Could businesses be sued for data leaks?
When hackers exploited vulnerability due to software not being updated at a US credit agency, important data of millions of customers in the US, Canada, and the UK were leaked. The US federal authorities have launched an investigation that could lead to millions in fines. Bosses at the firm were questioned in a congressional hearing and the agency is facing the largest class action in US history. This sounds like the plot of a financial thriller, but the Equifax case did in fact happen and is a lesson for the future.
Apart from disrupting business activity, causing financial losses, and damaging a firm’s image, hacking can also lead to severe fines for failing to comply with personal data protection or cybersecurity regulations. Businesses which are victims of cybercrime might also be liable towards customers and employees for loss or leaking of important data. Compensatory liability is also possible under Polish law in cases of this kind, and may affect anyone. Cybersecurity reports show that approximately three quarters of businesses have experienced a cybersecurity incident of some kind, and these statistics are unlikely to fall in the near future. Former FBI director Robert Mueller summed up this situation well, saying “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again”.
Equifax data breach – case study
Equifax is a US-listed company that operates on the credit market. In addition to offering financial products, it collects and collates information about its customers and evaluates their credit rating and history. On 7 September 2017 the company posted a statement on its website saying that it was likely that customer data had been breached, affecting more than 143 million US residents and some customers in Canada and the UK. Among the stolen data were customers’ insurance policy numbers, dates of birth, identity card numbers, and residential addresses. The statement said that the breach had occurred at the end of May or beginning of June that year, and that the company had realised that it had occurred on 29 July. All of the information in the case shows that this is an example of inappropriate action and insufficient safeguards.
Unauthorised access was gained to sensitive data due to vulnerabilities in Equifax’ open source software, made by Apache Foundation. The vulnerability itself was discovered much earlier by the creators of the software, and a report, with the relevant patch (an update eliminating the problem), was produced at the beginning of March 2017. Equifax did not update the software, and hackers stole data of millions of customers (according to some accounts this might even have happened at the end of March 2017) with the probable intention of selling them. It is easy to see that one of the greatest cybersecurity incidents to date could have been avoided by adhering to basic procedures and ensuring that software was updated.
At the beginning of August 2017, which was a few days after the company realised that the breach had occurred but before it made it public, three Equifax managers sold parts of their stakes of a total value in excess of USD 1.7 million. These individuals were immediately charged with insider trading and attempting to use confidential information to quickly withdraw invested capital. They claim that they ordered the shares sold before they learned of the incident. As there was a delay in making the information public, and due to the coincidental timeline, it will be hard to prove that they are not guilty of wrongdoing; the case is pending. Equifax’ shares fell by more than 13% when the information was made public, and continued to fall in subsequent days. To date these losses have not been recouped.
The large scale of the breach led the US authorities to intervene. The Attorney General for the State of New York, for example, started an investigation into whether consumer rights had been breached. A class action was also filed on the day on which the breach was made public to gather as many claimants as possible in a single court case. The claimants allege that Equifax was negligent when ensuring security of customer data and took excessive cost-cutting measures in this area solely for the purpose of maximising profits. The largest class action in the history of the US judicature was filed against the company; the claim for compensation alone is for more than USD 70 bn. Many investigations directly linked to the incident are ongoing. The FBI, Federal Trade Commission, and Department of Justice are investigating, and there are thousands of individual court cases in addition to the civil action mentioned above and other subsequent class actions.
Although it is hard to imagine breaches on such a large scale in Polish conditions, similar situations are certainly possible. Financial institutions that store confidential customer information, rating agencies, construction and architectural firms, and institutions that deal with auditing, accounting and strategic and operational advice are particularly at risk.
Under Polish law, breach of information technology systems may give rise to particular obligations. Reporting obligations are usually the first mentioned. The GDPR provides for notification obligations in connection with incidents that can be classified as breaches of confidentiality, accessibility, and integrity of administered personal data. Depending on the level of risk to rights and freedoms of individuals, the controller is required to report breaches to the relevant authority or data subject who is at risk, and maintain an internal record of all personal data breaches. Information about compensatory claims under the GDPR can be found here.
There are also requirements under the National Cybersecurity System Act, which implements Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive) into the Polish legal system. Firms defined as key operators (firms in the energy, transport, health, and banking, and other sectors) have the strictest obligations. They are required, for instance, to create internal structures in charge of cybersecurity, implement effective safeguards, evaluate the cybersecurity risk, and provide information about serious incidents, and to handle them in cooperation with the Computer Security Incident Response Team at national level. Additional obligations (including reporting obligations) have been placed on digital service providers (providing online trading platforms, cloud processing services, internet search engines) and cybersecurity service providers.
Public companies also have to consider notification obligations under the MAR. If information about breach of an issuer’s customers’ data or other incident that poses a threat to cybersecurity is classed as confidential information under Art. 7 of the MAR, i.e. information of a precise nature which has not been made public which would have a significant effect on the prices of financial instruments or derivative financial instruments, the issuer is required to give the appropriate notification. Following these requirements prevents allegations of insider trading against persons who had access to the confidential information at an earlier time.
Businesses frequently forget about the possibility of civil claims when trying to fulfil administrative requirements. Claimants might seek compensation for breach of their personality rights or failure to comply with regulatory requirements resulting in them suffering a loss. Claims for compensation brought by the direct victims of breaches are becoming more and more common – consumers sue firms that manage their data or banks that do not observe their customer identification or transaction monitoring obligations.
In the Polish legal system, similar claims will usually be brought according to generally applicable rules on protection of personality rights under Art. 23 and 24 of the Civil Code. The catalogue of personality rights itself is an open catalogue, and therefore the list given only gives examples. In cybersecurity incidents, personality rights defined as customers’ external elements (for example if disclosure of confidential information could cause them to lose the confidence of the public), their image, secrecy of correspondence, and right to privacy might be particularly at risk. Often, one incident can be a breach of a broad range of personality rights (for example a leak of data from virtual disk space includes saved customer e-mail correspondence, private photographs, and videos of customers).
In addition to pecuniary damages for specific material loss, the aggrieved parties can also seek pecuniary compensation. It is claims of this kind that pose the greatest financial risk to businesses, especially when they are pursued by a large group. During this procedure, it has to be proven that an incident occurred due to culpability of a party that had an obligation to ensure security in cyberspace. In most cases, this will amount to demonstrating that a firm failed to observe standards for proper security of its customers’ data under the applicable laws and according to market standards.
Defence against claims
Cyberattacks are inevitable and will be experienced by more and more businesses in various sectors. To mitigate the adverse effects, measures must be comprehensive and risk management procedures have to be effective. The first priority is of course regulatory compliance, because even the fining alone by the competent regulatory authorities or a criminal conviction will be proof that is difficult to contest, and in certain situations will be a binding precedent. On the other hand, keeping safeguards at the legally required minimum can have equally adverse results and provide the plaintiff with additional arguments.
A comprehensive security system should play a preventative role and comprise appropriately designed technical infrastructure in the form of IT tools – SIEM tools, anti-APT protection, or a system operation centre (SOC). There should be a cybersecurity team (appointing a cybersecurity director or manager will be an additional safeguard) to manage these tools within the firm. The risk management procedures must be fully and regularly audited. This audit should not be limited to simple penetration testing. Creating a system of this kind is of course expensive, but the cost is a fraction of the potential cost in the event security was actually compromised.
The next step should be to develop procedures and standards for conduct to be observed in the event of an incident such as breach of the company’s customers’ data. Above all, the procedures must include requirements on clear disclosure of the incident, the method of communication with customers, and the order in which measures are taken to mitigate the effects of the breach. Clear procedures are a means of mitigating direct financial losses, but also of preventing serious damage to a company’s image.
Investment in cybersecurity securing a company’s interests
Businesses operating on a smaller scale assume that cybersecurity issues only affect the largest, global firms or particular areas of the economy. This assumption was proven wrong by the case of the UK supermarket chain Morrisons, where a disgruntled employee in the IT department copied the employee payroll and posted it online. The other employees sued their employer, and Morrisons was found liable by a court for the breach, but measures taken by the chain enabled the disclosed data to be quickly deleted. The chain was able to properly secure employees’ interests and ensure that no one suffered direct financial losses. On one hand this incident demonstrates that it is not only energy or banking sector firms that are at risk of incidents of this kind. On the other hand, it is proof that having the proper procedures in place and a quick reaction can reduce the risk of financial loss.
Cybersecurity is a continual process and is not a single act of harmonisation of systems with legal requirements. It entails a series of connected measures encompassing review of outsourced services or taking out insurance against cyberincidents. Only a complete range of protective measures will provide long-term protection of customers’ interests and protect against claims for damages.
Adam Polanowski, Łukasz Lasek, adwokat, Dispute Resolution & Arbitration practice, Wardyński & Partners