Cybersecurity: Legal Obligations for Companies and Directors

  • Security
  • 08.12.2020 03:17 pm

The recent ransomware attack on Manchester United’s IT network has brought the increasing risk of cybercrime to the forefront of public consciousness once again. 

Other high-profile cyberattacks in recent years include Software AG in Germany, French IT service giant Sopra Steria, the hotel chain Marriott, MGM Resorts, Twitter and Zoom. 

Cybersecurity is, without question, a major concern for every organisation that operates with digital technology. Beyond wanting to protect intellectual property, brand reputation and capital investments, businesses have a legal obligation to protect the personal data of employees, customers and third parties. 

Companies that fail to implement an effective multilayer cybersecurity strategy that prevents data breaches, or at the very least minimises the damage they cause, are liable to pay penalties. In some instances, company directors may also be deemed to be in breach of personal regulatory obligations.

International Cybersecurity Regulations

The legal obligations for a company to take precautionary cybersecurity measures typically differ from one jurisdiction to the next. However, in general, every company in the world is bound by international security regulations stipulated by the EU-US Privacy Shield and the General Data Protection Regulation (GDPR).

The EU-US Privacy Shield is a cybersecurity defence program designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration. 

The framework requires participants to maintain data integrity and purpose limitation, ensure accountability for data transfers to third parties, and certify a commitment to apply the principles of the Privacy Shield.

The basic rules of the General Data Protection Regulation (GDPR) stipulate that companies must include a privacy policy on their website, inform customers of their right to access their personal data, provide a dispute resolution process, and limit the personal information collected to what is needed for the purpose of processing. 

Cybersecurity penalties are designed to make non-compliance a costly mistake. In 2020, GDPR regulators issued hundreds of fines to companies including Google and Facebook. GDPR.EU reported that fines amounting to more than €114 million were issued in the first 20 months.

Cybersecurity Regulatory Obligations

Cybersecurity breaches may extend to the personal liability of company directors. Regulatory bodies, such as the financial services regulatory board, will closely scrutinise the acts of directors during an internal investigation of a reported data breach. 

In the UK, for example, if a company director fails to uphold their regulatory duties by not properly managing the cyber risk faced by the company, a claim may be brought in tort for misuse of private information.

Whilst these claims are brought against the company, directors are typically brought into the spotlight. Publicity in high-profile cases, especially in local press publications, can damage an individual's personal reputation. 

Data protection laws are still in their infancy, and until the legal system irons out the creases, cases brought under the Data Protection Act and other cybersecurity laws and regulations will accumulate in the court system. 

For companies that collect the personal data of individuals and third parties, understanding cybersecurity laws can feel overwhelming. Speak with a specialist in cybercrime, understand your obligations and prevent attacks.