Cyber Risk Legal update - December 2014
Cyber Insurance, Privacy & Data Security
2014 has been another year of high profile attacks on global corporations, with cyber-crime showing no signs of abatement.
This month we have chosen three recent cyber risk themes which draw 2014 to a close but set the scene for 2015: cyber risk implications for directors and officers; the global nature of cyber threats; and the implications of cyber risks for the wider insurance market.
The highly sophisticated cyber attack on Sony last month highlights how organised criminal gangs are using new, widespread and disruptive techniques to attack businesses today. The attack has been described as "unprecedented in nature" and it demonstrates that IT security measures at the largest of corporations can be ineffective at avoiding sophisticated attacks.
The financial repercussions for Sony, and indeed any corporation subjected to a cyber attack, can be significant, not only from the immediate costs of investigating the incident but also from the long tail exposure to regulatory investigations, civil claims and heightened compliance programmes. These exposures, coupled with reputational damage, can reduce share price and harm investors. Directors & Officers are increasingly being held responsible for preventing such incidents and, if they do not, may face regulatory criticism and civil claims. For a more detailed consideration of cyber risks for D&Os, please see our recent article here.
The Sony attack also highlights cyber risk as a global phenomenon. The media has suggested that North Korea carried out the attack because it was disgruntled with Sony's recent film premiere involving a plot to assassinate North Korea's leader. Whether or not this is true remains to be seen, but the media has suggested there are organised gangs in Russia, Eastern Europe and China and the FBI has said that certain nation states (including some based in the Middle East) have the capability to carry out such attacks. Jurisdictions around the world are awakening to cyber risks and mitigation strategies. The global opportunities for insurers were discussed in our recent seminar on global cyber risks, and you can watch the highlights here.
Finally, a further emerging cyber risk issue is how insurers, and indeed the insurance industry as a whole, should grapple with the exposure to cyber-attacks under existing lines of business. We are looking forward to seeing the outcome of Lloyd's data collection exercise and the adoption of the new "CZ" risk code for Cyber Security Property Damage in 2015. These were recently announced by the award-winning Tom Bolt and his performance management team at Lloyd's.
We end the year on a happy note, wishing you all a Merry Christmas and a cyber safe New Year.
For DAC Beachcroft privacy updates, please follow us at @DACBprivacy.
EU Data Protection Regulation Developments
Updates from around the World...
- Germany – concerns raised by the association of data privacy officers of Germany following the draft law on IT security
- Italian data protection authority rules that consent obtained for sending of email newsletter not sufficient to cover advertising emails
- Italy - Supreme Court rules that a data breach does not automatically entitle a data subject to damages
- Brazil – right to be forgotten bill introduced into Brazilian congress
- Germany – resolutions adopted at German data protection commissioners conference
- Italian Government publishes internet bill of rights
- Luxembourg – update to proposed e-archiving law
- Spain - guide on privacy impact assessments issued by Spanish data protection authority
- The Spanish agency of the official state gazette has published a code on the right to be forgotten
- Turkey introduces new law on e-commerce
- Czech data protection office issues workplace privacy guidance
- Cyprus – Commissioner for personal data protection publishes its annual report 2013
- Austrian DPA opinion on CCTV and 'dashcams'
- Hungarian DPA recommendation on the use of drones
- Portugal – guidelines on the use of geolocation devices in the workplace setting
- Irish law reform commission launches public consultation on cyber crime
Key Dates Calendar
For more information on DAC Beachcroft please contact:
Rhiannon Davies, Associate
+44 (0) 20 7894 6577
You might also like ...
September 2014 update
Cyber security is about risk reduction, not risk prevention. No system can ever be 100% secure, particularly when constrained by financial resources and the exposure to human error or behaviour.
The law governing data security is similarly not absolute. For example, the Data Protection Act 1998 ("DPA") demands that an organisation has "appropriate" technical and organisational security measures.