Cyber security breaches and cybercrime are at an all-time high. The techniques used are getting more advanced, and the tools to enable cybercrime (such as ransomware software) are now widely available. From a business perspective, an organisation’s reputation, finances, and compliance with the law can all be affected by network breaches and cybercrime.
This article discusses preventative steps to reduce an organisation’s exposure to cybersecurity breaches.
Cyber Security Plan
As a first step, we recommend creating a cybersecurity plan which is specific to your organisation (or engaging an expert consultant to do this).
A cybersecurity plan will identify exposure points/risks for your organisation, assesses those risks and determine security measures and protocols to manage those risks.
For example, phishing emails are a common way for attackers to attempt to access networks. Phishing emails look to deceive the individual into entering sensitive information or downloading malicious software.
These emails masquerade as being genuine and sent for legitimate reasons. By being sent in mass, all it takes is one employee to click on a link/open an attachment and subject your organisation to great harm. If you have many employees, this risk can be significant.
You can reduce this risk through various steps including up-to-date email filtering, employee education and awareness. Many organisations now require all new employees to complete some form of cybersecurity training. In addition, some organisations send ‘test’ phishing emails to employees (to check whether employees are adhering to cyber security policies), where a report logs if the phishing email is either reported as malicious (good), or a link is followed/opened (bad).
Cyber Insurance
If your organisation has any form of exposure to cyber risks, we recommend obtaining cyber insurance. Cyber insurance helps by minimising the financial losses experienced in cyber security breaches and cybercrime. Coverage may include costs for data recovery, forensic investigations, customer notifications, and loss of business income.
Contracts
From a contractual perspective, we recommend that you review your organisation’s terms of trade and contracts, paying close attention to clauses that reference data breaches, cyber security, liabilities and disclaimers. Contracts and terms of trade that are well-prepared can help mitigate cyber risks and should be carefully prepared for your organisation’s specific circumstances.
Disclaimers of Liability
You should consider whether appropriate disclaimers from liability are included in your organisation’s terms of trade and other relevant contracts.
For example, where your organisation uses a third-party supplier to host customer data, the third-party host suffers a data breach then your customer data could be compromised. This breach may be from no wrongdoing of your organisation, yet your organisation may be liable to customers if your contracts do not contain the appropriate disclaimers.
For this reason, we recommend that your contracts contain disclaimers tailored to your organisation’s activities.
Assurances
We recommend that you avoid ‘absolute’ assurances for data security, privacy and confidentiality in your terms of trade.
In the current digital age, it is often impossible to ‘guarantee’ or ‘ensure’ data security, privacy, and confidentiality to customers.
Liability cap
You should consider including a liability cap in your contracts (including your terms of trade) if it is possible to do so. A liability cap limits your organisation’s potential liability under the contract to a specified amount. The cap may be a multiple of the fees paid or a maximum value.
Hosting providers
If your organisation stores customer data with third parties such as online data storage providers (i.e. in ‘the cloud’), you should ensure that your customer contracts and privacy policies give you the right to do so.
In addition, you should review your services contracts with third-party providers to ensure they contain adequate security and protection measures. In what jurisdiction is the data hosted and what controls does the provider have in place?
Privacy Act
You should ensure that you are familiar with the Privacy Act 2020 (the Act) and how this applies to your organisation. The Act imposes obligations on organisations in how they are to collect, store, use and disclose data.
Importantly, unless a relevant individual has authorised disclosure of their personal data outside of New Zealand, the disclosing party (such as your organisation) will need to ensure that the information will be protected by safeguards comparable to New Zealand’s privacy laws before transferring it offshore.
An exception to this exists where personal information is transferred to an offshore data processer (e.g. a cloud storage provider), provided that the offshore data processor does not use the information for its own purposes.
If you intend to use social media plug-ins (Facebook, Twitter etc.) on your website, or utilise any offshore service providers (such as marketing or survey companies), you should obtain authorisation from users of your website permitting their information to be disclosed to these recipients.
To obtain authorisation, we recommend that you adopt a privacy policy and implement a pop-up on your website when a user first visits your website, containing a link to your privacy policy and requiring the user to ‘accept’ the privacy policy.
A privacy policy that has been tailored to your organisation’s specific practices for collecting, storing and using personal information is an important measure to reduce the risks involved if a privacy breach occurs.
If a privacy breach occurs that either causes or is likely to cause anyone serious harm, the affected organisation must notify the Privacy Commissioner and any affected people as soon as practically able to do so. This can be a huge task, with significant costs involved and sizable fines for non-compliance.
Summary
Most organisations face a range of cyber risks daily. By being proactive in identifying these risks, and by assessing and implementing appropriate cyber strategies, organisations can reduce both the risks of suffering a security breach, and the consequences if this occurs.
Contracts (including terms of trade) and up-to-date privacy policies are an important part of an overall cyber risk strategy. We recommend reviewing these documents and obtaining legal advice to ensure that these documents best suit your organisation’s needs and the cyber risks it may face.
If you would like to have a conversation with us about cyber security and how this may impact your organisation, please get in contact with us.
Disclaimer
This article is provided to assist clients to identify legal issues on which they should seek legal advice, and by its nature cannot be comprehensive and cannot be relied on as advice. Please consult the professional staff of Clendons for advice specific to your situation. Clendons has experience advising on cyber security and cybercrime and can assist New Zealand organisations with these issues.