Poland: Cyberattacks – who bears the liability?


Further cyberattacks on major Polish companies have been reported recently; targets include Plus Bank and LOT Polish Airlines. The criminal liability for such attacks is obvious, and it is hoped that the law enforcement authorities will bring those responsible to justice. It is estimated that the growing losses due to cybersecurity incidents in Poland alone are worth billions of euros per year. So it is becoming increasingly important to understand who is responsible for assuring cybersecurity, and what liability you are exposed to if you fail to comply with your cybersecurity obligations.

A wide range of regulations

Although Polish law does not expressly refer to cybersecurity, a number of regulations already apply in this regard. These include: the Personal Data Protection Act, Act on Crisis Management, Telecommunications Act, Corporate Criminal Liability Act, and of course the Criminal Code. Guidelines can also be found in such documents as the Cyberspace Protection Policy of the Republic of Poland, Cybersecurity Doctrine of the Republic of Poland, Polish National Security Strategy, and the draft “Cybersecurity Directive”. However, the most practical are Recommendation D and Recommendation M of the Polish Financial Supervisory Commission.

Liability for cybersecurity assurance

Cyberattacks, like the one which hit Plus Bank, immediately raise questions of who is liable for ensuring cybersecurity, and what type of liability we are dealing with.

When it comes to civil liability, an organisation in which cybersecurity negligence has appeared might be held liable based on contract or on general or unfair competition tort (as negligence will be presumed). Due to employment law constraints and for practical reasons, civil liability will not be passed on to the individuals responsible. However, administrative sanctions, such as fines, may be imposed, especially on individuals in executive roles. In each case, those supposedly responsible for cybersecurity may be exposed to criminal liability. Most of us do not realise that we may be accused of committing an intentional crime even if we do not really intend to cooperate with hackers. If you are responsible for cybersecurity, security of information, IT, data protection compliance or generally compliance, you had better not delude yourself that criminal law will not come into play.

Liability for lack of appropriate response

When you are under a cyberattack, there is no time for procurement procedures or negotiating prices. You need to defend and respond to the situation promptly. Giving up on computer forensics is unforgivable. For example, one Polish financial institution focused on negotiating commercial terms with cybersecurity and computer forensics providers for several months, instead of taking immediate defensive measures. In this case, there may even be grounds for criminal charges against those responsible for setting such priorities.

Liability of the system owner

There are several issues worth considering in relation to the alleged attack on the IT systems at LOT Polish Airlines. LOT has said that they have security measures comparable to those of other airlines. The key question is whether the cybersecurity standards commonly used by the airline industry are really adequate for today's cybersecurity challenges. This also raises the question of who is liable for ensuring IT security: the system provider, or the organisation in which the systems operate and which controls the network. This might be a complex issue. However, ensuring cybersecurity is the duty of the organisation controlling a particular network and the systems in that network, as this organisation controls access barriers and means of authentication.

Real losses from virtual attacks

A comprehensive approach to cybersecurity would consist of at least a dozen actions, structures and procedures. According to scientific studies sponsored by McAfee, losses to the global economy related to breaches of cybersecurity range between approx. USD 400 and 600 billion (similar data presented by PwC: USD 500 billion), with losses related to personal data breaches estimated at approx. USD 150 billion. As for Poland, according to Symantec, 15 people became victims of cyberattacks every minute in 2011, and losses related to cybersecurity breaches amounted to PLN 13 billion.

Cloud computing – a solution to liability?

Paradoxically, cloud computing may provide a solution to cybersecurity risks and liability for cybersecurity assurance. Professional cloud computing services rely on infrastructure ensuring the highest level of security and business continuity. Cybersecurity budgets of cloud providers often exceed the total IT budgets of their clients many times over. Therefore, delegating cybersecurity assurance to professional cloud providers may be a way to outsource liability for this area.

Liability for cybersecurity assurance was the subject of Maciej Gawroński's presentation at the CyberGov conference organised by the Polish Ministry of Administration and Digitization, held on 18 June 2015. We will further present our cybersecurity expertise both in publications and at future events. The Bird & Bird Warsaw office's first seminar dedicated to liability for cybersecurity takes place on 14 July 2015.