Opinion.

Cyber security – blanket?

13/11/2014

At a glance

Many have said that the next ‘real’ war will be one fought in cyberspace. Some would argue that a cyber-war is already being fought, every day. Whatever your particular point of view, the question for many commercial organisations, as well as their professional advisers, is not if, but when a cyber attack will occur. This means that a proper understanding of the topic, supported by a good grasp of the key legal and regulatory issues, is important. It can help to deliver some comfort beyond a mere security blanket.

In detail

Perhaps unsurprisingly in a relatively new and rapidly evolving area, one of the main challenges in the field of cyber security is a lack of real understanding or clarity over what the various pieces of the cyber security jigsaw look like or how they fit together, let alone what the whole puzzle looks like. The landscape is huge, encompassing the application of information security across all relevant networks and devices and everything else necessary to protect system integrity. From a legal and regulatory perspective, hotspot areas include privacy, data protection, protection of intellectual property and various other types of civil and criminal liability.

To start with, let’s consider some of the latest issues and developments on both sides of the Atlantic. Recently, there have been significant moves by lobbyists in the US to encourage the Senate to enact new cyber security legislation, for example. This has, in part, been propelled forward by recent high-profile revelations over electronic ‘eavesdropping’, both domestic and international, by the National Security Agency. As well as the implications of cybercrime and the core issues surrounding threats to privacy, clearly a key concern for businesses is the risk of liability for data being leaked as a result of a ‘hack’ or even disclosed as a result of government intervention or the intervention of a regulator.

At a time when many businesses already spend a lot of time and resources on their IT systems, there is an increasingly common view that, in a variety of situations, business and government are just not on the same page regarding data security. Some feel that, without intervention from the legislature and clearer rules which operate on a practical level, businesses will continue to be at loggerheads with the authorities. Businesses are expected to safeguard private data (and may suffer legal liability if they do not), whereas the authorities may need details of cyber security breaches to be disclosed to them, in order to tackle criminals, or may even require data to be disclosed in the public interest.

In Europe, the proposed Network and Information Security (NIS) Directive has been the subject of much discussion since it was published by the European Commission earlier this year. Tagged as the “Cyber Security Directive”, the proposals include new notification obligations for various organisations (ranging from public authorities to banks to cloud service providers), meaning that, in the event of a cyber attack on a significant scale, they would be obliged to notify regulators. While one of the stated aims of the new Directive is to minimise the cost and disruption to trade caused by cyber security breaches, the costs of complying with the new law when it comes into force could be significant. Whilst the irony is not lost on those in the industry who will likely need to find budget for this, we are still at an early stage in the evolution of this framework, so the ultimate costs are unclear.

Although the NIS Directive is still in draft form, cyber security is a hot topic and the European Parliament recently released a report on Data and Security Breaches and Cyber Security Strategies. Regarding the cyber security puzzle mentioned above, the Parliament’s report is unequivocal: “No-one currently has a clear understanding of how all the different pieces fit together”. However, even on the more fundamental level of diagnosing problems or even spotting breaches in the first place, there are some huge challenges. According to statistics from Mandiant Corporation, it takes an average of 416 days to detect a security breach.

The report emphasises that terminology which is used in the field of cyber security, both colloquially and in law, is simply not clear and not sufficiently understood, stating that there is a lack of “consistent and unambiguous definitions”. The report also confirms the experience of many professionals in this space that while the terms ‘breach’, ‘data breach’, ‘security incident’ and others are all connected and are regularly used interchangeably, they are contextual, subjective and potentially unclear in meaning. Putting it bluntly, how are we supposed to tackle the cyber security problem head-on if we can’t adequately understand or communicate its constituent parts?

So, given the importance of the topic, its various layers of complexity and potential confusion over terminology, where do we stand and what should we do?

The following are recommendations for those wishing to keep their head above water:

1) Ensure that you fully understand your organisation’s risk profile by assessing it properly. This will include analysing specific risks in your business sector and business activities, auditing the integrity of IT systems and considering legal and regulatory obligations. This task will, inevitably, involve cross-disciplinary teams, resourced internally and/or externally depending on the circumstances.

2) Understand your organisation’s obligations and risks in all relevant jurisdictions, being very clear about the various legal and regulatory frameworks involved and what is needed to ensure compliance and risk management. We live in a global society and networked technologies increasingly know no boundaries. An international outlook is essential.

3) Take steps to ensure that relevant business contracts are properly negotiated to protect your organisation to the maximum possible extent. In addition, understand the different layers of protection which you have or which you can implement, including the extent to which you can and should insure against the risks involved and, on a practical level, whether your disaster recovery systems are effective, robust and (where relevant) compliant.

4) Implement suitable policies, procedures and controls to avoid exposure where possible and which, in the event of exposure, help to mitigate the damage from a practical and legal perspective.

5) As well as being up-to-date with existing best practice, be ready for new developments (whether technological or legal/regulatory) in good time. This can be invaluable, not only from an operational and compliance perspective but also from the perspective of anticipating and managing costs.

When problems arise, you need to be proactive. Simply being reactive is likely to result in decisions being taken and courses of action being followed which are less considered and planned than they ought to be. Remember, too, that timings are often critical and suitable preparation will save time in a pressured situation.

IT systems are not infallible – ever. Neither are people. However, good understanding of the various issues involved, coupled with suitable preparation and planning, will help to give your organisation the protection that it needs.

Tim Ryan

This article was originally published in “Legal IT Today”.

Information contained in this post does not constitute legal advice and is provided for informational purposes only. Recipients should not act upon it, but should seek legal advice relevant to their own situation.