Cyberattacks leave businesses wide open to lawsuits

28 May 2015

John Whelan, partner and head of A&L Goodbody’s International Technology Practice

The damage to both reputation and finances caused by a security breach or cyberattack would put fear into the heart of any business owner — even before thinking about the potential lawsuits and fines that could follow.

Yes, failure to secure your systems means irate customers whose finances were compromised or identities stolen are well within their rights to sue you. And if you are a US-based company, class actions by angry shareholders are an ever-increasing reality.

A study by A&L Goodbody found that less than a third of businesses across Ireland are fully prepared to deal with a cyberattack and a significant majority are not fulfilling basic legal requirements, leaving themselves open to possible litigation and fines on top of risking the loss of intellectual property and commercially sensitive information.

The study, conducted by Red C, confirmed that basic legal obligations not being fulfilled by businesses include: not having written cybersecurity policies in place (65pc); not providing training to employees on what to do in the event of an attack (59pc), and not allocating responsibility to any one employee or team to deal with an attack (49pc).

Highlighting the need for companies to deal with cybersecurity issues from the top down, the survey also found that one-in-four (25pc) company boards had not been briefed on their business’ legal obligations and the mechanisms that were in place, if any, to deal with a cyberattack.

Furthermore, less than a third (27pc) of companies surveyed said they were fully prepared to deal with an attack and, when prompted, cited a lack of awareness of their company’s legal obligations as their biggest challenge (63pc).

The survey also highlighted the risk that companies are exposing themselves by not taking heed of the cyber-risk policies of third-party service providers that have access to their data. Half (50pc) of companies surveyed confirmed that their data is stored by a third party off-site and, within this group, 44pc admitted to not knowing their supplier’s cybersecurity policy.

10pc of firms admit a security breach would close their business

San Francisco-based John Whelan, partner and head of A&L Goodbody’s International Technology Practice, told Siliconrepublic.com that, as hackers are becoming more sophisticated and malware more devious, company boards need to ensure they have policies in place for the aftermath of an attack or breach.

He said that 28pc of boards in Ireland have not considered the possibility of a cybersecurity attack, despite two-thirds of boards agreeing a cyberattack could impact their firm’s reputation.

10pc agree that an extreme attack could close their business, while 65pc agree it would impact on their business in a serious way.

Whelan said that firms only need to look at the fallout of the attack on Loyaltybuild – the largest data breach in business history in Ireland – that pulled a number of other businesses into the drama. This led to the theft of 90,000 Irish customers’ debit and credit card details because they had signed up for weekend break deals with well-known brands like Super Valu, AXA, ESB and Centra.

Whelan said: “When we look at the legal framework for cyber risk – this involves data protection, contract law, directors’ duties under the new Companies Act and legislation coming down the track in terms of the EU Regulatory Framework — all companies must have a cyber policy.

The recent attack on Target had practical implications in terms of the CEO and CIO resigning. Target has so far had to settle cases to the value of US$17m. Sony is currently fighting more than 65 different lawsuits.

“They need to be training employees in terms of data governance and reporting and be fully prepared to deal with the eventuality of a crisis or cyberattack.”

While the European business landscape doesn’t have the same class-action culture as the US, he said recent high-profile cyberattacks have had serious implications.

“The recent attack on Target had practical implications in terms of the CEO and CIO resigning. Target has so far had to settle cases to the value of US$17m. Sony is currently fighting more than 65 different lawsuits.

“While in Europe we are likely to be slower to see litigation from customers, that doesn’t mean there isn’t the potential for litigation if data is stolen or compromised.

“Currently board members are more concerned about headlines in the newspapers, but as we go forward it’s not the stigma of an attack but the actual legal imperative and what could follow. Do you have the policies in place?”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com