FALL 2017 | Celebrating 25 years with the world's finest law firms
awareness exceeds merely reacting to incidents: it has to be guaranteed through a continuous process in which an organization can reduce risks to an acceptable level. This could be done, among other things, by drafting a personnel handbook that includes guidelines on internet usage, emails and passwords. Further, it should be clearly defined that employers have to report abuses, how they have to be reported and what the time limit is. Otherwise, companies would have to depend on the reasonable conduct of their employees instead of being able to require such conduct.
Contracts
When concluding any contract, not just ICT contracts, it is important to distribute responsibility and limit liability. After all, your company is responsible for the ICT it uses. This does not change if your ICT only has a supporting function or if you have not developed the ICT yourself. Check, for instance, your General Terms and Conditions, in which liability can be excluded, limited or transferred to a third party, but also concrete arrangements such as Service Level Agreements (SLAs). The scope for such agreements is more limited if the counterparty is a "consumer." A provision in the General Terms and Conditions of an agreement has no legal consequences (it is "voidable") if it is extremely disadvantageous ("unreasonably onerous") for the consumer. A provision stipulating that your company has no or limited obligations in the area of cybersecurity will probably be unreasonably onerous. Besides, the arrangements agreed upon only apply with regard to the party with which you concluded the agreement.
It is crucial to phrase agreements clearly. Vague agreements carry the genuine risk that a court will interpret their provisions, at least in the event of a conflict, to the detriment of the company. Suppose that your company stipulates in an agreement that it shall not be liable if a cyberattack causes it to be late in fulfilling its obligations. Without a more detailed description of this term, a conflict could arise over whether a certain kind of malware constitutes a cyberattack.
Lastly, your company cannot exclude all liability. Obviously, hardware and software, apps and web-based tools must comply with the latest security requirements. Therefore, despite exoneration clauses, the company remains liable if, for instance, it uses ICT whose cybersecurity falls short with the knowledge of management. A company that uses obsolete software to save costs and takes no measures to protect its computers and networks will probably not be able to invoke a stipulation excluding liability if a lack of security causes damage.
If legal means are not sufficient to limit the liability of a company and its directors, the financial consequences can be limited by cyber insurance and directors' liability insurance.
Privacy
The importance of cybersecurity is underlined by privacy laws and the high penalties for infringement of privacy. Personal data is usually processed by means of ICT. In Europe, strict rules apply to this, and they can affect companies worldwide. The basic principle of the regulations is that they apply to the processing of the personal data of Europeans even if the processing takes place outside Europe.
A breach of the security obligations has severe financial consequences. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens; AP) can currently impose a maximum fine of EUR 820,000 per breach or 10 percent of the annual turnover.
As of May 25, 2018, the AP will be able to impose a maximum fine of 20 million euros or a fine of 4 percent of the worldwide annual turnover, should this amount be higher.
Conclusion
The board of a company has the ultimate responsibility for cybersecurity and can be held personally liable in the event of breaches. The board has to examine the organization and its (ICT) company processes for compatibility with the existing regulations. In addition, the board has to make sure that both managers and supervisors have expertise in this area, for instance by appointing a chief information officer to the board. Employees must be familiar with the cybersecurity policy, for instance via the staff handbook or internal training. In contracts, liability for cybersecurity problems can be limited to the greatest extent possible. Should this not be enough, insurance can also be a solution.