The legal ramifications of a cyber attack

Guy Betar examines some of the causes for concern with the growing number and size of data breaches.

It is difficult to imagine that any medium to large sized business in Australia is not aware of the growing rate of data breaches around the world. If that is so, what has this to do with the law?

It seems inevitable that the growth in sophistication of technology brings with it a directly proportional growth in exposure to hacking.

There can be a variety of agendas behind hacking activities, from serious criminal ones, to those that aim to highlight flaws in the technology, or simply identify something the developers had not thought to prevent or address.

Certainly, when technology goes wrong, or it is hacked, or there is a loss from it – we will reach a critical mass point when losses have to be chased. At present, concerns over damage to reputation and market perception often dissuade sufferers from taking steps to recover losses, or indeed letting the world know it happened at all.

Companies do not want it made public that they have suffered cyber breaches. However, I am certain there will be a levelling process, if it has not already begun, when the embarrassment of suffering a digital break-in will eventually be outweighed by the need to take steps to recover losses suffered. This of course presumes steps can be taken.

Let’s put this in context by looking at the recent events involving Fiat Chrysler in the US. Much to the chagrin of manufacturers of computer controlled devices (which is almost everything these days), there are large numbers of technically skilled people who make a living legally trying to find flaws and faults with the computer and software components of such devices.

In July this year, Fiat Chrysler found out just how effective such people can be. The company was left with no option but to issue a recall of 1.4 million vehicles.

That action was taken after an article was published in Wired magazine by a group of researchers who proved beyond doubt they could wirelessly hack into a Jeep Cherokee and control almost all its key functions, including brakes and steering.

No doubt it cost Fiat Chrysler a huge amount of money to carry out the recall and attempt to shut out the technical vulnerability of the vehicle control systems. However, it is likely that the really substantial cost suffered would not appear on the bottom line for some while - the damage to reputation.

As I have indicated in previous articles, it is unquestionable there are growing domestic and business concerns over cyber security – from hacks of social media, to major intrusions into corporate networks and data repositories.

With this growing concern, there is often a demand for governments to step in and legislate to reduce the increased risks. In the case of Fiat Chrysler, there have been calls in the US for legislation to impose standards for vehicle security.

Whether such legislation will have any viable effect is not the subject of this article. However, the legal ramifications are very much the focus here. If preventative measures do not work – then the business and general community will look to remedies of compensation and punishment.

It helps to be clear on the sorts of predicaments we are talking about here. There are two broad areas to consider. The first is where an organisation has its own systems and does not rely on any third parties. In such situations, the company has no third party to look to for being at fault where a security breach occurs and a loss is suffered.

In that scenario (and indeed in the second scenario as well), what may be a major issue is the responsibility of the directors and corporate managers. Under Australian corporate law, directors and managers must exercise “care and diligence” in carrying out their duties – when the stakes get high, the proper discharge of this responsibility may be called into question if the company’s IT systems are breached and there is a major loss.

The second broad area to look at is where a company relies on third parties for some or all of its IT and security systems or IT services. There are so many possible combinations of own resources and/or systems, and third party suppliers, it is not possible to list even a substantial number.

Let us look at just one as a typical example. A company owns much of, but not all the hardware that comprises its entire IT system. It has licences of various third party software on this hardware, and that software manages the majority of (but not all of) the data the company generates and collects.

The company also has a managed services provider who oversees and controls the majority of the system, and it has a cloud provider.

The company’s business includes the gathering and creation of high value data, whether it be financial, personal or some other combination. What happens if a major security breach of its systems occurs and large scale losses are suffered by it and its clients? In such a situation, a great deal of time and money may be spent trying to isolate who, if anyone, was at fault, and how fault might be apportioned.

I am confident that more and more, certain key areas of law will come under pressure to embrace technological advances, and failures. In the scenario I have suggested, the first two areas of law that come to mind are contract law and the law of tort. The latter is a body of the common law that is built on duties of care.

Consider the following as potential duties of care:

  • To implement “reasonable” security measures and systems on computer networks
  • To have business practices that reduce the risk of external parties gaining access to data, both the company’s own and that of third parties
  • To have policies and procedures within your organisation to assist in reducing the risk of security breaches, and to minimise damage if one occurs
  • To comply with, or to have taken steps to comply with, external security and related standards
  • To recognise the exposures created through a multi-level, multi-party IT supply system, and to put in place appropriate measures to minimise exposure and to back up vital data
  • To ensure statutory requirements like those under the Privacy Act are complied with

Imagine the potential number of duties of care the parties involved in the suggested scenario might owe. Consider the contractual mire that might exist between the various parties, and how those contracts may need to be reconciled.

Understanding the totality of your own business systems, the potential duties of care and who owes them to whom, and the contracts that relate to them, is becoming more and more a critical aspect of business and risk management. I expect them all to be put to the test in the very near future.

Guy Betar is a corporate/IT lawyer with more than 20 years’ experience. He is currently special counsel at Salvos Legal and can be contacted by email at guy.betar@salvoslegal.com.au.