally liable if they have done nothing to assess the risk of unauthorised access or disclosure, or have failed to put appropriate measures in place. Business failure is not unusual in the event of a major data breach or cyber incident that is handled badly. Shareholders and creditors will naturally look at directors to see why.
- Negligence - if the business has dealt with a customer's or supplier's information negligently (e.g. by leaving it on that old internet-connected 2005 PC running a non-updated version of Windows XP!) and the loss of that information or unauthorised access to it has caused that customer or supplier a financial loss, then the business will likely be liable for that loss.
- Employment law - relevant both to any investigation that may need to take place where there is a suspicion that employees may have been involved, intentionally or otherwise, and to the obligations owed to employees where there has been unauthorised access to their information. The obligation of good faith would suggest that if employee information has been lost or accessed, they need to be told.
- Insurance - cyber insurance is a growing area, but what is and is not covered can be difficult to understand. If you have important digital assets stored on third-party cloud servers in different countries, for example, it is best to check with a broker who is an expert in this area. And, at the other end, if you are looking to claim on your insurance, make sure you do not vitiate it by doing a front-page mea culpa before you have talked to the insurer.
- Breach notification and regulators - we do not have mandatory breach notification in New Zealand yet despite the Law Commission and the Privacy Commissioner both calling for it. It is clearly on its way though. And, if you have customers in other countries, you may be subject to mandatory disclosure regimes there (e.g. Australia and Europe). Careful thought needs to be given to how regulators are dealt with. Fines for failure to comply can be very significant.
- Specific disclosure regimes - while there is no over-arching mandatory breach reporting obligation in New Zealand yet, various businesses may still have disclosure obligations where there is a data breach. Examples include NZX-listed issuers under continuous disclosure rules, professional service providers to their regulatory bodies, and Crown entities in their relationship with the Auditor-General and under "no surprises" policies.
- Privilege - whenever there is a major data breach in the US, class actions soon follow. There has been a recent increase in class action-type litigation in New Zealand, so it will not be too long before a data breach situation gives rise to action here. In the US, it is now standard practice in data breach situations to work with insurers and legal counsel first so that they can instruct the technical experts who need to stop the breach continuing, fix the holes and conduct forensic analysis. The work product of these experts therefore becomes privileged rather than being available to the class action plaintiffs as evidence of how badly your security failed.
- Contract breach - many contracts contain confidentiality provisions that are likely to be breached where data is lost because of bad security practices. It sounds trite to say it but the best protection is to not hold the information at all. Do you really need it? Or, maybe you needed it when the contract was live, but since it ended 7 years ago, you don't need it now. Delete it if you don't need it, or at least archive it securely offline where it is less open to attack.
- Privacy law - of course. Apart from the reputational damage that can follow, breach of the Privacy Act is increasingly being met with significant financial penalties. The Human Rights Review Tribunal, which hears Privacy Act complaints that have not been resolved at Privacy Commissioner level, has experienced a significant increase in its caseload and recently awarded damages for a privacy breach in excess of $150,000.
- Intellectual property - if copyright in the information obtained is owned by the business, then action may be able to be taken for infringement of copyright even if no loss has been suffered, with a view to having the "stolen" material deleted or returned. The mere act of accessing the information is likely to involve unauthorised copying.
- Crime - unauthorised access to a computer system is a crime and the courts have found a way through the somewhat outdated Crimes Act provisions to arrive at the conclusion that digital material is property and can therefore be the subject of a property crime prosecution.
Given the high likelihood of a data breach in any business, preparedness, both to limit the extent of the damage and to be able to get back up and running properly in the event of a full-scale attack, is critical. Privacy and security assessments and staff training are your friends here, as are insurance and a plan for when it all hits the fan. The plan needs to interrelate with business continuity and disaster recovery plans, so that everyone knows what to do and who is to do it.