The unexpected legal consequences of cyber-attacks
In December, Yahoo! reported two unprecedented cyber-attacks, which were the biggest data breaches in the history of the Internet, involving the leak of the confidential details of more than a billion accounts. However, the biggest problem that Yahoo! is currently having to cope with is not the direct damage from the attack on its servers but several class action suits filed against it and the investigations by Congress and the US Securities and Exchange Commission (SEC) for its tardy reporting of the incident. Moreover, the merger with Verizon is now in doubt.
Yahoo's case illustrates the grave legal repercussions that a cyberattack can have for companies. They can be exposed to lawsuits from customers whose personal details are compromised, from credit card companies and from companies with which they have specific confidentiality contracts. Individual executives and directors can also be exposed to personal suits for breach of the fiduciary duty and duty of care by which they are bound.
Thus, for example, during 2015, US retail giant Target was required to pay an aggregate $250 million to settle a suit filed against it by a credit card company after Target's computers were breached and the details of 70 million credit card numbers were leaked, compelling the credit card company to issue millions of new cards.
Following the affair, Target CEO Gregg Steinhafel resigned and the Target board of directors also came under significant pressure. A proxy firm, Institutional Shareholder Services, recommended that investors oust several board members, saying that the board had failed to protect the company from the previous year's data breach. According to estimates, the aforementioned sum that Target paid could be just the start, with damage to sales, legal costs and the cost of improving the data security system likely to amount to billions of dollars.
Yahoo! and Target are part of a growing club of companies that have suffered severe data breaches followed by a wave of class action suits against them and against their executives and directors. A similar case happened to movie giant Sony, which faced allegations and claims by its employees and was investigated over claims of gender discrimination (following an email hack and an article by actress Jennifer Lawrence complaining that she was paid less than her male co-stars in the movie American Hustle). The embarrassing leak of information, including her private and damaging emails, resulted in the resignation of Sony co-chairperson Amy Pascal.
Israeli companies too, and in particular those traded on overseas stock exchanges, might find themselves facing these lawsuits, and much faster than they think. But despite Israel's status as a global leader in the cybersecurity sector, awareness among directors of the legal implications of a cyber breach lags way behind.
To be honest, many Israeli corporations leave the responsibility for coping with cyberattacks in the hands of their technology and data security managers without comprehending that a cyberattack, like any other crisis, requires comprehensive preparedness by the company, including its management. This preparedness needs to take into account that there is a reasonable likelihood that attackers will penetrate the company's computer systems and that the direct and indirect damages will be huge, while keeping in mind the local Israeli and foreign regulation to which the corporation is subject.
If that were not enough, domestic legislation in the overall field of cybersecurity is outdated and does not meet the needs stemming from technological developments. This legislation includes the Computers Law, which sets criminal sanctions for those who disrupt computer operations, and the Privacy Protection Law, which was last updated 11 years ago and sets out, among other things, the duties of database owners.
On the other hand, banks and financial institutions in Israel are subject to the latest instructions of the Supervisor of Banks and the Capital Market department. The legal threat has been sharpened by new regulations, and regulation is continually expanding. So, for example, the US Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets security rules for keeping Electronic Protected Health Information. Consequently, Israeli companies operating in the US that may be defined as "covered entities" under HIPAA may be exposed to investigations and proceedings there.
In addition, companies collecting credit data and companies providing financial services are also subject to cyber regulations that commit them, among other things, to prepare cyber response plans.
Alongside technological and corporate readiness, past events teach us that it is also important to be prepared in terms of insurance. In many instances, cyber insurance can assist companies in reducing their exposure to direct and indirect damage. Important coverage that exists in a cyber policy is services to manage the event: the Incident Response Team (ICT), in other words a swift response by professional experts to gather evidence, conduct technological assessments, locate the penetration and correct it.