Hamburger Evron & Co.

  • 14.09.2014 Directors' Liability In The Cyber Age, Haaretz
     

Directors’ exposure to legal liability in the cyber age is not limited to the direct consequences of cyber security breaches; it also extends to the manner in which the company responds to them. These are our recommendations.


Adv. Yaron Sobol & Adv. Shany Winder

Cyber security risks top the list of global threats. Corporations and other market participants are frequently the target of complex and sophisticated attacks that cause immense damage. Cyber security threats come from many kinds of potential “players”: employees with access to an organization’s sensitive information, hackers, social activists, criminal elements, terrorist organizations, corporations, and even states. Cyber attacks are carried out for political and protest reasons, to obtain strategic commercial information, to steal intellectual property and trade secrets, for espionage, or for terrorist activity.

In recent years, states have become increasingly aware of and involved in cyber security, and have acknowledged that cyber attacks pose a principal threat to national security, to national economies and to critical national infrastructure.

On the international level, the Budapest Convention on Cybercrime came into force in 2004. The Convention requires states parties to update and harmonize their criminal legislation against cyber crime.

DEVELOPMENTS AND UPDATES IN ISRAEL

Although the State of Israel acknowledges the national importance of cyber security, it still lacks specific and up-to-date legislation regulating this area. The relevant laws are the Protection of Privacy Law, the Computers Law and the Regulation of Security in Public Bodies Law.

In 2011 the Israeli Government resolved to “promote national capabilities in cyberspace”, which was the basis for establishing the National Cyber Bureau. Additional authorities operating in this area are the Israeli Law, Information and Technology Authority (ILITA) at the Ministry of Justice and the Government Information Security Authority. Nevertheless, existing regulation of cyber security remains limited.

With respect to dealers and brokers, the Israel Securities Authority has issued a directive to licensed corporations (corporations holding a license under the Portfolio Management Law) on their obligation to adopt procedures governing their operation and management; under that directive, licensed corporations must adopt procedures on information security. Similarly, the Bank of Israel plans to increase the involvement of banks’ boards of directors and management in such matters, including outlining strategy, supervising implementation and receiving periodic reports.

DEVELOPMENTS AND UPDATES IN US LAW

Despite attempts by legislators in recent years to enact specific cyber security legislation, US law on cyber security is also outdated. Most US states have laws requiring notification of breaches of private information, i.e. unauthorized access to protected information. Under such laws, many individuals have received notice that their private information was breached.

In the absence of coherent and comprehensive legislation, US regulators have in recent years begun to act vigorously and aggressively in the area of cyber security. For example, the US Securities and Exchange Commission (SEC), the regulator of publicly traded companies, published guidance in 2011 on the disclosure of cyber intrusion risks and incidents. The guidance is not mandatory, yet many companies have adjusted their disclosures to comply with it. In addition, in February 2013 US President Barack Obama issued an executive order on “improving critical infrastructure cyber security”, addressing two principal issues.

First, information sharing between the government and the private sector. Second, protection of privately held critical infrastructure. The executive order promotes voluntary cooperation between federal authorities and the owners and operators of critical infrastructure, such as the chemical, electricity and finance industries, water supply and transportation.

CORPORATE AND DIRECTORS LIABILITY

Even in the absence of specific legislation or regulation on cyber security, failing to take measures to prevent cyber attacks may give rise to liability for breach of the duty of care owed to injured parties. Possible grounds for tort claims against a company include negligence, where it is proven that the company breached its duty of care by failing to protect its Information and Communications Technology (ICT) systems against foreseeable risks. Claims may also be brought against a company on contractual grounds, where breach of contract can be argued under agreements between the company and its clients, unless such situations are excluded by the terms of those agreements.

Directors’ liability for cyber security intrusions is a new and rapidly developing area of law. Recently, derivative actions have even been filed against directors on the grounds of breach of fiduciary duty.

As part of their duty of supervision, directors must take reasonable measures to protect the private and financial information of the company’s clients. Directors’ exposure to legal liability includes not only risks related to the cyber intrusion itself, but also potential exposure based on the manner in which the company reacted to the intrusion and handled the affair “after the fact”. The problem is that cyber issues are new to most directors, and most lack the experience and knowledge required to discharge their duties adequately and protect the company’s digital assets. Nevertheless, the board of directors is required to put difficult and complex questions to senior management and ICT personnel and to consult advisors and experts. These are active duties, as opposed to a passive policy of restraint. The importance of planning in advance of a cyber intrusion cannot be overstated, as opposed to futile attempts to manage a crisis after the fact.


RECOMMENDATIONS FOR BOARDS

The following is a non-exhaustive list of corporate cyber governance issues that directors may consider when examining company policy on cyber security:

  • Determining who within the board is responsible for examining cyber risks.

  • Identifying risks, estimating costs and response times.

  • Preparing a cyber intrusion response plan and a cyber disaster recovery plan, as well as plans for handling clients, regulators, shareholders and the media in the event a cyber risk materializes.

  • Regularly updating the board and senior management on cyber risks and on cyber security policy and procedures.

  • Reviewing the company’s reports and disclosures under existing and anticipated regulation and legislation.

  • Cyber security training for employees, and classifying information and restricting internal access accordingly.

  • Inquiring whether the company conducts cyber security reviews of its third party service providers.

  • Inquiring whether, and to what extent, the company requires “full disclosure” on cyber security matters when planning mergers and acquisitions.

  • Examining the security level of the products and services the company provides: are there security gaps, and is the company choosing its technologies appropriately.

  • Top-down commitment to cyber security, including an organizational structure that allows security issues to be reported to an independent and objective function within the company.

  • Employing a qualified ICT team and independent external expert advisers.

  • Updating procedures, evaluating their effectiveness and the company’s ability to implement the plans, and maintaining sufficient documentation.

  • Receiving legal advice from a law firm specializing in the field of cyber security.

  • Purchasing cyber liability insurance to minimize losses from cyber security events. Such events may cause lost sales, damage to goodwill, litigation expenses and settlement costs, regulatory fines, the cost of providing notice to affected parties and of defending against inquiries by state authorities, the cost of repairing damaged systems, and liability to compensate for damages.


REQUIRE REPORTING DUTIES

Another recommendation concerns the regulation of public companies. It is time for the Israel Securities Authority to establish reporting obligations, to be included in supervised entities’ periodic reports, on the cyber risks facing the company and on the company’s relevant policy. Such transparency would enable the public to correctly assess the risks of investing in a company’s shares. Regulation 10 of the Securities Regulations (Periodic and Immediate Reports) lists the matters to be addressed in the board of directors’ report. That regulation does not address cyber security, and we propose adding it explicitly.

In conclusion, an unprecedented wave of cyber security regulation has hit the US. Despite the political and legal difficulties hindering coherent and comprehensive cyber security legislation, the US administrative authorities have not refrained from acting, and are taking a range of measures to secure cyberspace at the state and civil-business levels. Even if US regulation does not apply directly to Israeli companies, in a world of robust global and international ties, companies wishing to remain relevant or to maintain business ties with US companies must adjust to the new and evolving rules.

Israel too is witnessing material changes to existing regulation, which is expected to develop and grow. US regulation is expected to continue influencing the conduct of Israeli companies in cyberspace, both as an indicator and catalyst for the Israeli legislator and regulator, and directly for companies with international business ties, companies owning and operating branches in the US, and companies serving as suppliers or subcontractors of the US Department of Defense. Thought and strategic planning should therefore be devoted to the risk management and conduct of the company and its board, with close counsel.


-------------------------------------------------------------------------

Adv. Yaron Sobol is a partner in Hamburger Evron & Co. and chairs the firm’s technology and cyber practice; Adv. Shany Winder is an associate in the technology and cyber practice of Hamburger Evron & Co.

--------------------------------------------------------------------------

This article does not constitute legal advice of any kind and is solely an expression of the authors’ opinion. Seeking suitable and specific legal advice per the case at hand is recommended.