Cybersecurity: legal trends for a major business concern
August 2014 | EXPERT BRIEFING | RISK MANAGEMENT
Even if this theme is not – yet – permanently all over the news, over the past few years, cybersecurity has gradually emerged as a major business concern. It is indeed now unfortunately becoming more and more frequent to hear about data thefts, ransom demands for stolen data or even simple system vulnerabilities potentially affecting a huge number of users, be it individuals or businesses.
For instance, in France over the past few months, several leading businesses in a varied range of industries, including a major telecommunications operator, a leading provider of transportation and logistics services and even an international fast food pizza franchise, have been affected either by intentional attacks from hackers or by vulnerabilities in their IT system. But each time, the privacy of more than 600,000 customer records, including personal data such as email addresses or passwords, has been jeopardised, with potential major reputational risks at stake.
Of course, if cybersecurity threats can result from malicious attacks, uncontrolled data disclosures may also result from unintentional network vulnerabilities, such as an incorrect configuration of the network equipment or software.
Courts gradually confirm cybersecurity is a major feature of IT products/services
Even though such cybersecurity occurrences are often far less spectacular, in a growing number of situations, cybersecurity issues arise from simple negligence in setting up an IT system, either from the customer side or from the service provider side.
As parties more and more frequently litigate in order to determine the respective liabilities resulting from a security breach, the courts have recently confirmed in several situations that cybersecurity has become a key feature for technology products or services.
For instance, in France, a recent decision (Appellate court of Colmar, decision of 16 April 2014 RG 1A 12/05051) established that a flaw in the implementation of telecoms equipment could be equivalent to a hidden defect, triggering a possible reduction of the price of the services or even a cancellation of the sale since the security features of the telecoms equipment concerned are considered as a key feature of the equipment sold. Also, concerning the scope of the obligations of a provider of IT maintenance services, the Appellate court of Versailles recently ruled (25 March 2014) that a service provider, when contractually bound to provide general assistance services, is obliged to perform security checks of the IT system and to warn the customer who owns the IT system if potential vulnerabilities are identified.
However, it is important to note that, while the courts have gradually recognised that the manufacturer or service provider has a key role for the implementation of an IT system’s cybersecurity features, they have also clearly stated that the customer must take appropriate measures to protect the data on its IT systems. Failure to do so can jeopardise the ability of the customer to claim damages, at least for the part of the damages that result from a cause attributable to the customer (e.g., failure to effectively implement a data backup and restoration strategy).
The top-down approach of the EU cybersecurity directive
In this context of increasing cybersecurity awareness, the European Union has decided that implementing a harmonised cybersecurity framework between EU Member States is critical. As a result, a draft Cybersecurity Directive is currently under discussion.
The proposed Cybersecurity Directive is expected to create an obligation for each of the Member States to create a Computer Emergency Response Team and to adopt its own network and information security strategy. In addition, some of the key provisions of the Cybersecurity Directive are expected to impose on the operators of critical infrastructure (such as energy, transport, banking, stock exchange, healthcare etc.), key internet enablers (e-commerce platforms, social networks, etc.) and public administrations the obligation to assess the risks they face and to adopt appropriate and proportionate measures to ensure effective information security. These entities will also have to report to competent authorities incidents with a significant impact on the core services they provide.
Even though the provisions of the draft Cybersecurity Directive are mainly targeted at the aforementioned operators of critical infrastructures and key internet enablers, the obligations imposed on such operators to ensure a high level of cybersecurity will most likely be propagated to the service providers that contribute substantially to the activities of the operators of critical infrastructures or other key internet enablers.
Business impact of cybersecurity on contractual and compliance strategies
Now that cybersecurity is truly becoming a global concern, businesses obviously need to factor this topic into their legal processes. This is not only a matter of general compliance with mandatory legal provisions; rather, there needs to be a broader view to working with business partners, on a contractual basis, to apply principles ensuring a high degree of cybersecurity.
In practice, this would typically imply, for a business entering into an agreement for the provision of IT products or services, imposing on its contractor certain requirements in terms of data protection and security, security service levels and, of course, an obligation to promptly inform the owner of the IT system of any vulnerability or security breach affecting the system that comes to the contractor’s attention.
In an ever more connected world, adopting such contractual best practices will be key, not only to ensure a strict legal compliance, but most of all to effectively protect the data and intangible assets of the business, while receiving the benefits of a powerful and interconnected IT system.
Olivier Haas and Bénédicte Graulle are counsel, and Edouard Fortunet is an avocat, at Jones Day. Mr Haas can be contacted on +33 1 56 59 38 84 or by email: firstname.lastname@example.org. Mrs Graulle can be contacted on +33 1 56 59 46 75 or by email: email@example.com. Mr Fortunet can be contacted on +33 1 56 59 38 34 or by email: firstname.lastname@example.org.
© Financier Worldwide
Olivier Haas, Bénédicte Graulle and Edouard Fortunet