The strategic framework maps well to New Zealand, to what other cybersecurity specialists are doing, and to what senior managers and boards are or should be doing.
It is good stuff too to help get the attention of CEOs, boards and lawyers: although they know cybersecurity is an issue, they don’t necessarily have all the tools and detail on these increasingly bet-the-bank issues, as we outline here.
The report, Cyber security law and practice, was produced by the GC100, the association for GCs of the UK’s largest 100 companies.
Much of the legal exposure is reduced or eliminated if best practice procedures are used to reduce or eliminate cybersecurity risk.
It tracks the legal risks – we outline some of these below – and lists recommendations for a framework for handling the issues, including:
Read more: The untrammelled rise of the cyber security professional
• Understand the legal framework, which is made up of multiple aspects, both domestically and internationally;
• Apply best practice cyber security standards;
• Build a “defensive shield” against regulatory action and litigation:
Read more: Does your Board paper have a section on cyber risk?
That “defensive shield” is at the heart of the framework and can integrate well with what other experts are doing. The report notes:
“Organisations that track regulatory guidance, regulatory enforcement actions and court cases relevant to cyber security will be able to use their knowledge to construct a strong “defensive shield” against regulatory investigations and litigation arising from security breaches.”
Much of the legal exposure is reduced or eliminated if best practice procedures are used to reduce or eliminate cybersecurity risk. For example, the law of negligence and under the Privacy Act generally does not require more than best practice: 100 per cent protection is not expected (and can’t be achieved anyway of course). As with good IT practice, the level of protection will closely relate to the sensitivity of the information (John’s online pizza order is not particularly sensitive: his chlamydia history is).
There are multiple ways in which organisations can be exposed and that can be domestically and internationally.
Read more: NZ and NY Police target technologies of interest
Exposure can arise under the Privacy Act, and this is increasingly a big area, illustrated by the Privacy Commissioner’s recent decision to name and shame wayward companies rather than hold back as the Commissioner has in the past.
The law of negligence and duties as to confidential information can raise issues as can the law as to IP. Something particular to watch for is getting contractual buy in to cyber security obligations from suppliers and also watching out for downstream contracts which may extend cybersecurity duties to a 100 per cent requirement to ensure no breach.
All these need tomesh with IT, communications and governance strategies.
In the end, it is that defensive shield concept of keeping on top of the issues that is key, having established the approach initially. The report provides a framework to achieve this.
Read more: Inside the modern battleground
Michael Wigley is the Principal of Wigley + Company, a law firm specialising in ICT. He can be reached at michael.wigley@wigleylaw.com.
Send news tips and comments to divina_paredes@idg.co.nz
Read more: The top cyber risks for NZ in an interconnected world
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter:@cio_nz
Sign up for CIO newsletters for regular updates on CIO news, views and events.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.