Despite the digitization of information and the use of electronic networks to handle transactions and operations, it is obvious that most companies in Greece are not aware of the risks that cyber-attacks pose to them and to their customers’ data.
The legal consequences of data leakage due to cyber-attacks are always serious. On the one hand, the injured third parties are entitled to bring legal proceedings against the company for the leakage of their data while on the other hand, the competent authorities must impose the fines provided for by law.
The Network and Information Security Directive
Most people are now aware of the General Data Protection Regulation 2016/679 (also known as GDPR). Few, however, are aware of the Network and Information Security Directive (2016/1148), which also had to be incorporated into the domestic law of the Member States in May 2018.
With the above-mentioned legislation, the European Union takes a stricter stance on corporate responsibility for failing to protect data and secure its management. Both of these laws provide for unfavorable consequences for a company in the event of data leakage.
The Role of the Legal Advisor
The duty of the Legal Advisor is to ensure the correct implementation of legislation and best practices, to mitigate the consequences of any breach and, in particular, to bring the entire company into line with the Incident Response Plan, which every company must have. A Response Plan to Cyber-Attacks indicatively includes:
- The composition of the crisis management team and when / how it is activated.
- The heads of the action groups, and when / how they are alerted.
- The person who decides (and the deadline for that decision) whether to shut down the company’s networks entirely or to keep them running in an attempt to identify the origin of the cyber-attack.
- The documents that will record when the company became aware of the cyber-attack and the actions that were taken.
- The communications officer who will (possibly) handle the communications side of the disclosure.
Your legal advisor knows what actions are required to make clear to the authorities that the company has done its best both in prevention and after the data leakage, as well as to collect the appropriate evidence. The role of the legal advisor is also critical for the preparation of a report that will clearly and easily identify the causes of the leakage and the persons responsible for it.
Also, the company’s legal advisor will identify the most likely sources of risk and will be able to negotiate the content of the proposed insurance contracts and eventually recommend the conclusion of the appropriate insurance coverage contract against cyber-attack.
All the above actions of the legal advisor (internal policies, Response Plan, Insurance Coverage), but mainly the alignment of the company with everything that is provided in this respect, can only increase the trust that its clients and associates place in it.
P.S. The article has been published in MAKEDONIA Newspaper (October 21, 2018)