Should individual and corporate liability be invoked in cybersecurity issues?
25 September 2019
In cases of data theft or leaks, liability – as applied to individual employees, directors or the company itself – is increasingly being presented as a regulatory tool. So will the war against poor digital hygiene soon be waged with mandatory sanctions?
Does the name “Equifax” ring any bells? In September 2017, this US credit-reporting company disclosed that a hack had exposed the personal data of 143 million Americans (a figure it later revised upwards), and the company was accused of serious failures in meeting its cybersecurity obligations. Nor was this negligence a first: according to the reports at the time, the company had already been warned in 2016 that its safeguards against cyber risks were insufficient.
The risks of poor digital hygiene
It cannot be stated often enough: threat levels have never been so high, and the need to instil a genuine cybersecurity culture at corporate level has never been so critical. The rating agency Moody’s, whose assessments weigh heavily on how the markets value a company, has chosen to incorporate a cyber risk component into its credit-rating criteria. In other words, companies without sufficient protection against this threat may see their ratings lowered, or could even be held liable for their failings, as happened with Equifax.
At the same time, France’s Cour de cassation, the country’s highest court, had already ruled in March 2018 on the liability of a bank customer who had responded to a phishing email. Citing “the customer’s serious negligence in keeping and safeguarding their data”, the court held the individual liable and rejected their claim against the bank.
Although these two cases, one holding a company liable and the other finding against an individual, are still fairly isolated, they can nonetheless be read as a weak signal. Are we heading towards a world in which poor “digital hygiene” results in mandatory sanctions?
Sanctions provided for under the GDPR
Since May 2018, the General Data Protection Regulation (GDPR) has provided the framework for an arsenal of sanctions that can be applied to companies and public bodies that fail to comply. Article 58 of the Regulation gives supervisory authorities such as France’s CNIL the power to impose such deterrents, and Article 83 sets out the conditions under which they may levy an administrative fine of up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher.
And some companies are already paying the (high) price. In France, the CNIL imposed an administrative fine of 50 million euros on Google in January 2019, while in the United Kingdom, the Information Commissioner’s Office (ICO) announced its intention to fine the airline British Airways more than 200 million euros. Others will no doubt follow.
The less well-known Article 84 of the GDPR also leaves it to Member States to lay down other penalties, which may include criminal sanctions under national law. To date, however, this remains largely theoretical.
Prevention mechanisms still weak
To avoid such scenarios, companies already have access to a variety of tools. “Systems are already being put in place to protect access to networks, messaging services, web browsing, workstations and mobile devices,” emphasises Matthieu Bonenfant, Stormshield’s Marketing Director. But this is not enough. “More than ever, with new, disruptive changes such as the increase in teleworking and mobility, the weak link is now the employee, especially where employees are using business devices outside the company’s scrutiny, whether or not they believe they are harming the company.”
In addition to purely technical solutions, another critically important factor is educating staff and raising their awareness. This involves legal tools of real weight, such as electronic charters, which are intended to provide a framework for best practice and identify “the fundamental rules of appropriate behaviour to be adopted by all users when using computing and electronic communication resources and, therefore, their own rights”, says Sylvie Blondel, HR Director at Stormshield. But all too often, such charters, rules of conduct and digital hygiene guides no longer seem to suffice. If you want proof, consider that ransomware is doing a roaring trade, that phishing attempts are paying off handsomely, and that cybercrime is becoming more and more costly for organisations and their leaders. So what if, along with stepping up our awareness campaigns, we also decided to crack down harder with potential sanctions?
More frequent use of individual sanctions?
In 2014, having been held responsible for the massive data breach that hit his company, the chief executive of the US retailer Target stepped down. More recently, the chief executive of Equifax also left the company in the wake of its breach. And the reason for this punitive action? The scale of the damage inflicted and the impact on the brand were used to justify holding the executive personally accountable for the company he ran.
The use of such sanctions for negligence, irresponsible actions or poor digital hygiene could increase in the years to come, and they could be aimed at any employee, regardless of status in the company. In March 2018, the financial director of the Netherlands subsidiary of the Pathé Group was dismissed after falling victim to a high-level scam in which fraudsters impersonated senior management. “Depending on the case, penalties could range from suspension or termination of employment through to criminal proceedings,” points out Matthieu Bonenfant. “But it would be the employer’s responsibility to assess the wrongdoing and its severity in respect of its own business activity and the employee’s level of responsibility, experience and any other prior incidents,” says Sylvie Blondel. “And in the event of any criminal action, the employer could join the proceedings as a private party, attempt to prove the harm suffered and assert its rights.”
Framework, case law and regulation
As we have seen, a company can be held liable for offences committed on its behalf, and it can in turn seek to hold its own employees or directors liable. But a number of unknowns remain: what about the liability of subcontractors in the event of negligence or fault? Or the liability of suppliers?
Today, there is still too little case law to settle such questions. But it is safe to assume that regulatory frameworks, legal theory and the law itself will see major changes in the coming years. Do desperate times call for desperate measures?