Cybersecurity, like money, is one of those things that become screamingly important when there is a lack of it. Compliance is widely recognised to be a critical component of cybersecurity. This article considers how an in-house counsel and other legal practitioners can support a corporate client in pursuit of better compliance in cybersecurity.
A number of large, well-publicised data breaches were reported in 2016–17. Some were the result of non-malicious employee error (for example the Commonwealth Department of Health’s publication of confidential information on its public portal), whilst others were the result of organised cyberespionage. An IT contract should provide for all eventualities.
Technology contracts often deal with cybersecurity by imposing obligations and liabilities to keep networks, software and digital assets secure. The scale and significance of more recent data breaches has led to a new focus on supply chain security. Risks and vulnerabilities are more likely than ever to be introduced into your client’s technology by a malicious act, impacting not only their operations but those of their contractors, subcontracts, third party suppliers and so on.
In April 2017, security researchers published a report1 into a long-term international cyberespionage campaign. The security threat was dubbed ‘APT10’ and researchers released the report in order to raise awareness so that prevention and detection capabilities could be put in place. As commercial lawyers advising in technology deals, we should be aware of vulnerabilities such as APT10, and recognise that to some extent back-to-back agreements and contractual visibility of primary service providers and their main subcontractors may not adequately deal with today’s risks and the complex liability issues that arise.
APT10 impacted managed service providers in Australia, the UK, the USA, a number of north European nations, South Africa, India, Thailand and South Korea. However, Managed Service Providers (MSPs) were not the intended victims. MSPs were compromised in order to infiltrate the networks of their clients, covering a diverse field, including: engineering, manufacturing, retail, energy, pharmaceuticals, telecoms and government agencies. Interestingly, APT10 did not initially target mission critical technology. Malware was installed on non-critical machines, which were then used to move laterally into the targeted technology. Remote desktop protocols were used to steal data, which was then collated, compressed and sent from the MSP’s network to infrastructure controlled by APT10. It is worth noting that the security researchers indicated that they had observed APT10 since 2013. The report does not disclose how much data or the types of data that were compromised by APT10.
From a commercial lawyer’s perspective, at a basic level, cybersecurity is about trying to maintain confidentiality. At a more sophisticated level, a commercial lawyer can assist clients by fully understanding the commercial arrangement and helping the client to protect itself against a known cybersecurity risk.
If your client is involved in a data breach it is not only commercially sensitive information that will be compromised; they are likely to face the disclosure of personal information affecting hundreds of thousands – if not millions – of people. In the face of high reputational risk and other liabilities, a well-constructed commercial deal containing a clear framework with agreed rights, roles and liabilities can go a long way towards (ideally) preventing as far as possible a cyberattack, and minimising its impact should one occur. While transfer of risk is a valid risk minimisation strategy, it is not possible to contract out of regulatory data protection and data compliance obligations.
Issues for consideration when drafting or negotiating contracts:
Definition of confidential information
Contractual obligation to maintain confidentiality
Note that if a data breach is the supplier’s fault, the customer may have a common law action for breach of confidence available. Such an action could lead to an award of damages, an accounting of profits, a constructive trust, injunctive relief or restitution, for example:
Both parties should conduct due diligence on how data will flow from one party to another
Should your organisation or client then be affected by a data breach (either as a victim, as an organisation targeted by a hacker or as an organisation that has subcontracted where the subcontractor is the target of a cyber attack) the contractual framework should be clear. Most importantly, the contractual framework should clearly describe each party’s obligations in relation to a data breach, notification steps, timelines, which party is responsible, liability and the handling of claims by third parties.
Loss of data is becoming an increasingly contested negotiation point in the context of indirect/consequential loss. While it is not uncommon for indirect/consequential loss to be excluded from an agreement, we recommend close consideration be given to treatment of data (and loss of data). Where relevant, loss of data should be expressly acknowledged to be a direct loss, so as not to be captured in any exclusion of indirect/ consequential loss. There is always middle ground which can be negotiated, such as treating loss of data as a direct loss only if agreed security measures and data back-up systems are implemented to limit the risk of loss to data.
From a customer perspective, consider negotiating a limitation on the supplier’s ability to subcontract and require prior written approval. If a customer has the right to give their approval prior to subcontracting, there is an opportunity for the customer to vet subcontractors from a cybersecurity perspective.
Additional provisions for consideration
Rights to access and audit
Even if a technology contract does not give a third party the right to access your client’s information, many practitioners also look to include an unfettered contractual right for the owner of the data to conduct independent checks of the security measures in place. You should also consider the terms of technology contract to ensure that your client will not be in breach of contract if they decide in the future to engage a third party to monitor the technology to ensure a supplier’s staff or a third party are not stealing or making unauthorised modifications to your data.
Cyber insurance will afford an additional level of protection should an adverse event arise. Once again though, the agreement should identify who is responsible for taking out insurance and for what, also considering whether the interests of other parties should be noted.
At the end of the day, compliance is a level of protection but not a guarantee of security. Compliance as a line of defence will only be as strong as your weakest link. In that context, the supply chain and procurement practices represent risks often not identified when the compliance focus is inward facing. Cyberspace represents a clear and ever present danger to organisations of all types and sizes, so don’t let your client’s weakest link be their downfall.
This article was first published in Australian Corporate Lawyer, Autumn 2018 and is reproduced with permission.
 Operation Cloud Hopper—exposing a systematic hacking operation with an unprecedented web of global victims, April 2017, www.pwc.co.uk/cyber.
 Maggbury Pty Ltd v Hafele Australia Pty Ltd (2001) 210 CLR 181.