In this blog, we consider the legal implications for businesses suffering a cyber attack following the recent reports that Tesco customers had their accounts hacked. It has been reported that money was taken from over 20,000 Tesco customer accounts. Tesco Bank's chief executive stated that "a systematic, sophisticated attack" had taken place. After the attack, Tesco bank put in temporary measures to stop current account customers from making online payments using their debit card because of the criminal activity that had taken place. Early this year, prior to the Tesco cyber attack, the Government released the results of a survey on cyber attacks. The Department for Culture, Media & Sport and Ed Vaizey MP. The report highlighted that:
- Two-thirds of large businesses experienced a cyber breach or attack in the past year
- Nearly seven out of ten attacks on all firms involved viruses, spyware or malware.
- In some cases the cost of cyber breaches and attacks to business reached millions, but the most common attacks detected involved viruses, spyware or malware that could have been prevented using the Government’s Cyber Essentials scheme.
- Only about a third of all firms, had formal written cyber security policies and only 10% had an incident management plan in place.
If your business that suffers a cyber attack, your business could be exposed to claims from customers who suffer losses as a result of a cyber-attack taking place. Even a basic virus could result in loss of profits to a company, loss of client data, disrupt online sales and take up valuable staff time. A cyber attack can damage a business’s reputation by being reported in the press and can result in fines or prosecution. Businesses need to comply with the UK cyber security laws. These laws include:
- Communications Act 2003
- Privacy and Electronic Communications (EC Directive) Regulations 2003
- Data Protection Act 1998
- Computer Misuse Act 1990
- Official Secrets Act 1989
If your business suffers a data security breach it could lead to claims being made by customers where their personal data or confidential information has been released. This could be a claim for breach of contract for example where a business’s privacy policy has not been complied with or a claim for negligence because the business failed to put in place adequate measures to protect customer data. In addition, many commercial contracts include provisions that impose obligations on companies to comply with data protection legislation. If these clauses are breached the company could face claims for breach of contract. This could result in a claim for damages being brought and in some cases the contracts being terminated. Next steps:
- Businesses should know steps to review their cybersecurity plans. If a business does not have a cybersecurity plan, then it needs to put on in place. Many businesses are failing to protect themselves from the potential costs associated with a cyber attack and are not complying with their legal obligations under data protection and cyber security laws.
- Get a cyber essentials certificate. Cyber Essentials is a Government scheme which is said to help prevent the vast majority of cyber attacks.
Having a Cyber Essentials badge will:
- Protect your organisation against common cyber threats
- Show your customers you take this issue seriously
- Enable you to bid for Government contracts.
For more information go to: https://www.cyberaware.gov.uk/cyberessentials/
- The Government has created a new National Cyber Security Centre (NCSC) offering industry a ‘one-stop-shop’ for cyber security support. Go to the NCSC website and review the guidance sheets and technical advice sheets available. The National Cyber Security Centre (NCSC) is the UK’s authority on cyber security. NCSC is part of GCHQ. For more information see: https://www.ncsc.gov.uk/guidance/10-steps-cyber-security
If you want to speak to any of our expert lawyers about cyber protection, get in touch with us via the business legal advice portal.
