Reports last week about the hacking of the political think-tank Lowy Institute and of the question-and-answer website Quora were met with different responses by the affected parties. Reportedly, the Lowy Institute declined to comment, citing a policy of not doing so on security matters. For its part, Quora began emailing affected users the next working day after discovering the hack.
These incidents, and the different responses, are a timely reminder that information security and regulation are the “new black” in intellectual property law. Perhaps not IP law in the narrow sense, but in the sense of the ownership, possession, care and custody of the communications and systems that we all use to do business, and what those systems record. What are the rules of owning information, of having someone else’s information, and of trusting someone to look after it? Like most things these days, the government has stepped in to a degree, in the public interest. But businesses need to be protective of their own private interests as well.
In this IP Communique, Moulis Legal senior associate Sandy Zhang and lawyer Benjamin Duff look at data breach from a more commercial perspective.
Public data breach remedies are punitive rather than compensatory
Mandatory reporting of data breach – typically the “stealing” of personal information – gives transparency to web users about the hacking of their data, and allows independent mitigation to some extent. But is that good enough? It is too late to do anything much that is truly remedial after the hack has occurred and been reported. Businesses should consider contractual mechanisms to mitigate the risk of a hack and even to recover damages.
That is not to say that mandatory reporting is a waste of time. It does play its part in forcing higher levels of data protection and spreading awareness. Not every eligible data breach as defined by the Privacy Act 1988 (Cth) is considered a hack, but a successful hack will almost invariably be considered an eligible data breach (given that the target is usually sensitive information) and will need to be reported under the Act.
From the commencement of the Notifiable Data Breach scheme on 22 February 2018 until 30 June 2018 there were 305 eligible data breaches reported to the Office of the Australian Information Commissioner (“OAIC”), with 59% of these being malicious hacks.1 These reported breaches come from businesses diligent enough to understand their obligations under the NDB scheme, and should by no means be regarded as an accurate representation of the actual number of eligible data breaches in Australia within that period. Any business that has had an eligible data breach but has not reported it will be in breach of its obligations under the Privacy Act. However enforcement and prosecution remains an issue. Much like the OAIC’s prosecution of Privacy Act breaches in general, limited resources mean that only the most significant and high-profile breaches are likely to be prosecuted.
Mandatory private data breach reporting is needed too
None of this provides a business with any assurance as to the handling of information that it discloses to another business. So, our first tip is to consider including private mandatory reporting obligations in your own information-rich contracts. A business can and should be kept in the loop when it comes to the information security of its business partners. When it comes to personal information under the Privacy Act, a business may even have legislative obligations in this regard, which will not be satisfied by a simple checkbox clause stating that its business partner must comply with the relevant privacy laws. Step this up to include a contractual obligation to notify data breaches or attempted breaches, together with particular obligations as to how personal information is to be handled and secured, and your business will be much better protected.
A well drafted contract can describe each party’s information handling and incident response obligations, such as advice protocols, notification steps, timelines, responsibility, liability, and the handling of claims by third parties. A contractual right to be informed of circumstances affecting another party to a contract, which may in turn affect performance of the contract or its character and standing, is nothing new. The specific protection of rights with respect to information mishandling and hacking in the same way is, however, less common than it should be.
Everyone needs to be vigilant about data protection
Information security is not only a concern of digital business. Businesses handling and using big data are the biggest stakeholders, but these days everyone in business has to manage and use data to some extent. Although big data platforms continue to improve their defences, hackers are also improving their methods. As more and more businesses begin to use big data, there will also be more opportunities for information to be hacked. Sharing of your own business systems with contractors, subcontractors, employees, third party suppliers and so on, and the increased reliance on cloud data storage and computing platforms, creates risks and vulnerabilities for the information that can be accessed through those systems. Each access point of the digital service invites attention from hackers.
Data breach at the Lowy Institute likely involved its own work product about other people. At Quora, the data was personal information handed over by users to get access to the site, and their digital footprint when using the site. In both cases, the individuals affected were powerless to negotiate the terms on which data about them could be stored and used. However, in most commercial transactions between business partners, data owners do have bargaining power, and can seek protection.
Keep your contractual partners clever
Our second tip, therefore, is to mitigate the risk of unintentional data breaches, malicious attacks and infections by including contract clauses requiring third parties to have up-to-date security systems. Again, this should be more than just a checkbox clause stating that particular systems must be secure or must have virus protection. Different people may have different understandings of what is considered secure or a reasonable level of protection – you should try to ensure that your requirements are met to the greatest extent possible. If your information is important to your business, you should always know how it is actually secured.
It is also important to remember that “hacking” is not only what Hollywood would have you believe. Sure, computer programmers do sit around typing long strings of code in order to bypass security systems through technical means. But, as system security improves over time, hackers are more often opting for “phishing” and social engineering methods to steal legitimate account information. After all, the weakest link in a secure system is the human element. Information security training and adequate internal policies are becoming increasingly important, which is why a business exchanging information or allowing access to it should ensure its business partners have adequate information security policies and staff training in place. The most secure system in the world will not help your business if a systems administrator willingly gives out account login details to a hacker.
Data breach can be like any other contractual breach – costly!
With business communication moving from email into the cloud, data loss enforcement clauses are being more frequently demanded. A well drafted information security clause, backed by appropriate insurance, serves two purposes. Firstly, it creates awareness amongst all concerned of the singular importance of data protection, promoting good habits and enhancing the likelihood of stopping problems before they start. Secondly, by imposing obligations on the party that clearly should be responsible, and requiring warranties and indemnities in relation to information security policies and levels of protection, compensation can be demanded when such a right might not otherwise exist.
Insurance coverage obligations that accurately reflect either the cost and value of the service being provided or the damages that could be suffered are important. At the same time, contracting parties do need to be cooperative in their approach to these issues. Reasonable limits to liability can enable your business partners to get the insurance they need to sign the contract. A proper commercial balance should be the goal.
How good is your contractual information security?
“www” is an acronym for the world wide web, but it could just as easily stand for “wild west web”. The accessibility of the internet and its widespread use means that phishing, hacking and even corporate espionage can and does occur on a regular basis. The government does its part to protect information and privacy rights, but ultimately it is up to businesses themselves to safeguard their own data and its use by third parties. Carefully drafted, effective data clauses can go a long way towards achieving this objective. Identifying and stopping hacks, or being compensated for them, should be front of mind in any modern contract negotiation where electronic information is an important element of the commercial transaction. It is never too early to review and audit your contracts and information security policies.
This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.
© Moulis Legal 2018
[1] Source – The Office of The Australian Information Commissioner at https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-quarterly-statistics-report-1-april-30-june-2018
