Publication date: 19 October 2017
We are frequently startled by international cyberattacks. Hackers steal confidential information and ransomware shuts down companies, hospitals and governments. What concrete preventive legal measures can you, as a director or supervisor, take to guarantee the safety of the company to the greatest extent possible, and thereby comply with your duty of care? Reinier W.L. Russell, Esq., managing partner at Russell Advocaten, explains in his contribution to the Fall Issue of Paradigm, the Primerus magazine. This article is a follow-up to our previous publications on legal risk management and management of digital risks for companies.
We are frequently startled by international cyberattacks. Hackers steal confidential information and ransomware shuts down companies, hospitals and governments. Since company computer systems are increasingly connected to the Internet (online stores) and also rely on Information Communication Technology (ICT) for internal processes, they are not just more vulnerable to attacks, but the impact of such attacks is higher. Orders cannot be processed, documents cannot be accessed, (manufacturing) processes are interrupted, and client data are made public with the risk of high regulatory fines. Obviously, you can prevent that by taking IT measures. Less obvious, but still as important, is that you can take preventive legal measures to reduce the risk of an attack, limit the potential consequences of a hack and invest in your cybersecurity.
This article deals with concrete preventive legal measures you, as a director or supervisor, can take to guarantee the safety of the company to the greatest extent possible, and thereby comply with your duty of care. A breach of the duty of care may lead to directors’ liability.
Cybersecurity must be dealt with at the highest level. In addition, there has to be the required expertise. It has to be discussed at management level what kind of systems will be used and what the risks involved in using them are. This has consequences for the structure of the organization, the management and the company:
Chief information officer
Appointing a chief information officer (CIO) is a good way to acquire digital knowledge, centralize it and use it effectively. Many large and medium-sized companies have CIOs, as ICT no longer has only a supporting role but drives all company processes. The CIO is a member of the management and bears ultimate responsibility for the ICT policy of the entire organization. This is necessary for the company and reduces the risk that the company and its directors are held liable in the event of infringements relating to cybersecurity.
Maybe your company is too small to employ a CIO. This does not change anything regarding the distribution of responsibility. The management or board of directors will be ultimately responsible for cybersecurity and the application of privacy regulations and will therefore have to make sure to possess the competence required in this field.
In appointing supervisors and non-executive directors, make sure to consider people who are familiar with digital risks so that they will be able to exercise their supervisory and advisory role sufficiently. After all, it is their task to advise the management board on digital security and to control the processes within the company in this respect too. In addition, the supervisors can benefit from this knowledge as they could be liable in case of insufficient supervision.
Risks can be reduced by placing the development of a new product or service, such as a new app, in a separate legal entity, with or without a separate ICT network. If the new product or service is compromised or fails, the consequences for the rest of the company will be limited.
Most problems in the area of ICT arise accidentally, through human error. All people involved in the company, employees but also contractors and agency workers, therefore have to be aware of the importance of cybersecurity. This is called security awareness. Security awareness goes beyond merely reacting to incidents: it has to be guaranteed through a continuous process by which the organization reduces risks to an acceptable level. One way to do this is to draft a personnel handbook including guidelines on internet usage, emails and passwords. Further, it should be clearly defined that employees have to report abuses, how they have to be reported and what the time limit is. Otherwise, companies would have to depend on the reasonable conduct of their employees instead of being able to require such conduct.
When concluding all contracts, not just ICT contracts, it is important to distribute responsibility and limit liability. After all, your company is responsible for the ICT you use. This does not change if your ICT only has a supporting function or if you have not developed the ICT yourself.
Check, for instance, your General Terms and Conditions, in which liability can be excluded, limited or transferred to a third party, but also concrete arrangements such as Service Level Agreements (SLAs). The scope for such agreements is more limited if the counterparty is a “consumer”. A provision in the General Terms and Conditions of an agreement has no legal consequences (it is “voidable”) if it is extremely disadvantageous (“unreasonably onerous”) for the consumer. A provision stipulating that your company has no or limited obligations in the area of cybersecurity will probably be unreasonably onerous. Besides, the arrangements agreed upon only apply with regard to the party you concluded the agreement with.
It is crucial to phrase agreements clearly. Vague agreements carry the genuine risk that a court will interpret provisions, at least in the event of a conflict, to the detriment of the company. Suppose that your company stipulates in an agreement that it shall not be liable if a cyberattack causes it to be late in fulfilling its obligations. Without a more detailed description of this term, a conflict could arise over whether a certain kind of malware constitutes a cyberattack.
Lastly, your company cannot exclude all liability. Obviously, hardware and software, apps and web-based tools must comply with the latest security requirements. Therefore, despite exoneration clauses, the company remains liable if, for instance, it uses, with the knowledge of the management, ICT whose cybersecurity falls short. A company using obsolete software to save costs and not taking measures to protect its computers and networks will probably not be able to invoke a stipulation excluding liability if a lack of security causes damage.
If legal means are not sufficient to limit the liability of a company and directors, the financial consequences can be limited by cyber insurance and directors’ liability insurance.
The importance of cybersecurity is underlined by the privacy laws and high penalties for infringement on privacy.
Personal data is usually processed by means of ICT. In Europe, strict rules apply to this that can affect companies worldwide. The basic principle of the regulations is that they apply to the processing of personal data from Europeans even if the processing takes place outside Europe.
A breach of the security obligations has severe financial consequences. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens; AP) can currently impose a maximum fine of EUR 820,000 per breach or 10 percent of the annual turnover.
As of May 25, 2018, the AP can impose a maximum fine of 20 million euros or a fine of 4 percent of the worldwide annual turnover should this amount be higher.
The board of a company has the ultimate responsibility for cyber security and can be held personally liable in the event of breaches. The board has to examine the organization and (ICT) company processes for compatibility with the existing regulations. In addition, the board has to make sure that both managers and supervisors have expertise in this area, for instance by appointing a chief information officer to the board. Employees must be familiar with the cybersecurity policy, for instance via the staff handbook or internal training. In contracts, liability for cybersecurity problems can be limited to the greatest extent possible. Should this not be enough, insurance can also be a solution.