By Ann-Marie Grace | December 4, 2017
A Summary of three articles in The International Comparative Legal Guide: Cybersecurity 2018, and their relevance to Photobox Group Security
The general thrust of the articles in the guide endorses the Photobox Group's approach to security, particularly the following practices:
- Assessing the fluid, evolving nature of cybersecurity
- Understanding the importance of openness and sharing information to develop and adopt best practice
- Acknowledging that good security is about risk management spanning technology, people, and processes
In particular, the article ‘Enemy at the Gates’ considers the elements essential to a good 3rd party agreement, and gives a useful checklist for 3rd party agreements that should be compared against what Photobox has in place.
Article 1: ‘Would the Standard of CyberSecurity be improved by the introduction of mandatory Cybersec Controls?’
- Considers the mandatory cybersecurity requirements that some organisations (SWIFT, for example) impose to ensure their clients meet certain security standards
- Mentions a UK survey that shows the directors of more than two thirds of the largest public companies have no training in responding to cyber attacks, and 10% have no incident response plan
- Questions how a meaningful set of controls can be applied in such a fluid environment and how these could be counter-productive
- Notes that as business and technology evolve, so too do cyber threats, and so should cyber law
The article further considers:
- The UK sees GDPR as an opportunity to improve cyber risk management and has stated they ‘will ensure that cyber security is at the centre of the way we promote and implement the GDPR’
- The EU supports harmonised cybersecurity standards
- A key pillar of this is the NIS Directive, which is principles-based rather than standards-based: it requires appropriate measures for the security of network and information systems to prevent, and minimise the impact of, cyber security incidents. Organisations will have to determine for themselves the steps required to comply
- The UK government approach mirrors the Photobox approach:
  - It recognises that an organisation can’t be immune from a cyber incident, and that good cyber security is a question of risk management spanning technology, people, and processes, rather than having a rigid set of rules in place
  - Greater awareness of the threats, risks, and best practice security controls is essential
  - Improvement of information-sharing & co-operation [among businesses & regulatory bodies] will be beneficial
Article 2: Enemy at the Gates: Threat posed by outsourcing, partnering, and professional advisors (3rd party suppliers)
- Describes the tendency of businesses to focus only on their own defences as naive
- Notes that suppliers hold business data and may share access to systems, thereby forming an important part of the defences against breaches
- States that businesses should ask themselves:
  - What do they know about their 3rd party suppliers & their security?
  - What steps do they need to take to ensure their suppliers' security is maintained to their own standards?
- Notes that only 13% of UK businesses require their 3rd party suppliers to adhere to specific cybersecurity standards
- Mentions law firms, accountants, and management consultants as examples of service providers who have access to sensitive and valuable data, and are therefore a target for cyber attacks
Who is liable when a data breach occurs at a 3rd party?
If personal data is compromised as a result of a cyberattack on a 3rd party supplier, the business which outsourced the services may face enforcement action by the ICO. For example, the Crown Prosecution Service was fined £200,000 when 3 laptops containing videos of police interviews were stolen from a 3rd party service provider in a burglary. The CPS was found to have contravened data protection law because it had obtained no guarantees from the 3rd party about how the recordings were stored.
Under GDPR, penalties will be much greater.
The many benefits of a well-drafted 3rd party agreement
When well-drafted, 3rd party agreements provide clarity of parties’ rights and obligations when it comes to cybersecurity, and help to clarify the risks specific to the relationship.
An exemplary 3rd party agreement will cover the following:
- Basic security provisions
  - Physical security requirements for the 3rd party's premises
  - Vetting requirements for 3rd party staff & contractors
  - Use of an agreed, manufacturer-supported, password-protected OS
- Specific data security provisions, i.e. requirements about the use and storage of data, e.g.:
  - How will data be given to the 3rd party?
  - Should it be encrypted?
  - Should it be backed up? By whom?
  - For how long should it be stored?
  - How & under what circumstances should it be destroyed or returned?
- Co-operation provisions
  - Information requirements, so that the business can obtain all the information it needs to ensure compliance with data protection provisions
  - Co-operation provisions to ensure data security audits are effective
  - Review & security testing requirements
  - Staff training provisions
- Breach provisions
  - Notification requirements
  - Further co-operation requirements to ensure breaches are investigated and managed effectively
- Business continuity provisions
  - Indemnity & limitation of liability clauses. As GDPR provides for higher fines than current domestic legislation, it may be prudent to revise these clauses
Checklist to mitigate the 3rd party threat:
- Have you mapped out who holds or has access to your data?
- Have you considered the business rationale for and appropriateness of providing data to each 3rd party supplier?
- Have you conducted recent & reliable due diligence on each 3rd party supplier?
- Have you conducted & documented a security assessment of your risks specific to each 3rd party supplier?
- Does your contract require 3rd party suppliers to comply with international security standards?
- Does it make specific provisions for the security of data throughout transfer, use, storage & deletion?
- Does it provide for security with respect to physical premises & people?
- Does it preclude the use of sub-contractors without authorisation?
- Do your 3rd party suppliers provide regular reports to you regarding security testing, risks, and status updates?
- Do you regularly audit 3rd parties for security risk?
- Do you have effective access to the data they hold?
- Do you have records of the data processing activities conducted by 3rd party suppliers?
- Are your 3rd party suppliers contractually or otherwise obliged to report data breach and/or loss to you?
- Does your cyber incident response plan consider data breach at a 3rd party supplier?
- Can you cooperate with regulators’ requests for information and/or access to data?
- Do you have and can you enforce indemnity clauses for data breach in the jurisdiction in which you operate?
Article 3: Directors and Officers’ liability for Data Breach
Interesting piece on shareholder derivative lawsuits. These are claims brought by a shareholder or shareholders on behalf of a company. Usually the defendants are executive officers or directors of the company, and the claim seeks to enforce a corporate right that the company itself has not enforced (a duty of care has been breached and the company has suffered harm as a result). The article gives examples of suits in the US following immense data breaches (Wyndham 2014, Target 2013 etc.)