This guest post is by Dr Karsten Krupna at Esche Schümann Commichau, part of the LAW international network.

Cyber-security is high on the agenda for businesses, particularly in the wake of high-profile data breaches such as that suffered by TalkTalk (recently fined £400,000 for loss of customer data). We look at what businesses can do to protect themselves against cyber-attacks.

IT security measures

IT security measures are a key factor in protecting against cyber-attacks. It is an unfortunate fact of life, however, that there is no such thing as 100% protection. The objective must be to reduce the risk as far as is reasonably practicable.

There is no one-size-fits-all solution. Cost alone will often prohibit smaller companies from implementing the same technical measures as large or international corporations.

Each business must therefore consider what security measures are appropriate in light of the type, size and resources of the business. The type and amount of data that the business processes also must be considered. If the data are especially sensitive, a higher standard of IT security will be needed.

Organisational measures

IT security measures should be complemented with organisational measures to ensure that cyber-attacks are dealt with in an efficient and legally compliant way.

Businesses may want to establish a “cybercrime prevention team” to review their existing approach to countering cyber-attacks, adjust it as necessary, and keep it under regular review. Reviewing existing insurance contracts and the cover they provide is strongly recommended, and businesses should consider taking out specific cyber insurance, which is increasingly widely available.

Businesses looking to minimise the risks of cyber-attacks should consider the following practical steps:

  • Review data processing processes, to ensure compliance with data protection and privacy laws;
  • Identify whether sensitive data may be at risk and take steps to reduce the risks;
  • Update the business's IT policy and provide training for all employees on data and cyber security;
  • Review current insurance policies and establish whether additional insurance is needed;
  • Establish a crisis unit to respond to cyber-attacks and agree a plan of action for responding to such attacks;
  • Ensure that the organisation learns from its mistakes: review existing procedures whenever an attack or data loss occurs.

Crisis response

If a cyber-attack takes place, in addition to any IT security response, the business will need to work through various practical steps to minimise commercial, legal and reputational risks.

  • Identify and ensure the business complies with any legal obligations to notify regulatory bodies, public authorities or clients;
  • Plan a public relations response, with input from external lawyers or in-house counsel;
  • Notify insurers, ensuring that any time limits for doing so are observed;
  • Assess the risk of claims being brought against the business as a result (e.g. for breach of data protection requirements);
  • Consider whether the business has potential claims against third parties, such as IT security providers (e.g. claims for breach of contract);
  • Consider reporting the matter to the police; and
  • If the perpetrator is identified, consider the pros and cons of pursuing a damages claim against them.