With up to 90% of large organisations based in the UK and 74% of UK-based small businesses experiencing a security breach in 2015, and with the average upper cost of a single breach being £3.1 million (HMG 2015 Information Breaches Survey) it is no wonder that Orrick’s London office was filled with leading IT lawyers and barristers for this event focused on cyber related risks, liability and insurance. The emerging cybersecurity insurance market, insurance cover and related services (Matthew Webb, Hiscox) provided the backdrop to overviews from leading experts in relation to cybersecurity risks (Ian Kayne, Mason Advisory), current issues in civil litigation (Ian Helme, One Brick Court) and the relevance of the Computer Misuse Act 1990 to corporate clients (Matthew Lavy, 4 Pump Court).
Matthew Webb (Head of Technology, Cyber & Data Underwriting, Hiscox) outlined a growing demand for cyber insurance in the UK from businesses of all sizes, explaining how the cybersecurity insurance market is developing, detailing typical insurance policies and covers, giving examples of typical claims and demystifying how insurers price cybersecurity risks.
Hiscox has experienced strong growth in its UK cybersecurity insurance business in the last financial year, with customers ranging from micro-businesses to major corporate players. As reported in the press, one underlying trend has been an increase in ransomware incidents and claims. Although the average ransom payment demanded is in the $300 to $1,000 range, with an average payment of $700, the total costs of a ransomware incident can be much higher as businesses face business interruption and incur legal and consulting costs.
Structure of cyber risk insurance cover: Typically an insurance policy will be purchased, subject to an overall indemnity limit. The policy will usually include first-party cover and third-party cover. A package of cover is available from Hiscox for:
· Breach costs – practical support in the event of a claim;
· Cyber business interruption – compensation for loss of income, including damage to reputation;
· Hacker damage – costs of repair restoration or replacement if a hacker causes damage to websites, systems or electronic data;
· Cyber extortion – costs incurred in the event of a threat of damage to or disruption of computer systems or a threat of publishing information;
· Crisis containment – crafting a public relations response;
· Privacy protection – defence costs, awards and settlement following legal actions, eg for invasion of privacy or breach of confidentiality; and
· Media liability – protection if the insured mistakenly infringes someone else’s intellectual property or inadvertently libels a third party.
The underwriting process: The primary rating factor, indicating the likely size of claim payments, is typically the type and volume of records held by the insured. Secondary rating factors include how hack attractive the overall industry is, the position of the insured in the industry and features of the insured’s own operations (such as governance, industry accreditations, information and privacy policies, security controls and back-up procedures).
Ian Helme (Barrister, One Brick Court) outlined current issues and trends in civil litigation, including a trend towards liability being established for data compromise per se, rather than for subsequent data misuse and towards it becoming easier to claim damages for breach and to obtain injunctions to restrain breach.
Starting by outlining the three major causes of action (breach of confidence, misuse of private information and statutory duties around data protection), Ian Helme identified an important move towards liability being established for data compromise per se rather than subsequent data misuse across three UK cases (PJS v News Group Newspapers, Gulati v Mirror Group Newspapers and Vidal-Hall v Google). This trend combines with a general trend towards it becoming easier for individuals to sue for damages arising out of breaches, as exemplified in Vidal-Hall and Gulati. The very wide definition given to personal data and that damages for distress without loss were allowed in Vidal-Hall were both noted. Defendants, meanwhile, may be encouraged by the decision in Cartier v British Sky Broadcasting and others which confirms that the jurisdiction under the Senior Courts Act 1981, s 37(1) is wide and shows that tailored blocking injunctions against ‘enablers’ are a very real possibility.
Ian Kayne (Cybersecurity Practice Lead, Mason Advisory) provided a detailed description of current cyberattack methods, outlining weaknesses arising from ‘naive’ email technology and human behavioural issues (namely that people can be curious, obedient to perceived authority figures, culturally inclined to help and are trained to respond quickly and follow business procedures rather than spot anomalous requests).
A range of common email-based exploitation options open to cybercriminals was discussed, including social engineering (no/low tech), malware attachments (med/high tech) and malware links (low/med tech) designed to avoid cybersecurity controls. Specific attacks including spear phishing were outlined, and a ‘man in the middle’ attack was dissected in detail, identifying players and their roles with descriptions of the technologies used. $3.1 billion was lost due to business email compromise attacks from January 2015 to August 2016 according to the FBI, with over 22,000 victims worldwide. According to Microsoft, the average time an attacker stays undetected within an infrastructure is 200 days. The trend towards use of cloud-based services can increase the attack surface available to cybercriminals.
In conclusion, Ian Kayne provided four key ‘take aways’ for corporations:
· consider conduct cybersecurity awareness training;
· email is inherently insecure, trust but verify;
· don’t rely on single measures of protection, rather practice what the industry terms ‘defence in depth’ – for example, rather than one firewall, or one process for payment approval, have multiple layers or steps appropriate to the value of the assets being protected;
· don’t re-use passwords.
Matthew Lavy (Barrister, 4 Pump Court) introduced the Computer Misuse Act 1990, explained the relevance of the 1990 Act to commercial clients and explored the interpretation and application of the 1990 Act.
The 1990 Act followed hacking by persons including Gold and Schifreen (R v Gold and Schifreen [1988] AC 1063) in relation to the Prestel system in the 1980s. Essentially, the pair used Customer Identification Numbers and passwords to gain access to Prestel. BT brought an (ultimately unsuccessful) private prosecution against them under the Forgery and Counterfeiting Act 1980, s 1. The 1990 Act was passed to enable successful future prosecutions against persons who, in the words of the Court in R v Gold and Schifreen, engaged in ‘certain activities known as computer hacking’. The 1990 Act criminalises certain activities and s 1, in particular, arises in commercial cases. It reads:
Unauthorised access to computer material.
A person is guilty of an offence if-
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
(b) the access he intends to secure, or to enable to be secured, is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
In relation to s 1(a), the term ‘computer’ is not defined, leading Lord Hoffman to define the term as a ‘device for storing, processing and retrieving information…’ (DPP v McKeown [1997] 2 Cr App R, 155, HL at p 163). It is important to note that any computer (including the computer performing the relevant function) is covered by the section. The term ‘intent to secure access’ is defined in s 17(2) and is very broad. The result is a wide ambit of applicability. For example, see R v Crosskey [2013] 1 Cr App R (S) 76, where the appellant hacked the Facebook account of Selina Gomez, posting messages about her then boyfriend Justin Bieber.
Turning to s 1(b), access must be ‘unauthorised’, which is defined in s 17(5), reading in part ‘Access of any kind by any person to any program or data held in a computer is unauthorised if— (a) he is not himself entitled to control access of the kind in question to the program or data; and (b) he does not have consent to access by him of the kind in question to the program or data from any person who is so entitled…’ The question of the meaning of the phrase ‘of the kind in question’ went all the way to the House of Lords in R v Bow Street Magistrates’ Courts and Allison (AP), ex parte Government of the United States of America [2002] 2 AC 216, where it was argued that, as an employee had general permission to access records “of the kind in question” (although not the specific records), her activity was not covered by s1. This argument was given short shrift by the House of Lords; their lordships additionally confirmed that s 1 is not about just hacking per se but covers any unauthorised access.
To illustrate remaining uncertainties in interpretation and application of the 1990 Act, Matthew Lavy concluded by posing a number of scenarios to the audience and asking whether an offence under the 1990 Act had been committed in each of them.
Conclusion
This is an interesting area of law currently undergoing relatively significant and rapid development, in part driven by increasing levels of cybercrime activity. The last several years have seen an increase in the number of cyber attacks and in the prevalence of companies taking out (and claiming against) cyber risk insurance policies. Recent court decisions show trends towards liability being established for data compromise per se, rather than for subsequent data misuse. There are also trends towards it becoming easier to claim damages for breach and obtain injunctions to constrain breach. Bringing prosecutions under the Computer Misuse Act 1990 is a work in progress by investigative authorities and the CPS (see, for example, the latest relevant CPS guidance); and the interpretation of the Computer Misuse Act 1990 is likely to be further refined by the courts.
Quentin Tannock is a pupil Barrister at 4 Pump Court.