Defeat cyber risks, use the Force

Cyber risks are a real and present danger. They are often hidden and misunderstood so I wrote this article just for you. I’m also a Star Wars fan and couldn’t resist the Force.

When I think of the words “cyber risks”, I don’t think of anything immediately tangible nor anything immediately threatening. What those words (especially together) mean to me is far more ethereal and a lot more entertaining…

My thoughts digress to a Jedi fighting a Sith, Ewoks and Jabba the Hutt. I think of Darth Vader – the famous “I am your father” scene. All very “otherworldly” and “galactic”. Something a true Star Wars fan can fully and truly appreciate. But this is not Star Wars and I am no Princess Leia.

“Luke, I am your father”

Just like the “Luke I am your father” scene inevitably shocked Luke into a new reality, growing Cyber Risks are doing the same for businesses across the Globe. And that is actually my point – Is Cyber Risk really in a “Legality” far, far away or is it closer to home than we think?

What do I mean? Well I will give you some examples.

In PricewaterhouseCoopers’ January 2016 Top Issues publication, the following was outlined:

“The biggest challenge for insurers is that cyber isn’t like other risks. There is limited publicly available data on the scale and financial impact of attacks and threats are very rapidly changing and proliferating. Moreover, the fact that cyber security breaches can remain undetected for several months – even years – creates the possibility of accumulated and compounded future losses.”

And

“Cyber risks are increasingly frequent and severe, loss contagion is hard to contain, and risks are difficult to detect, evaluate, and price.”

Freshfields Bruckhaus Deringer, a worldwide legal practice, states the following on its “Cyber crime can derail your company” page:

“Whatever your industry, cyber security is a worldwide concern. As you hold more data, and your staff use their own devices, you can become more vulnerable to security breaches.

Those breaches can have significant legal and reputational effects upon companies. As shown by recent data breaches, and related litigation, this is not just an IT issue.”

There has even been a full article written on the Hedgeweek website entitled “Cyber security – a Global Perspective” (the title alone has a sense of doom and seriousness about it). This article sets out the lengths to which the US legislature is going to protect companies against cyber-crime, which include the House of Representatives passing a new cybersecurity bill –

“the Protecting Cyber Networks Act (PCNA) – to allow file sharing between government intelligence agencies and private companies and raise the overall awareness of hacking.”

Cyber Risks – a clear and present danger

If it is not clear already, let me spell it out for you – cyber risks are here. They are not only very real but can be truly devastating to a company should its systems and data be hacked, thereby revealing company trade secrets. Can anyone say “huge liability claim”?

Speaking of huge liability claims, Insurers and Re-insurers are discovering that there is a growing and real need to insure Companies across all industries against these potentially devastating risks and that means increased premiums for those Insurers and Re-insurers eager to tuck into a slice of the proverbial cyber pie. According to PWC –

“Cyber insurance is a potentially huge but still largely untapped opportunity for insurers and reinsurers. We estimate that annual gross written premiums will increase from around $2.5 billion today to $7.5 billion by the end of the decade.”

But that’s insurance, and therefore inevitably a safety net should things go awry. Where law is concerned, prevention is often better than the cure.

Understanding leads to prevention

In order to even start combating Cyber Risk, we first need to understand what it actually entails. According to Kennedy’s “Cyber risks – an insurance perspective” article, cyber risks can be understood quite simply:

“Two of the most common forms of cyber risks are Cyber-attacks and data breaches. Cyber-attacks can take many forms:

Hacktivism – where a company’s website is hacked into and used as a platform to promote views.

Denial of service attacks (DoS) – when a site is bombarded with millions of emails from a bogus source, thereby blocking access to the site by legitimate users. This happened to the Amazon and PayPal sites recently, when they were forced to stop online trading as a result of DoS attacks by people protesting against the arrest of Julian Assange.

Cyber-extortion – where attackers threaten to carry out a DoS attack or to implant viruses in a company’s website or network.

Data breaches can occur as a result of human error – for instance, unencrypted data is lost or sent to the incorrect recipient – or by hackers, employees or others stealing or otherwise gaining access to sensitive data.”

A call to arms

What is abundantly clear is that this is not just an IT issue, something you can “dial a nerd” for and consider your job done. What this is, is a global risk, something we as legal practitioners need to get ahead of. It is all well and good to have the insurers and reinsurers making their mark in this currently untapped risk market, but we need to prevent the risk from happening in the first place. A seemingly daunting and almost impossible task, to be sure. However, as with everything, you can tackle this “one bite at a time”.

With that in mind, how do we fight Cyber Risks?

  1. Identify the specific risks to the business and what needs the most protection. For example, in a company like Coke, intellectual property might be the most important asset which is vulnerable to cyber attack. For Bid or Buy, the stability of online platforms and the security of customers’ personal data may be paramount.
  2. Assess the potential consequences of the various types of possible attack. Essentially, what would the impact be to the company’s reputation, to its share price, to its goodwill? What is the litigation risk? What would the impact on the business be if its activities were disrupted for a short or for a sustained period of time? How much risk can the business accept? This is a really important balancing act and from a legal perspective will need some risk management. For example, ensure senior management in all areas of the business are fully aware of the IT security and all the risks that potentially exist.
  3. Devise a strategy to address the identified cyber risks. This is likely to involve preparation of both a cyber risk management plan and an incident response plan. A cybersecurity review is vital.
  4. Ensure that the systems and security measures are properly and regularly tested (here you can most certainly get a hold of “dial a nerd”).
  5. Implement appropriate staff training and education. Many attempts to compromise information involve what is known as “social engineering”, which is effectively the skilful manipulation of people and human nature to trick information out of a company. Online social media platforms need to be properly monitored and staff trained here according to what they can say and what they can’t say with regards to the company online. A social media policy will most definitely be needed. Proper training can help reduce or prevent completely this type of risk.

Clearly, cyber-security is more than just tightly worded policies and endless procedures. It is a legal risk management exercise which undoubtedly entails keeping your eyes wide open, ears to the ground and your paper trail well and truly up to date – if there is any significant attack, the legal team needs to be properly armed with their trail of governance to ensure real combative steps are taken.

“May the force be with you” indeed does come to mind.

Featured image credit: Paul Jacobson, licensed CC BY NC SA 2.0

You agree to online contracts all the time

You sign online contracts every time you browse the Web, install some application or do just about anything on your devices. This is how it works.

How many online contracts did you agree to today? Everything in this day and age is done online – whether it is shopping, browsing Wikipedia, sharing your thoughts on Twitter or posting pictures on Facebook. In fact it has become so prevalent that people of absolutely all ages are occupied almost throughout the entire day with updates on their phones, tablets, laptops and PCs. We are always connected and with that comes its own quagmire of “what am I actually agreeing to?”.

How you agree to so many online contracts

During your online shopping spree or when uploading a picture of yourself and your beloved feline companion, you have almost certainly come across an “I agree” button. Whether it is agreeing to provide a website with your location and/or email address (for location accuracy purposes) or whether you are agreeing that you are actually entitled to upload the picture, you are agreeing to “something”. That “something” is typically an online contract.

And, instead of fully understanding what we are agreeing to, we have simply become a species of “yes people”, clicking the “I agree” button just to get our music download or complete our purchase. But what does that actually mean? By clicking on that ever increasingly intimidating “I Agree” button, we as online users may be binding ourselves to legally enforceable contracts with the online service provider. And I don’t know about you, but that really scares me.

But did we, as online users, actually “agree” to anything, really? As with any legal agreement, both sides, including the user, must agree to the online contract in the form of the terms and conditions being offered by the relevant online service you are currently using, whether it is Facebook or eBay, in order to create a legally enforceable “agreement”.

Understanding the difference between click-wrap agreements vs. browse-wrap agreements

Some service providers ask for your agreement by requiring you to click the “I Agree” or “Accept” button after being shown the agreement (i.e. a “click wrap” agreement). A common example of a click-wrap agreement is where a consumer is transported, usually by clicking a hyperlink, to a webpage containing terms and conditions which will be included in the agreement, where there is normally (at the end of the page) a button with the phrase “I agree” or “Accept” printed on or next to it.

As its name suggests, a click-wrap agreement requires a positive act from a consumer. Still other service providers try to characterise your simple use of their website as your “agreement” to a set of terms and conditions buried somewhere on the site, a sort of “what agreement are you talking about” site (i.e. a “web-wrap” or “browse-wrap” agreement). The browse-wrap is similar to the click-wrap agreement, and is often used under similar situations, except for one rather important difference.

Not all online contracts behave the same way. Where a click-wrap agreement actually requires a positive action to indicate agreement, a browse wrap agreement does not. It is sneaky that way.

Sometimes the terms will be displayed on the web page being used and other times they will not. A kind of “out of sight, out of mind” scenario. An online user is not required to click on the terms and conditions if they are provided via a hyperlink, and there are very few ways to actually ascertain whether or not such a user was made aware of the terms and conditions. There are other variations on the click-wrap and browse-wrap themes, such as mandatory checkboxes (“check this box to indicate your agreement to our terms and conditions”) or email notices (“by continuing to use our service, you agree to the recent modifications to our terms of service”).

But thankfully not all methods, be they click-wrap or browse-wrap, are good enough to create “legally binding contracts”. I sense a collective sigh of relief.

But when are online contracts binding?

But when or how will such online interactions constitute binding agreements? The consensus here depends on which region you are in – by participating in online transactions in whichever form they are in, we can all basically assume that the interactions here will most likely be cross or trans-border.

This does create some difficulty in the sense that some territories, like the United States, are more evolved in this aspect than others. For example, in South Africa there is very little to no case law on this matter. The UK and EU, too, have very limited case law or legislation on what binds a user to online terms and conditions, except to say that they have established one rule:

an online user should be provided with all terms and conditions in a manner that is readily available and easily accessible without inappropriately or irrevocably binding a consumer to terms he had no real opportunity to become acquainted with.

It seems rather polite of them and a decent way to conduct oneself when interacting online. Could one say “typical of the British”? The US, by contrast, has accepted the click-wrap agreement as a rule of thumb because it so obviously enables the user to assent to the website’s terms and conditions. In other words, the user, by clicking that “I Agree” button, acknowledges that they intend to bind themselves.

In South Africa we are sort of playing catch up with both the US and the UK. In this regard and with the application of our contract law as well as our Common Law, one needs to look at the intention of the parties as well as the actual agreement of the parties. With click-wrap agreements it is quite easy to ensure that the user indicates their agreement by making a mark in the relevant space.

In our Electronic Communications and Transactions Act, an electronic signature is defined as “data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature”. It is therefore accepted that the function of a signature is some kind of personal mark which may be used to identify a party and to convey or confirm an intention to be bound. Common knowledge, I would assume.

In this context, this “mark” as an indication of a person’s agreement is the same as a click-wrap agreement. This in essence leads one to believe that the click-wrap agreement is more than just an “I Agree” button, but rather an “I have been shown the terms and conditions, have read them and have agreed to be bound by them” button. If you are like me, I immediately think of my iTunes account and the constant need to “accept” their terms of use when updating your version of iTunes. If I am absolutely honest, I have never actually read the terms of use before clicking “accept”. As astounding as that sounds from someone of my vocation, all I really want to do is download my music or update my WhatsApp application.

Eeeek!

ALWAYS read the terms and conditions

Once I have finished writing this article, I think I will go avail myself (really) of Apple’s user terms and conditions and next time I click on the “I agree” or “accept” button make sure that I well and truly “Agree” or “Accept” because what I have learnt from writing this article (and which should be obvious) is that with everything, be it a written, a formal Contract or online terms and conditions – read before you click that button, it may hold more consequences than you think!

#justsaying