January 25, 2021

Cyber Security: Ignorance is (NOT) Bliss!

In the run-up to GDPR compliance (the EU's General Data Protection Regulation, enshrined in U.K. law as the Data Protection Act 2018), which may now seem a distant memory, organisations looked inward at their data processing activities. A commonly posed question was: 'if we are not aware of a breach, do we have no responsibility to report it?' While the 'ignorance is bliss' school of thought crops up occasionally, such views are fortunately few and far between. Nevertheless, for those who still harbour them, this article hopes to nip those thoughts in the bud.

The infamous examples that should inform our decisions

Earlier in the year CSO Online compiled a list of the 15 biggest data breaches of the 21st century, ranked by the number of people whose data were compromised. These breaches have been heavily publicised and feature in many in-house security awareness training programmes, which emphasise the enormity of the financial impact a cybersecurity breach can have on an organisation. What is also striking, however, is that the majority of these attacks were long-running infiltration attempts exploiting known vulnerabilities, followed by a successful breach that itself continued unnoticed and uninterrupted for a prolonged period.

The Heartland Payment Systems attack from March 2008 is an example of third parties, in this case Visa and MasterCard, noticing suspicious transactions and notifying Heartland in January 2009, over 10 months after the start of the breach. It can be argued that Heartland's prolonged ignorance allowed the incident to grow in scale, leading to over $145 million in compensation for the fraudulent transactions.

The new norm: Cyber security due diligence

The importance of Financial Due Diligence (FDD) ahead of a deal transaction is a long-standing norm: it is well understood and a routine precursor to the deal. Technology/IT and cybersecurity due diligence, while gaining momentum, is unfortunately still met with some degree of scepticism. For the sceptics, the Marriott-Starwood case should be a rude awakening. The multiple class-action lawsuits filed by customers whose data was breached in this incident specifically single out, within the court documents, Marriott's failure to perform due diligence on Starwood's information security. Furthermore, in July 2019 the U.K.'s Information Commissioner's Office (ICO) levied a fine of £99 million (approx. $120 million) for the violation of British citizens' rights under the Data Protection Act 2018 (GDPR). The ICO also specifically cited Marriott's failure to perform due diligence on Starwood's IT infrastructure as the reason Marriott was penalised for a breach that started prior to the merger.

Cyber insurance: a supplement, not substitute

A common misconception is that a well-drafted contract clause backed up by cyber insurance can pass on all the financial liabilities there may be from an undiscovered breach. Unfortunately, it is not that simple. In the Marriott case their cyber insurance covered the initial costs associated with the crisis, and having that cover paid off in the early stages, but initial costs are just the beginning. The growing direct and indirect costs, compounded by years of reputational damage, cannot be written off by insurance alone.

The National Cyber Security Centre (NCSC) has published some useful guidance on cyber insurance. What is important to consider, as the NCSC guidance indicates, is that cyber insurance will NOT instantly solve all your cyber issues, and it will NOT prevent a cyber breach or attack. Put simply, home and car owners do not leave their doors and windows open and intentionally leave their property vulnerable to attack once they have insurance cover. Cyber insurance is merely supplementary to the array of preventative, detective and protective information security measures organisations are expected to have in place to secure their information environment.

Duty of care: pleading to your moral senses

If the legal arguments have failed to strike a chord, maybe the moral obligation will? The GDPR tried to embody this important principle within Article 29 of the regulation. It also remains one of the most significant (of the eleven) criteria that regulators are asked to consider when assessing and setting fines following a breach.

Brad Lunn[1], a highly respected name in cyber security and corporate governance, rightly raises the questions that directors should ask themselves when thinking about 'reasonable cyber oversight': What will it take to fulfil the directors' duties of care and loyalty, and the duty to act on an informed basis? How does a board avoid creating systematic, sustained or otherwise negligent acts or omissions in how it performs oversight? As Mr Lunn points out, courts focus on the process used by the board to reach a decision, rather than on the decision or outcome itself. In the context of cyber security, the existence of cyber red flags is not in itself an indication of director liability or ineffective oversight; rather, it paints an emerging picture of the challenges facing the board. How the board discharges that challenge, or its failure to do so, creates the breach of duty to which personal liability may attach.

Final words

Finally, for those of us proposing that a lack of awareness equates to limited liability: you could not be further from the truth. The longer you remain unaware of your cybersecurity posture and risks, the less informed your business decisions will be, and hence the lower the likelihood of achieving those ambitious strategic goals. Corporate law will evolve (slowly), as it does, and director accountability for cybersecurity oversight will gain prominence, as it has already started to, given the growing risk of cybersecurity threats. Directors have duties of care and loyalty, and the obligation to act on a well-informed basis on important issues affecting corporate affairs, and by extension cyber security.

A&M: Leadership. Action. Results.℠

Our professionals have both operations and advisory experience together with a proven track record in leading businesses through tough, complex situations. A&M’s Disputes and Investigations practice combines deep experience in privacy and risk with specialist litigation and disputes support. Get in touch with our key contacts to learn more about our work.


[1] Lunn, Brad. Strengthened Director Duties of Care for Cybersecurity Oversight: Evolving Expectations of Existing Legal Doctrine (December 30, 2014). Journal of Law and Cyberwarfare, 2014. Available at SSRN: https://ssrn.com/abstract=2544478
