The effect of COVID-19 on cybersecurity and cyber breaches July 2020

By DARIO MILO, KIM REW, CAROLINE THEODOSIOU, PRIYESH DAYA, LISA SWAINE, KARL BLOM AND WARREN HERO, Published in COVID-19 Cyber Law

With more employees working from home during the COVID-19 pandemic, the risk of cybercrime has escalated, and the need to have proper systems and procedures in place has become even more important.

rgad

While cybercrime is a constant threat to businesses and governments, the threat has escalated with an increase in remote working. Businesses must manage these risks by implementing adequate security measures and keeping privacy, data protection and insurance considerations front of mind.

Several factors may explain the increase in cybercrime during the COVID-19 pandemic. First, businesses need to rely on the home security of individual employees, which may be less effective than the systems implemented by their employers. Second, in an effort to hastily equip employees with the means to work remotely, connectivity is often prioritised over security. With many children being taught online, sharing of work devices between numerous family members is sometimes unavoidable. The bombardment of content, news and information during this unprecedented time, dubbed an "infodemic", becomes easy bait for cybercriminals and scammers to exploit individuals. Because movement is restricted, many individuals are also spending increased time on their devices, which, in turn, creates more opportunities for them to fall victim to cybercrime.

In establishing and implementing technological security safeguards, it is vital to set up Virtual Private Networks (VPNs) and have adequate security safeguards in place. Having procedures in place that detect intrusions, and which respond to and protect against them, is imperative in defending a business from cyberattacks. Making use of Artificial Intelligence (AI) to understand attack factors and mitigate them is also an extremely useful tool. However, all of these measures would be of limited efficacy without adequately educating and training staff and stakeholders. Education is at the core of cybersecurity.

From a legal compliance perspective, businesses need to be aware of their obligations under the Protection of Personal Information Act (4 of 2013) (POPI), as well as contractual obligations. In addition to technological security safeguards, companies must be mindful of organisational security safeguards. Businesses must establish an employee policy that explains how to report a data breach if it happens, so that these issues can be escalated and handled expediently and effectively. Although POPI is not yet fully in effect, responsible service providers and individuals or businesses that deal with personal information should be POPI compliant already. Beyond mere legal compliance, businesses should also strive to meet customers' expectations of proper processing of data.

Reputational harm may be more damaging than legal consequences. If customers or suppliers get the impression that a company is reckless with the data in its possession, they will lose trust, and may take their business elsewhere. Companies and boards have an obligation to take reasonable steps to guard against cyber breaches. Unfortunately, cybercrime is often perpetrated by sophisticated criminal syndicates and so, sometimes, regardless of how reasonably the business has acted, a breach may occur. What is important is that businesses have systems in place and actively take steps to deal with problems as they arise. It is imperative to have an immediately accessible crisis response team that consists of legal advisers and communications and information technology experts. Businesses must be as transparent as possible with stakeholders when it comes to cyber breaches and, when POPI comes fully into effect, parties that deal with data will have a duty to inform relevant parties.

Parties that handle data can obtain different types of cyber insur-ance. A standalone cyber insurance policy generally provides comprehensive cover and is industry-specific. It usually covers costs associated with the initial response to a breach, notification obligations and liability towards the regulator, costs of restoring the system, business interruption, and, potentially, reputation management, notification to employees, clients and the press, and liability cover for third parties. A cyber extension can also be obtained for an existing equipment-type policy. Directors and officers policies can be obtained in addition to a standalone policy, to cover the liability of directors. Generally, cyber insurance policies are not location-specific, so policies should cover cyberattacks and/or breaches at employees' homes while they are working remotely. However, policies may have conditions, for example that a user's passwords must be changed on a regular basis, or that employees need to have undergone a certain number of hours of training. Failure to do so may invalidate the insurance policy. For this reason, it is vital to check the wording of the policy. Businesses must also be mindful of the overriding obligation to take reasonable steps to prevent loss and risk, which can be expected by an insurer.

Companies affected by a cyber breach have civil recourse through instituting proceedings for damages and/or Anton Piller proceedings when needing to preserve evidence. Businesses must draft a report that explains how the breach happened and identifies the perpetrator, if known, and can then initiate the action for damages by way of a summons. If the perpetrator is found to be a former employee, the business can simultaneously invoke a restraint of trade. Businesses also have criminal recourse. They can lay a criminal complaint with the cyber-forensics unit of the South African Police Service and hire an independent forensic expert to write a report. When there is a potential loss of more R100 000 to fraud or corruption, companies are legally obliged to report this. Prospects of success in both forums depend largely on the availability of evidence and whether the identity of the perpetrator(s) is known.

Businesses, brands and bottom lines depend on the trust that companies build with their customers. Managing cyber risk effectively is the way to protect all three. Cyber risk is high risk, even more so during the COVID-19 pandemic, and managing this risk has become ever more important.

rgad

Daya, Milo, Rew, Swaine and Theodosiou are Partners, Blom a Senior Associate and Hero Chief Information Officer with Webber Wentzel.