Cyber Risk: The Role Of The Legal Advisor
Cyber Risk: Does It Concern Everyone Or Exclusively The “Elite” And “Famous People”?
“Many people working in cybersecurity will tell you that it’s not a question of whether a company shall suffer a cyber-attack but of when it will suffer it in any form. Whether you have been cyberattacked and you have not been aware of it or you have been cyberattacked and you know it, or you will be cyberattacked sometime in the future”.
This statement was made by Martin Felli (CLO of JDA Software, one of the world’s largest software companies for logistics companies) to Dominic Carman, who conducted a special survey for Kroll.
What Felli says is in fact an explanation of the statement of former FBI Director Robert Mueller, who had stated as early as 2012: “There are only two types of companies: those who have been already hacked and those that will be hacked in the future”.
Despite the continuous digitization of all kinds of information and the use of electronic networks to carry out all sorts of transactions and operations, it is more than obvious that most companies in Greece are not aware of the risks that they themselves, as well as their customers’ data, run from every kind and form of cyberattack.
But why should your legal advisor deal with this issue? Isn’t it a matter of IT?
In order to attempt a satisfactory answer to this question, we must turn our sights to the recent past …
The Disclosure Of Loss Or Leakage Of Information And Its Consequences - General
The disclosure of a loss or leak of information of any nature (whether a customer’s personal data or business secrets) starts with publicly admitting the leak. This admission can be made either to the general public or to a limited circle of persons and legal entities whose data has been lost or leaked due to the cyberattack.
In either case (admitting a cyberattack publicly or to a limited circle) the legal consequences are always serious. Injured third parties are entitled to bring proceedings against the company that has suffered a cyberattack, while the competent authorities have to impose the fines provided by the existing institutional framework. The extent of the damages to be awarded and the fines to be imposed will always be directly proportional to the extent of the leakage and the severity of the data lost or hacked.
In both cases (in the first immediately, in the second in time) the inevitable publicity attracts the media’s interest and causes serious damage to the company’s prestige and reputation. This second consequence of a cyberattack is as severe as (sometimes even more severe than) the legal consequences of such disclosure (lawsuits, administrative fines, criminal liability).
“There Has Not Been A Thorough Investigation Of The Causes Of The Leak Of Information”: Yahoo Case
Relatively recently (in 2016), Yahoo revealed two separate incidents in which hackers gained access to the data of a billion users (the number actually causes vertigo). The first incident occurred in 2014 and was initially kept secret. But when a second violation took place in 2016, the company was forced to make a total disclosure.
The shock to the business world of the United States was so great that a detail perhaps went unnoticed: the first to resign was Yahoo’s Head of IT (as expected), but the second was the Chief Legal Advisor. Why, though, this second resignation?
The Special Commission appointed by the Yahoo Board to investigate the circumstances of the leaks, both in 2016 and in 2014, considered that the whole group of Yahoo’s Legal Advisers had failed to investigate thoroughly the causes and circumstances of the breaches in 2014, notwithstanding the fact that it had the data and the conditions to do so. The first result of this failure by the legal counsel team was that no substantive measure was taken; the final, and dramatic, result was that it allowed the widespread violation of 2016.
What was the duty that Yahoo’s Chief Legal Advisor omitted? What is the responsibility of the Legal Advisors of a company?
The Changes Brought In The Global Business Environment By The EU Regulation GDPR And The NIS Directive
In 2016 the European Union adopted two major legal instruments: the General Data Protection Regulation 2016/679 and the Network and Information Security Directive 2016/1148.
Many people are already aware of the first of them (GDPR). However, the second is overlooked, despite the fact that it must also be incorporated into the domestic law of the Member States from May 2018. Member States are obliged to identify by November 2018 the operators and service providers of basic services (who now have increased responsibility for maintaining high security measures).
These laws will affect (more precisely: they already affect) directly and in one way or another all the companies that process Personal Data of European citizens. It is emphasized that they affect not only European companies but also non-European Union entities that process Union citizens’ data.
In Europe (as earlier in North America), something important is changing in relation to the assessment of the risks posed by electronic data processing. The shift in the attitude of the legislative and auditing authorities appears to be abrupt and significant. With the above-mentioned legislation, the European Union is spearheading the issue of corporate responsibility for failing to protect and securely process the information that companies handle in one way or another.
Both laws, apart from all their other consequences and the multiple regulatory compliance parameters they create, also add further adverse consequences in the event of a cyberattack that may result in data leakage.
The Role Of The Company’s Legal Advisor
In this context of the rapid (but at the same time important) changes in business behaviors and practices brought by the current legislative trends, the role of the Legal Advisor of a company proves to be extensive and, at the same time, crucial.
The Legal Advisor of a company, as the head of the team concerned, must design, supervise and test in advance an Incident Response Plan for the case of a cyberattack.
Perhaps it seems strange that a lawyer and not the IT Manager is at the head of such an effort. However, only in this way can there be effective protection of the company’s interests against the consequences of a possible loss or leakage of data.
On the technical side, the assistance of specialists is obviously needed: they will identify the type of intrusion, the weakness exploited, the volume of data leaked, etc. However, the main concern of the Legal Advisor will not only be disclosing to the management and the responsible employees of the company, but also ensuring the best implementation of the laws and best practices, mitigating the consequences of any breach and, in particular, harmonizing all the departments of the company in the implementation of the Incident Response Plan.
Your Legal Advisor knows (or ought to know) the applicable provisions (before a cyberattack) and the actions required (after a cyberattack and data leakage) to:
- Make clear to the competent Audit and Judicial Authorities that the company has done its best both preventively (before the cyberattack) and after the data leakage.
- Identify the causes of the leakage, the persons liable, the existence of willful deception or fault that contributed to the leakage of the information in a clear and understandable way (to non-experts).
- Create optimal conditions and evidence for seeking to punish perpetrators and / or those responsible for the attack before the competent authorities and bodies.
- Manage the communication of the consequences of the disclosure of data loss / leakage due to cyberattack.
The Legal Advisor of the company will identify the specific risks for each of his client companies according to their activity and their exposure to data processing (gap analysis). In cooperation with IT, the Legal Advisor will investigate possible cybercrime scenarios and prepare an Incident Response Plan that will be simple and comprehensible to all executives and departments of the company and, in particular, to a judge who may eventually deal with it later.
To make this clear, let’s take a simple example: the lawyer who defends a client for medical negligence does not need to be a neurosurgeon. It is enough to be prepared to understand the philosophy and sequence of the protocol that his client ought to follow in order to respond to the disputed incident. The Legal Advisor of the company, having understood the technical issues with the valuable help of IT, will “translate” the necessary actions and processes so that they are simple and easy to understand for the Company’s Management, the employees and third parties (auditing and judicial authorities).
It is particularly notable that already in the US and Great Britain, the top law firms have developed their own Cyber Security Division to provide all the services required (legal and IT).
The Issue Of Cyber-Security And Its Integration In The Company’s Regulatory Documents
On the initiative of the Legal Advisor, the Cyber Security issue must be integrated in the company’s regulatory documents (Internal Working Rules, Internal Rules of Operation, Policies for Data Processing and / or Computer Management etc.).
By way of illustration only, an Incident Response Plan should specify, among other things:
- Who are the heads of the action groups, and when and how they are alerted.
- Who decides, and within what time frame, on the (possible) total shutdown of the company’s networks or on attempts to resume operations in order to identify the origin of the cyberattack.
- Who is the external partner who may be involved in system monitoring.
- What written notices and reports, and of what nature, will serve as proof of the time the cyberattack became known and of the actions that took place.
- Who is responsible for communication and PR and may have to manage the communication part of the disclosure.
Does The Legal Advisor Have To Deal ALSO With The Insurance Against Civil Liability?
In the same context, the Legal Advisor of the company will accurately identify the most likely sources of risk and will be able to choose the right civil liability insurance plan in relation to cyberattacks. This is in contrast to the usual business practice, in which the cheapest offer is chosen and the first draft insurance contract sent by the selected insurance company is accepted (a contract which may cover absolutely unnecessary risks on the one hand while failing to cover what is absolutely necessary on the other).
The Link Of The Company’s Good Repute With Its Protection
All the above actions of the Legal Advisor (the existence of clear regulatory documents, policies, an Incident Response Plan, Insurance Coverage etc.), but mainly the alignment of the company and of its executives with what these provide, can only have the effect of increasing the trust of customers and collaborators towards it.
Given that we all want to work with trusted partners, the (regional) benefits of the company are more than obvious: customers see that they are dealing with a serious business partner rather than a “little store”.
Creating The Conditions To Prevent an “Internal” Cyber Attack
Over the past few years, we have been facing violations of business secrets by company executives (dissatisfied or not, active or retiring) in the context of their long-term or opportunistic planning. Our case law has so far dealt with some individual cases in which executives wanted either (simply) to harm their employer’s company, or to enrich themselves, or to move to a competitor along with the business secrets of their previous employer.
The protection of the company from its (malicious) executives, although not automatic or self-evident, is, to a very large extent, feasible, with significant leverage in the existing institutional framework and the Constitution. (http://koumentakislaw.gr/en/blog/articles/enterprises-and-confidentiality/)
So, what happens when a cyberattack comes “from the inside”, that is, when the offender is an executive of the company? Is protection and deterrence possible? Is it possible (in the non-desired case) to detect the origin and identify the offenders so as to make an (internal) example of them and for (future) deterrence?
The Legal Advisor is the one who must create the framework and the background for business secrets. It is precisely in this same context (in close co-operation with the IT section) that he must create the conditions to prevent an “internal cyberattack”, which could seriously damage the interests of the company he represents. He is the first to “raise” the alarm but also the one who should urge the company to establish appropriate policies and procedures for the safe use of the company’s networks and electronic communications, and for the control of access to the company’s systems and records by its executives.
By Way Of Epilogue
The resources available are always limited. The need to manage them rationally is more than obvious, also in relation to the maximum possible protection from Cyber Risk.
If there is no rapid and thorough identification of the needs and potential risks for the particular company, it is likely that the company’s resources will be “spent” in a way that is not the optimal one.
Your Legal Advisor can lead you to a more rational and efficient use of available resources and also take the responsibility for coordinating all stakeholders.
Even if you do not choose to assign the specific projects to him, please just seek his assistance. You can be sure that the result will be infinitely better.