Strong corporate governance is needed to ensure that businesses mitigate the risk of a cyber security attack as much as possible, as well as to ensure that, in the event of a cyber security attack, businesses have procedures in place to allow them to deal with any attacks as quickly and effectively as possible.
Cyber security attacks often make the news, and thus the reputational damage to any company that suffers a cyber security attack will often be the most immediate concern. However, litigation risk also goes hand-in-hand with these attacks. The introduction of legislation, such as the General Data Protection Regulation (GDPR) in the EU and the Data Protection Act 2018 (DPA) in the UK, means that the liability of any company which has suffered a cyber attack is potentially very significant.
Recent case law in this area has also reflected the courts' willingness to impose liability on companies in relation to misuse of private information and breach of the GDPR and the DPA. The 2015 Google Court of Appeal judgment recognised misuse of private information as a tort distinct from breach of confidence, and also found that damages could be awarded in respect of distress alone. The 2017 WM Morrisons case represented the first group litigation case relating to a data breach to come before the courts. Although ultimately the Supreme Court found that Morrisons was not vicariously liable for the actions of its employee, the case provided a roadmap for future group litigation to be brought in respect of data breaches. More recently, we have seen legal action launched on behalf of around 10,000 EasyJet customers, after hackers stole the personal information of nine million customers between October 2019 and March 2020. The scale of this litigation further signals the escalating litigation risk faced by companies in this space.
This is an issue that prudent businesses should be taking particularly seriously in light of the COVID-19 pandemic. A recent advisory jointly issued by the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) drew attention to the existence of malicious cyber actors who exploited the COVID-19 pandemic for their own objectives. This is reflected in the fact that the NCSC has detected more UK Government branded scams relating to COVID-19 than any other subject, although the NCSC also indicates that it has not yet seen overall levels of cyber crime increase. This is clearly a risk that businesses should take very seriously, in particular given the increase in employees working from home, which poses additional challenges to a business's IT structures.