to incidents: it has to be guaranteed via a continuous process in which an organization can reduce risks to an acceptable level. This could be, among other things, by drafting a personnel handbook including guidelines on internet usage, emails and passwords. Further, it should be clearly defined that employers have to report abuses, how they have to be reported and what the time limit is. Otherwise, companies would have to depend on the reasonable conduct of their employees instead of being able to require such conduct. ICT contracts, it is important to distribute responsibility and limit liability. After all, your company is responsible for the ICT you use. This does not change if your ICT only has a supporting function or if you have not developed the ICT yourself. Check for instance your General Terms and Conditions, where liability can be excluded, limited or transferred to a third party but also concrete arrangements such as Service Level Agreements (SLAs). The scope for agreements will be more limited if the counterparty is a "consumer." A provision in the General Terms and Conditions of an agreement has no legal consequences (it is "voidable") if it is extremely disadvantageous ("unreasonably onerous") for the consumer. A provision stipulating that your company has no or limited obligations in the area of cybersecurity will probably be unreasonably onerous. Besides, arrangements agreed upon concluded the agreement with. It is crucial to phrase agreements clearly. Vague agreements bear the genuine risk that a court will interpret provisions, at least in the event of a conflict, to the detriment of the company. Suppose that your company determines in an agreement that it shall not be liable if a cyberattack causes its being too late in fulfilling its obligations. Without a more detailed description of this term, a conflict could arise on the question as to whether a certain kind of malware would constitute a cyberattack. Your company can lastly not exclude all liability. Obviously, hardware and software, apps and web-based tools must comply with the latest requirements in the fields of security. Therefore, despite exoneration clauses the company remains liable regarding, for instance, if it uses, with the knowledge of the management, ICT whose cybersecurity falls short. A company using obsolete software to save costs and not taking measures to protect its computers and networks will probably not be able to invoke a stipulation excluding liability if a lack of security causes damage. If legal means are not sufficient to limit the liability of a company and directors, the financial consequences can be limited by cyber insurance and directors' liability insurance. underlined by the privacy laws and high penalties for infringement on privacy. Personal data is usually processed by means of ICT. In Europe, strict rules worldwide. The basic principle of the regulations is that they apply to the processing of personal data from Europeans even if the processing takes place outside Europe. A breach of the security obligations has severe financial consequences. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens; AP) can currently impose a maximum fine of EUR 820,000 per breach or 10 percent of the annual turnover. As of May 25, 2018, the AP will be able to impose a maximum fine of 20 million euros or a fine of 4 percent of the worldwide annual turnover should this amount be higher. responsibility for cybersecurity and can be held personally liable in the event of breaches. The board has to examine the organization and (ICT) company processes for compatibility with the existing regulations. In addition, the board has to make sure that both managers and supervisors have expertise in this area, for instance by appointing a chief information officer to the board. Employees must be familiar with the cybersecurity policy, for instance via the staff handbook or internal training. In contracts, liability for cybersecurity problems can be limited to the greatest extent possible. Should this not be enough, insurance can also be a solution. |