Cyber threats from a legal point of view – how to prepare and the first steps after an incident has been identified
August 2015 | SPECIAL REPORT: TECHNOLOGY IN BUSINESS
Financier Worldwide Magazine
Cyber crime is one of the fastest growing types of crime. Different kinds of cyber attacks have become a significant risk for companies of all sizes and in all business sectors. When companies shift their activities from the real world to the virtual world, the threats that the company faces also change. A characteristic of cyber attacks is that they may not be easily discoverable. It is far easier for a company to notice someone having broken into the company’s safe than it is for the company to realise that someone is accessing a database containing customer data or company IP.
In February 2015, the Finnish Chamber of Commerce conducted a survey on cyber threats. More than 700 Finnish companies responded to the survey but only 31 percent of respondents had an action plan to counter cyber threats and only 10 percent of respondents had practiced executing the action plan in some way. According to the survey, secure processes and personnel training play important roles in the fight against cyber threats. The first step in the fight against cyber crime is, however, to recognise that risks exist.
In this article we discuss the legal aspects of cyber threats. Any references to legal requirements are to Finnish law.
How to prepare
Companies can take a number of steps in order to mitigate cyber risks. Everything begins with appointing a person to be responsible for cyber security. This person should preferably be a member of senior management. One person, however, is rarely enough to maintain a sufficient level of security. In practice, this means that a group of people from different departments will have to be engaged in educating employees and to take any day-to-day actions that may be necessary. In order to understand the risks involved in its various data processing activities, a company should conduct an internal audit to document its current policies and practices, such as database locations, data flows, user access rights, and to identify databases that contain either personal data or company IP (or both) and understand where the risk lies.
Often a company uses third party service providers for its various data processing activities involving personal data and company IP. When drafting and negotiating such agreements it is important to include in the agreement clauses requiring the service provider to follow the company’s instructions, maintain a sufficient level of security and ensure, for example, that the company has the right to audit the service provider if a cyber attack has taken place. These are just a few examples of important issues that should be addressed in the agreement between the parties. Unfortunately, however, agreements often do not say much about these issues, which means that the courses of action available to the company, if attacked, may be limited by a poorly drafted agreement. Today, various insurance products for different kinds of cyber threats are also available.
While a company’s employees are its biggest resource, they are also its biggest threat – and cyber threats are no exception. On an ongoing basis, the company should train its staff on how to prevent cyber attacks. It should also prepare an action plan for the eventuality that something happens. Members of the cyber threat response team should have clearly defined roles and duties and should have practiced executing the action plan before a real incident takes place.
Steps to take after a cyber security incident
When a cyber security incident has been identified, it is of the utmost importance that the target organisation takes immediate steps to minimise risks and business impact. As a first step, the organisation must form a team of specialists from IT, security, HR, legal, finance and communications to investigate the incident and coordinate the company’s response. It also important to verify whether the organisation’s insurance policy covers the incident in question.
After the response team has been created, the team must conduct an internal investigation to discover the nature of the incident and any possible loss of data, trade secrets or other sensitive content. If the investigation requires access to employee emails or employees are discovered to have been involved in the incident, it is important to comply with all applicable employee and data privacy laws when conducting the investigation. In Finland, for example, employers are not allowed to access or open employee emails without the prior, explicit consent of the employee in question. Furthermore, if the breach is found to have taken place in the service provider’s systems, the relevant ICT agreements must be reviewed in order to ensure that it is possible to conduct an audit of the service provider’s systems. As regards company IP, the response team quickly needs to determine whether any IP has been lost or stolen in the incident. If an unpatented invention has been disclosed to the third parties as a consequence of the attack, a patent application must be filed within six months after the unlawful disclosure. Otherwise the company could completely lose the right to apply for patent protection for the invention. The financial implications of this can be disastrous.
From a technical perspective, it is vital that the company’s IT systems are secured and the attack brought to an end. In practice, this may mean that the company’s network must be contained partially or even in its entirety. One of the most important things during this phase is to document the investigation and steps taken and ensure that all evidence is preserved for further legal action. A classic mistake, and a way to destroy valuable evidence for legal action, is to unplug servers and computers in an uncontrolled manner after detecting the breach.
The target company must also consider whether it is under an obligation to inform customers or government agencies of the incident. Under current law in Finland, customers do not need to be notified unless the company is a telecoms operator. This will change when the EU’s reformed data protection regulation come into force. The new regulation requires that ‘data subjects’, e.g., customers, must be told without undue delay if their information has been hacked.
Under the new regulation, failure to comply with this notification requirement could lead to high fines (up to 2 percent of the company’s global turnover). The same sanction may in the future apply if the company’s technical security measures to protect personal data are found to have been inadequate. Even though most companies in Finland currently do not have a mandatory obligation to notify third parties of a cyber security incident, disclosing the incident both internally and externally can in many cases be a good idea. This is especially true where customers’ personal data or passwords have been lost or disclosed. These incidents will usually become public one way or another in any case. Well-managed internal and external crisis communication in a timely and open manner is essential.
In Finland, cyber crimes are investigated by local police and the National Bureau of Investigation. Unfortunately, no accurate statistics on the number of cyber attacks in Finland exists as in many cases these are not reported to law enforcement. The Ministry of the Interior has, however, estimated that the level of hidden crime in this area is high.
Eija Warma and Sakari Salonen are counsel at Castrén & Snellman Attorneys. Ms Warma can be contacted on +358 20 7765 376 or by email: firstname.lastname@example.org. Mr Salonen can be contacted on +358 20 7765 211 or by email: email@example.com.
© Financier Worldwide
Eija Warma and Sakari Salonen
Castrén & Snellman Attorneys