It is difficult to imagine that any medium to large sized business in Australia is not aware of the growing rate of data breaches around the world. This being true, then what has this to do with the law?
It seems inevitable that the growth in sophistication of technology brings with it a directly proportional growth in exposure to hacking.
There can be a variety of agendas behind hacking activities, from serious criminal ones, to those that aim to highlight flaws in the technology, or simply identify something the developers had not thought to prevent or address.
Certainly, when technology goes wrong, or it is hacked, or there is a loss from it –we will reach a critical mass point when losses have to be chased. At present, concerns over damage to reputation and market perception often dissuade sufferers from taking steps to recover losses, or indeed letting the world know it happened at all.
Companies do not want it made public that they have suffered cyber breaches. However, I am certain there will be a levelling process, if it has not already begun, when the embarrassment of suffering a digital break in will eventually be outweighed by the need to take steps to recover losses suffered. This of course presumes steps can be taken.
Let’s put this in context by looking at the recent events involving Fiat Chrysler in the US. Much to the chagrin of manufacturers of computer controlled devices (which is almost everything these days), there are large numbers of technically skilled people who make a living legally trying to find flaws and faults with the computer and software components of such devices.
In July this year, Fiat Chrysler found out just how effective such people can be. The company was left with no option but to issue a recall of 1.4 million vehicles.
That action was taken after an article was published in Wired magazine by a group of researchers who proved beyond doubt they could wirelessly hack into a Jeep Cherokee and control almost all its key functions, including breaks and steering.
No doubt it cost Fiat Chrysler a huge amount of money to carry out the recall and attempt to shut out the technical vulnerability of the vehicle control systems. However, it is likely that the really substantial cost suffered would not appear on the bottom line for some while - the damage to reputation.
As I have indicated in previous articles, it is unquestionable there are growing domestic and business concerns over cyber security – from hacks of social media, to major intrusions into corporate networks and data repositories.
With this growing concern, there is often a demand for governments to step in and legislate to reduce the increased risks. In the case of Fiat Chrysler, there have been calls in the US for legislation to impose standards for vehicle security.
Whether such legislation will have any viable effect is not the subject of this article. However, the legal ramifications are very much the focus here. If preventative measures do not work – then the business and general community will look to remedies of compensation and punishment.
It helps to be clear on the sorts of predicaments we are talking about here. There are two broad areas to consider. The first is where an organisation has its own systems and does not rely on any third parties. In such situations, the company has no third party to look to for being at fault where a security breach occurs and a loss is suffered.
In that scenario (and indeed in the second scenario as well), what may be a major issue is the responsibility of the directors and corporate managers. Under Australian corporate law, directors and managers must exercise “care and diligence” in carrying out their duties – when the stakes get high, the proper discharge of this responsibility may be called into question if the company’s IT systems are breached and there is a major loss.
The second broad area to look at is where a company relies on third parties for some or all of its IT and security systems or IT services. There are so many possible combinations of own resources and/or systems, and third party suppliers, it is not possible to list even a substantial number.
Let us look at just one as a typical example. A company owns much of, but not all the hardware that comprises its entire IT system. It has licences of various third party software on this hardware, and that software manages the majority of (but not all of) the data the company generates and collects.
The company also has a managed services provider who oversees and controls the majority of the system, and it has a cloud provider.
The company’s business includes the gathering and creation of high value data, whether it be financial, personal or some other combinations. What happens if a major security breach of its systems occurs and large scale losses are suffered by it and its clients? In such a situation, a great deal of time and money may be spent trying to isolate who, if anyone, was at fault, and how fault might be apportioned.
I am confident that more and more, certain key areas of law will come under pressure to embrace technological advances, and failures. In the scenario I have suggested, the first two areas of law that come to mind are contract law and the law of tort. The latter is a body of the common law that is built on duties of care.
Consider the following as potential duties of care:
- To implement “reasonable” security measures and systems on computer networks
- To have business practices that reduce the risk of external parties gaining access to data, both the company’s own and that of third parties
- To have policies and procedures within your organisation to assist in reducing the risk of security breaches, and how to minimise damage if one occurs
- To comply with, or having taken steps to comply with, external security and related standards
- To recognise the exposures created through a multi-level and party IT supply system, and to put in place appropriate measures to minimise exposure and to back up vital data
- To ensure statutory requirements like those under the Privacy Act are complied with.
Imagine the potential number of duties of care the parties involved in the suggested scenario might owe. Consider the contractual mire that might exist between the various parties, and how those contracts may need to be reconciled.
Understanding the totality of your own business systems, the potential duties of care and who owes them to whom, and the contracts that relate to them, is becoming more and more a critical aspect of business and risk management. I expect them all to be put to the test in the very near future.
Guy Betar is a corporate/IT lawyer with more than 20 years’ experience. He is currently special counsel at Salvos Legal and can be contacted by email at firstname.lastname@example.org.