Australian Cyber Security Magazine, ISSUE 9, 2019


8. collaboration with experts with appropriate skills and expertise. When there is a security incident, involve lawyers early on and include them in communications. By adding legal stakeholders, you establish legal professional privilege and protect relevant communication from disclosure in court.

Internal Security Staff

You do your job well, think outside the box, and you’re possibly encouraged to think like a hacker in uncovering potential security exposures, before coming up with innovative solutions. You’re an employee, so you consider your company liable for everything that you do. Yet, as an employee, you are still exposed to personal liability in certain situations (although this is rare). This could be liability to your company, for example, by accessing, copying, using or disclosing information without the company’s consent, as this could lead to you breaching your duty of confidentiality under your employment contract, infringing intellectual property rights, or misusing your position or information obtained by reason of holding your position. You may also be liable to third parties if lines are blurred and you end up going beyond the scope of your instructions, are negligent and that negligence is the result of severe or wilful misconduct which causes damage, or if your actions did not occur in the course of your employment. Your best course of action is to understand your employment contract and obligations, and also to record and follow your instructions carefully (particularly in situations where you are asked to find your company’s security exposures).

External Security Product and Service Providers

We are all working on a customer’s cybersecurity to protect them from threats. However, when customers suffer security incidents, they will not just look internally at their staff, but will also look at external providers to share in their liability. We know that customers look to us for our expertise and products, but did you know that this is part of their risk allocation strategy to spread the risk and liability to their external providers? It is common for potential liabilities in service agreements to be tens of millions of dollars. Having reviewed numerous external security providers’ terms and conditions (including those in Defence), it is alarming how exposed providers are from a risk and liability perspective. If you are a service provider who also undertakes red teaming and penetration testing, then you should be aware that you need unambiguous and express consent, authorisation and approval for you to undertake such activity; otherwise your actions are likely to be illegal and could expose you to a range of criminal charges and penalties. You need to review your T&Cs and see whether they deal with these problematic areas, which can lead to significant liability:


1. The parameters around the information and access granted to you;
2. How the information that a customer provides to you can alter the service/advice you give;
3. The extent of the customer’s reliance on your services, products and deliverables;
4. What representations and warranties you are required to provide;
5. Whether you have restricted the use of your deliverables and the reliance by third parties;
6. Whether you have been given express consent, authorisation and approval for the activities you undertake;
7. What your obligations are with accessing confidential information and what are the limitations on disclosure;
8. How you have limited or restricted the use of any of your intellectual property rights in the services, products and deliverables you provide;
9. The consequences of any variations to your engagement or scope of services;
10. The extent of any limitations and exclusion of your liability;
11. The extent of any indemnities that you are required to provide to cover your customers’ liabilities (which can be significant).

You’re busy growing your business and managing your customers’ cybersecurity risks and liabilities, and that’s great. But it would help if you focused on your liability. You do so by having comprehensive and detailed T&Cs that have been properly drafted and reviewed, and by having specific instructions and scope of work which is appropriately updated to accommodate variations. You also need to ensure that your business insurance policies adequately cover you for all of the work that you undertake, and the potential liabilities that you can incur.

About the Author

Jen is a recognised senior cyber security lawyer who has spoken on numerous panels and presented on key legal issues in cyber security around Australia.
She assists security providers with their legal needs at every stage of their business (from capital raising, structuring, contracts, to risk management and insurance policy review), and also collaborates with them in providing a comprehensive service to customers by combining the technical and legal aspects of cyber security (such as in incident response management plans). She also acts for senior executives in managing their personal liability, and regularly advises ASX listed public and private companies with their legal obligations under the Privacy Act, the GDPR and on their contractual cyber risks and liabilities.

