Who’s Responsible? The Uncertainty of Business Liability when a Cyber Attack Strikes
First published in The Profit. Written by Leah McHardy and Tayla Westman
As technology continues to dominate everyday activity, the risk of cyber-attacks occurring also increases. Businesses, irrespective of their size, are becoming more vulnerable to the menace of cyber-attacks. Ransomware, malware, and broad sweeping data breaches are only a handful of the growing categories of cyber-attacks prevalent in today’s market.
As the threat rises, questions of business liability arising from an attack on client data remain unanswered. However, the responsibility to protect client data falls on the business itself. But how can that be? Do we not consider the business itself to be the victim of the unlawful act of an internet stranger? Unfortunately, this may not be the case, and businesses can be left exposed to the possibility of being held liable in law.
The vigorous pace at which cyber-attacks have matured means that the law of business liability in this area remains unclear. How might New Zealand businesses be held liable in law when a cyber-attack strikes?
The cyber-attack on the Waikato District Health Board (DHB) in May of this year provides some insight. The malware attack on the DHB’s IT system saw the publishing of confidential patient information on the dark web, including bank details and passports. Privacy Commissioner John Edwards explained that the DHB may be at risk of claims against it if patients could establish harm resulting from the breach.
In his statement, Edwards confirmed that the responsibility of mitigating the harm of cyber-attacks on patient information fell on the DHB, explaining that an onus fell on the DHB to secure the data and communicate the privacy breach with the victims of the attack. In labelling the patients of this attack as “victims”, Edwards highlighted the seriousness of cyber security breaches.
The liability alluded to by the Privacy Commissioner is that of negligence. Businesses owe a duty of care to their clients that their information will be securely held, and liability can arise when clients become the victims of cybersecurity breaches.
For businesses, preparation is everything. To ensure you are protected from the possibility of breaching your duty of care owed to your clients, preventative action needs to be taken to mitigate business liability. One option available to businesses is inserting effective exclusionary clauses in your terms of trade. An exclusionary clause operates to protect businesses by excluding liability in the instance of a situation ordinarily considered a breach, and the clause should afford the business some protection against claims of liability in the event of a cyber-attack.
What constitutes a valid exclusionary clause is governed by the Contract and Commercial Law Act 2017, the Credit Contracts and Consumer Finance Act 2003 and the discretion of Judges in court proceedings. For businesses that have already entered contracts with clients, exclusionary clauses may still be incorporated; however, an incorporated exclusionary clause must comply with the rules prescribed in law. It is therefore critical that businesses seek expert legal advice when drafting exclusionary clauses.
The rapid expansion of technology has brought many positive impacts on businesses with it. However, as cyber-attacks continue to increase in our developing technological environments, business data becomes increasingly susceptible to exploitation. Now is the time to take preventative action and protect businesses from the uncertain liability that may attach to the offending of another.