Cyber-hacking and phishing are problems facing all businesses around the world. What can you do to protect yourself?
France’s head of cyber-defence has confirmed that up to 19,000 French websites (many of which are owned by businesses) have been hacked by pro-ISIS supporters since the Charlie Hebdo attacks in January 2015. In addition to the threat of cyber terrorism, the increasing commercial value of data, matched by the increasing sophistication of data thieves, means that cyber security represents a real issue for almost every business.
A business will already be aware of the potential damage to reputation and loss of trade that could arise from such an incident. Businesses also need to be aware of their exposure to significant litigation risk and liability in circumstances where their systems are hacked.
A business that suffers a cyber attack may, as a matter of law, be liable to its customers, suppliers or any person to whom the data relates under:
- Breach of contract: if there is an express or implied term in a commercial contract that states that data will be stored securely.
- Negligence: if there is a failure to take reasonable security precautions when storing information.
In addition, a failure to take appropriate technical and organisational cyber security measures would breach Principle 7 of the Data Protection Act.
The best way to minimise potential liability arising from a cyber attack is to ensure that the business complies with current best practice on cyber security measures. The Department for Business, Innovation & Skills (BIS) published best practice guidance in 2012, but this guidance has not been used widely by businesses. We are recommending to our clients that they review the BIS guidance when determining or updating their own data security policies.