This Week in Data/Cyber/Tech: Lessons From the Ministry of Defence's Data Breach; and the Cost of Avoiding Cyber Incidents.

Viewpoints
May 10, 2024
3 minutes

There's rarely a quiet week in data protection — and this one was no exception. Below are two developments from the past seven days that caught my eye.

Story #1: Lessons from the Ministry of Defence's data breach

I’m in Washington this week, but news of the massive Ministry of Defence data breach has followed me across the pond. (Whether that’s the work of the algorithm, or my own rather predictable viewing choices, remains to be seen.) 

It’s a fascinating, and troubling, development. And although most businesses are unlikely — touch wood — to be caught up in a nation state attack, the story is relevant for all organisations, for two reasons. 

*****

Firstly, it bears repeating that no one is safe from bad actors.

We regularly see cyber-attacks against schools, hospitals and other institutions that process personal data about vulnerable individuals. Although one might think that such targets would be off limits, clearly that’s not how it works in practice.

There’s also an interesting paradox here.

In cases where a ransom is demanded, attackers who are paid usually do deliver what they promised, typically a working decryption key. Reneging would threaten their reputation for fair dealing, such as it is, and thus would be bad for future business. That is not an argument for paying: a promise to delete stolen data cannot be verified, and law enforcement agencies in both the UK and the U.S. advise against payment.

*****

Secondly, the MoD looks to be ascribing blame for the attack to a third-party contractor. Pointing at the vendor is a common response, but it's rarely as simple as that, whether or not your business involves national security.

Have you conducted due diligence on your processors — if not all of them, at least those that handle your important and sensitive personal data? And what does your diligence process look like? Questionnaires? A review of the vendor’s standard security terms? Something else?

Next, what data protection and security terms do you have in place? When were they last reviewed? Have you ever audited the vendor? Has it previously reported breaches to you — and is there a pattern to those incidents?

In the event of a reportable breach, particularly one involving a third-party vendor, most data protection regulators will want to understand how your relationship with that party met the relevant legal requirements, and tick-box compliance usually won't be sufficient to close off this line of questioning.

As we've seen repeatedly in data breach-related GDPR enforcement, controllers cannot simply outsource liability to their suppliers: Article 28 GDPR requires a controller to use only processors that provide sufficient guarantees of appropriate technical and organisational measures, and to govern the relationship with a written contract, so regulators examine the controller's own selection and oversight of the vendor. So whilst you may not face the same risks as the MoD, it's nevertheless a good time to take stock of your current vendor arrangements.

Story #2: Does it pay to avoid cyber incidents?

Executive compensation typically consists of several components: salary, short- and long-term incentives, and benefits, among others. Is it time to add cybersecurity to that list?

*****

A leading technology firm put out a blog last week in which it said that compensation for its senior leadership team would be based, in part, on the company’s progress in meeting its security plans and milestones.

This comes at a time when cybersecurity is close to, if not actually at, the top of the agenda for organisations and governments alike.

In the U.S., personal liability for cyber incidents has become a source of deep concern for chief information security officers, not least since the SEC's 2023 charges against SolarWinds and its CISO, and the earlier criminal conviction of Uber's former chief security officer over the handling of a 2016 breach.

Meanwhile, two of the EU’s upcoming cyber-related laws, the Digital Operational Resilience Act (DORA) and the NIS2 Directive, (i) oblige a company’s management body to approve and oversee its cybersecurity risk management measures, and (ii) allow senior managers to be held personally liable for failing to do so.

*****

Will all companies follow the compensation trend? Perhaps not — or not immediately, at any rate. 

But executive compensation already rewards positive outcomes (e.g., a rise in share price), so it'll be interesting to see whether keeping the organisation clear of cyber incidents develops into a similar norm. I suspect that it will. One design point is worth noting: the firm in question tied pay to progress against security plans and milestones rather than to the absence of incidents, and the distinction matters, since rewarding a clean incident record creates an incentive to under-report, whereas rewarding completed controls does not.
