The cyber-threat to UK business is “significant and growing”, according to the UK's National Cyber Security Centre (NCSC) and National Crime Agency (NCA). In the three months following the setting up of the NCSC in October 2016, the UK was hit by 188 high-level attacks as well as multiple lower level attacks and data breaches. In May 2017, the NHS was among many organisations across the globe that were affected by the WannaCry ransomware attack.
Last year, for the first time, questions about fraud and computer misuse were added to the Crime Survey for England and Wales (CSEW), alongside statistics for conventional crime. The CSEW estimated there had been 5.6m fraud incidents in the preceding 12 months, with just over half of these (53 percent; 1.9m incidents) cyber-related, and two million computer misuse incidents.
Integrated legal and comms strategy
The impact on organisations that are victims of cyber-crime ranges from a negative effect on brand reputation and share price through to the very real risk of legal action by data protection authorities or by third parties who have been affected by the crime. Every organisation should assume that it will suffer a cyber-crime at some point. It is vital to plan for that eventuality by preparing an integrated legal and communications strategy ahead of any incident. Yet there is still a widespread lack of adequate preparation in terms of crisis management and internal communications processes for dealing with high-profile cyber-threats.
When, not if, an organisation experiences cyber-crime, it will need to be confident that it did everything it could to meet its legal obligations for securing its systems. IT security is just a starting point when it comes to the legal considerations relating to potential cyber-attacks. In the face of a rising tide of legislation it is also important to ensure that the organisation has done everything it can contractually to limit the risks arising from a cyber-attack or data breach.
The primary legislation relating to computer misuse is contained within the Computer Misuse Act 1990 (as amended by the Serious Crime Act 2007). However, other legislation may also be relevant, such as s55 of the Data Protection Act 1998, the Fraud Act 2006 and/or common law offences such as Misfeasance in a Public Office. More legislation and regulation relating to cyber-crime and data loss is emerging. The EU directive on cyber-security, GDPR, comes into force in the UK on 25 May 2018. The Investigatory Powers Act 2016 received Royal Assent on 29 November 2016, and its “codes of practice” consultation was published on 23 February 2017. The Digital Economy Act 2017 received Royal Assent on 27 April and contains further legal implications relating to cyber-crime.
At the heart of this legislation and regulation is the need to keep computer systems and data secure and to limit, investigate and act on internet and computer misuse – failure to keep system security up to date has increasing legal ramifications. In the past, some high-profile data breaches and cyber-crimes were characterised by delay on the part of the organisation suffering the incident in notifying the authorities, and by poor communications to customers and the press. That is no longer an option.
Here are some guidelines to help develop specific legal and communications best practice ahead of a cyber-crime:
- Create a multi-disciplinary crisis team. This should bring together, possibly for the first time, IT security staff, legal advisers and PR and communications advisers – internal or external. This team should not only create a crisis response strategy, but should also support it with a crisis communications plan. Test as much of the communications plan as possible, making sure that everyone's contact details are up to date, and keep key stakeholders such as customers, press and legal staff informed in an appropriate manner.
- Keep good, detailed records, as these will form the basis of any prosecution for a cyber-attack. If there is a clear audit trail, for example tying individual product numbers to transactions, it may be much easier to prosecute for fraud once fraudulently obtained goods are located. In the event of a cyber-attack, organisations are increasingly gathering internal, internet-based evidence themselves before going to the police and requesting assistance.
- Keep internal and external communications simple, factual and brief. If there has been a cyber-attack or data breach it is vital to communicate clearly and swiftly with parties ranging from authorities such as the police and data protection authorities through to shareholders, members of the public, suppliers and partners. Avoid jargon and reassure people as to the extent of the breach and what is being done about it to limit the damage. Take legal advice on these communications before any crisis, to ensure that the communications do not land the organisation/individuals in further difficulties, by inappropriately admitting liability or committing Computer Misuse offences, for example.
- Include requirements for cyber-security in employee contracts. Identify your crown jewels – data or parts of the system that are critical to the well-being of the organisation – and ensure that permissions to access this part of the system are locked down, both in IT security terms and legally. Make sure that employees know it would be a breach of contract to access parts of the systems that they do not have authority to access. Some companies include in their employment contracts the proviso that individual employees' computers and mobile devices may be confiscated for security checks at any time without notice.
- Address the risk from disgruntled ex-employees. Develop dismissal procedures that make clear that employees do not have the right to access systems after they have left the company. In one case, a former employee looking to take legal action against their erstwhile employer accessed the email system to find what they hoped would be an incriminating email from the boss. However, this access in itself contravened the Computer Misuse Act 1990.
In the fake news era, it is more important than ever to prepare for crisis communications to limit the damage resulting from cyber-crime. More than a quarter of crises spread to international media within an hour and over two-thirds within 24 hours, according to research by one law firm. Combining a best-practice approach to the legal aspects of reputation management with effective interaction with stakeholders, including the media, is key to emerging from a cyber-attack in a robust condition, ready for business as usual.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.