Europe: Cyber liability - Iberian peninsula

Over the past few months a number of high profile companies have been targeted by cyber criminals - both in Europe and the US. The focus appears to be on acquiring client email addresses, personal data and passwords as these can often unlock access to credit card and banking details.

The risks for the companies affected are hefty fines from regulators, potential law suits, client notification costs, expensive forensic IT audits, IT remedial fees, business interruption costs and significant brand reputation damage. Any company that stores customer data online either on its own system or via an outsourced data centre, is at risk.

The human factor
In addition to criminal activity there are also an alarming number of data loss cases resulting from ‘human error' - such as unencrypted data left on laptops or memory sticks.

Regulators across Europe and in the US are actively considering how legislation can protect consumers, but it is clear that there will be no single, global ‘one size fits all' solution. The result is a headache for companies trying to comply with or anticipate the law, and for regulators trying to advise on best practice and monitor compliance.

"The result is a headache for companies trying to comply with or anticipate the law."

Tangled web
So how does the law stand? From May, a new European E-Privacy Directive came into force, which rules that websites and companies operating online must obtain individuals' explicit consent to install cookies on their computers. This directive was set up to try and protect individuals' privacy, and to limit the use of behavioural advertising, which gathers data on consumers' shopping habits and remembers log-ins. Every European Union country is in charge of enacting these laws via national legislation, but interpretation and implementation is expected to vary across the EU.

Since the beginning of year, there has also been a requirement for telecom companies and internet service provider to notify clients of a data breach. Spain, Germany, Austria and Ireland have taken this directive one step further and widened the notification requirement to all ‘data controllers' - third party suppliers of data storage or management.

Spain particularly complex
Under Spain's e-privacy laws, consumers also have a ‘right to be forgotten' and there are concerns that this requirement may be replicated across Europe. Under Spanish law, individuals can request that all references to them are removed from the web. This creates an issue because it is often unclear where data is being stored or replicated.

In 2010, the Spanish state filed court orders against Google Spain on behalf of 93 individuals seeking to have information removed. Google Spain is reportedly arguing that it has no official storage business in Spain, and that it is merely the go-between for clients and Google Inc, which is a US business with no subsidiaries in other countries, and as such only subject to laws governing the state of California.

"It is often unclear where data is being stored or replicated."

Ownership question
Google also argues that the original pages that mention the individuals do not belong to it. As such, any legal cases should be brought against the original publishers of the information. Earlier this year, the Spanish data protection agency - Agencia Española de Protección de Datos - decided to pass on these cases to the European Court of Justice in case the decisions set a precedent in other EU countries - a development that will be watched with interest.

Viviane Reding, the vice-president of the European Commission, is also reviewing the issue of data protection and safeguarding, with a view to issuing recommendations later in the summer. Initial reports suggest that she will suggest that the EU should follow US practice and require the implementation of client data breach notification laws for all companies- not just telecoms or ISP businesses - within the next three to five years.

Planning for a breach
In the light of the developing legal landscape, companies that store personal data online, either on their own system or on a third party's system, should be prepared to manage data loss. Companies should have a robust and well-practised incident response plan that is understood by all the key personnel in the company, and by any supplier of outsourced data services.

It is also advisable to consult risk mitigation specialists to ensure best practice security techniques are implemented throughout the organisation and to consider purchasing tailored, global insurance policies. These policies should recognise the variances of international law, and that data breaches are not limited to electronic or Internet use only. Typical policies should offer insurance protection for data breach notification costs, IT forensics and legal fees, credit monitoring, data recovery, business interruption and other reasonable and necessary costs to minimise the impact following an actual or potential data breach.

"Companies that store personal data online should be prepared to manage data loss."

No easy solution
Given the dynamic nature of data breaches, such policies should also include broad third party insuring agreements, recognising that different and possibly expanding liability standards may apply, especially in the US.

It is clear that international e-privacy laws are not in harmony. Spain, in particular, appears to be emerging as a test case for how regulators will consider obligations in relation to enforced client notification, insistence on the right to be forgotten, and the legal problems that this causes.

Ultimately, there is no easy solution. With the rapid growth of electronic commerce, including online trading, the use of social networking, and the potential cost savings of cloud computing and other outsourced data handling scenarios - the risks are continuing to grow. Companies will need to act fast to manage the loss and work closely with insurers to ensure they have adequate risk mitigation and loss protection in place.

Paul Skinner is technology and casualty underwriter at Chubb.