The data and cyber regulatory regime in the EU – which includes, for the time being at least, the UK – is undergoing a very significant shake-up. The new General Data Protection Regulation which will come into force on 25 May 2018 will bring a number of new measures into play such as much increased fines (up to the higher of 4% of annual worldwide turnover or 20 million euros, in some cases) and mandatory reporting of most data security breaches. The new rules will also catch for the first time businesses established outside the EU but who sell to EU data subjects or monitor data subjects’ behaviour within the EU. Other changes afoot include the Network and Information Security Directive, which when implemented over the next two years or so, will cover critical infrastructure providers, such as key operators in the energy, banking, transport, finance and health sectors and, importantly, the digital sector; and the Electronic Identification Regulation which from 1 July this year will regulate providers of trust services e.g. businesses involved in providing identification, verification or authorisation of a person’s identity in electronic transactions.
The level of interest amongst regulators, and also amongst governments, is not surprising due to the high cost and disruption suffered. The Department for Culture, Media and Sport recently announced government research findings that two thirds of large businesses experienced a cyber breach or attack in the past year. And the same research revealed the high cost of cyber breaches and attacks to business, with last October’s attack on TalkTalk, for example, reported to have cost the telecoms company over £60m and led to the loss of more than 100,000 customers. The threat of cyber-attack comes from many sources, such as infections by viruses and malicious software, theft or fraud involving IT systems targeting things such as confidential information, intellectual property, credit card data and other personal information, incidents caused by staff and attacks by unauthorised outsiders, criminal, terrorist as well as nation-state-sponsored attacks such as the Stuxnet worm deployed to sabotage Iran’s nuclear program in 2014.
Apart from regulatory fines, cyber-related risks, costs and losses include wasted management time, legal and consulting costs, adverse publicity, reputational damage, loss of customer confidence, reduced sales, business and operational disruption, litigation risk such as contractual claims, allegations of negligence and, particularly in the US, class actions, and increased cost of insurance. Firms need robust cybersecurity programs to address these and other risks through focusing on areas such as compliance with applicable industry laws and regulations, implementation of information security policies and other best practices, vulnerability risk assessments and testing, employee training programs, incident response plans, insurance coverage review and investor communications.
Firms also need to develop robust approaches to contracting with third party suppliers in order to deal with issues such as compliance with laws such as the Data Protection Act, audit, background screening, information security and the like. Further, when thinking about existing contractual relationships, and with the explosion of cloud computing in particular in mind, firms should review, and stress-test, the array of contractual and other risks which may arise in the event that a third-party supplier who hosts or processes a firm’s personal data, customer credit card details or other confidential information is compromised. For these purposes all material outsourcing, cloud computing and other important supplier contracts should be reviewed along with the scope of services provided (which may have changed since the contract was signed) and an assessments of the risks undertaken.
In any business-to-business contract, it is highly likely that these issues will have been addressed to some degree or other, typically through some combination of representations, warranties, indemnities and general contractual obligations (such as those often imposed on data processors), which depending on the circumstances and the way that the contract is crafted will give rise to remedies such as service credits, step-in, termination and damages. Exclusions and limitations of liability will also be relevant. For example, it is not uncommon for the parties to a business contract to seek to exclude liability for what are usually referred to as indirect and consequential losses, and these clauses often include a laundry list of losses which, depending on their construction, may prevent a firm recovering lost or corrupted data, from recovering certain economic losses such as lost profits or business, or from seeking to recover for damage to reputation. Although firms with leverage will be able to ensure that certain clauses can be included to counter the risk, the firm needs to balance the risk involved with other considerations such as the price which it is willing to pay via a risk premium loaded onto the charges, and the alternatives such as insuring (or self-insuring) the risk itself rather than seeking to transfer it via the contract.