A ‘defensive shield’ for legal cybersecurity risks

The top lawyers in the UK’s largest companies have recently come together and recommended a strategic framework for handling cybersecurity risk.

That framework maps well to New Zealand, to what other cybersecurity specialists are doing, and to what senior managers and boards are or should be doing.

It is good stuff too to help get the attention of CEOs, boards and lawyers: although they know cybersecurity is an issue, they don’t necessarily have all the tools and detail on these increasingly bet-the-bank issues, as we outline here.

The report, Cyber security law and practice, was produced by the GC100, the association for GCs of the UK’s largest 100 companies.


It tracks the legal risks – we outline some of these below – and lists recommendations for a framework for handling the issues, including:

• Understand the legal framework, which is made up of multiple aspects, both domestically and internationally;

• Apply best practice cyber security standards;

• Ask a series of listed critical questions, to raise internally and with external suppliers, including external law firms (law firms are known for leaving the back cyber door open);

• Build a “defensive shield” against regulatory action and litigation.

That “defensive shield” is at the heart of the framework and can integrate well with what other experts are doing. The report notes:

“Organisations that track regulatory guidance, regulatory enforcement actions and court cases relevant to cyber security will be able to use their knowledge to construct a strong “defensive shield” against regulatory investigations and litigation arising from security breaches.”

Much of the legal exposure is reduced or eliminated if best practice procedures are used to reduce or eliminate cybersecurity risk. For example, the law of negligence and under the Privacy Act generally does not require more than best practice: 100 per cent protection is not expected (and can’t be achieved anyway of course). As with good IT practice, the level of protection will closely relate to the sensitivity of the information (John’s online pizza order is not particularly sensitive: his chlamydia history is).

Organisations can be exposed in multiple ways, both domestically and internationally.

Exposure can arise under the Privacy Act, and this is increasingly a big area, illustrated by the Privacy Commissioner’s recent decision to name and shame wayward companies rather than hold back as the Commissioner has in the past.

The law of negligence and duties as to confidential information can raise issues, as can the law as to IP. Two things in particular to watch for are getting contractual buy-in to cyber security obligations from suppliers, and downstream contracts which may extend cybersecurity duties to a 100 per cent requirement to ensure no breach.

All these need to mesh with IT, communications and governance strategies.

In the end, it is that defensive shield concept of keeping on top of the issues that is key, having established the approach initially. The report provides a framework to achieve this.

Michael Wigley is the Principal of Wigley + Company, a law firm specialising in ICT. He can be reached at michael.wigley@wigleylaw.com.


Copyright © 2015 IDG Communications, Inc.
