This article was written in co-authorship by Inês Antas de Barros, Managing Associate at Vieira de Almeida, and by Joana Neves, Managing Associate at Vieira de Almeida.
Cybersecurity is increasingly relevant as cyberattacks continue to rise: the transition to the digital economy, together with the impacts of the Covid-19 pandemic, is spurring cyberthreats.
2020, as well as the first months of 2021, was infamous for its high-profile cyberattacks: malware attacks emerged as the most relevant cyberthreat in the EU, and phishing, identity theft and ransomware increased substantially.
The growth of digitalisation, automation and connectivity spurred by COVID-19 and 5G/IoT increases cybersecurity vulnerability. According to Gartner, 52% of legal and compliance leaders are concerned about cyber risks due to remote work. In addition, IoT devices, spurred by 5G, are particularly vulnerable to cyberattacks, with the World Economic Forum foreseeing that the global number of connected devices will reach 41.6 billion by 2025. The widespread use of Artificial Intelligence (AI), machine learning and cloud services brings new cyber risks as well.
THE EU CYBERSECURITY STRATEGY
It is not surprising that Europe is especially focused on cybersecurity, having approved, at the end of 2020, a new EU Cybersecurity Strategy. This strategy focuses on building collective capabilities to respond to major cyberattacks and outlines how a Joint Cyber Unit can ensure the most effective response to cyber threats using the collective resources and expertise available in the EU and the Member States. Moreover, the strategy includes a proposal for the revision of the Directive on security of network and information systems (NIS2 Directive). Together with the Cybersecurity Act and the envisaged new certification scheme, these initiatives aim to strengthen Europe’s stance on cyberthreats.
These initiatives focus on specific sectors (such as health, transport, banking and financial market infrastructure, energy, digital service providers, space, postal and courier services and public administration) and will entail the need for organisations to adapt their procedures, policies, agreements and behaviours so as to comply with the demanding cybersecurity obligations arising from this new framework. These include not only organisational and security measures such as security assessments, risk reports, due diligence on third parties and penetration tests, but also the notification of incidents to cybersecurity authorities and the keeping of a register of incidents.
Security and organisational measures have been at the top of the European legislator’s agenda for a while. The General Data Protection Regulation (GDPR) innovatively included a set of obligations on this matter. Apart from the need to carry out a risk assessment to determine the adequate measures that must be implemented, organisations are required to notify a data breach to the data protection authorities and, in some circumstances, to the affected data subjects. During 2020, 331 data breach notifications were issued per day across Europe.
These obligations pose serious challenges to organizations. When a breach occurs, organizations are required to trigger internal procedures and mechanisms to address the incident, including compliance with various notification obligations. With the new framework on cybersecurity, additional obligations will apply.
Businesses’ cybersecurity policies and strategies shall therefore consider and anticipate all potential consequences of cybersecurity breaches and address the impact arising therefrom on relationships with all parties and stakeholders potentially involved, such as clients, employees and public authorities. It is particularly important for businesses to anticipate the real risks of potential investigations from data protection authorities and/or civil litigation with data subjects.
Recent court cases triggered by cyberattacks, and the notifications issued thereafter, are important examples of the actual litigation risks that businesses can face.
LITIGATION RISKS ATTACHED TO CYBERSECURITY BREACHES
Following a cyberattack that exposed the personal data (including names, addresses, emails, payment card and CVV numbers) of more than 400,000 British Airways customers and employees, a group of individuals filed a collective action in England against British Airways seeking compensation for damages under the GDPR. According to the leading lawyers acting for the claimants, based on an estimated £2,000 individual compensation, British Airways could face a total claim of £800 million if every victim came forward. All clients that had been notified by British Airways of the cyberattack in September 2018 are being encouraged to join the action to claim compensation. The case is being handled on a “No-Win, No-Fee” basis, meaning that legal fees will only be charged if the claim is successful.
More recently, the same law firm filed similar collective redress proceedings against EasyJet following a cyber breach announced by the airline group in May 2020.
The hotel group Marriott International is also facing a collective action in England under the GDPR for alleged failure to secure and keep control of personal information in a cyberattack that affected an estimated 340 million guests who had booked online. The lawsuit was filed by Martin Bryant, journalist and founder of the technology and media consultancy Big Revolution, on behalf of the proposed class of individuals. The lawsuit is being funded by Harbour Litigation Funding, an international litigation funder.
In all cases, parallel investigations were conducted by the UK’s data regulator, which imposed a £20 million fine on British Airways and an £18.4 million fine on Marriott International for these companies’ failure to put in place appropriate technical and organisational security measures.
These examples expose the growing risks and trends arising from cybersecurity breaches and data incidents.
In addition to stronger and harmonized substantive protections arising from the GDPR and the increasing European regulations on cybersecurity, individuals are much more conscious of their privacy rights and prepared to exercise them.
Improved procedural mechanisms aiming for collective redress in the European market are encouraging professional litigation funders and fostering the emergence of several representative entities and claimant-focused law firms acting for multiple claimants. This trend can also be seen in Portugal, where a new consumer protection association was recently created and is filing major actions under Portuguese Law no. 83/95 of 31 August (Law of Popular Action), entirely financed by international litigation funders who pay all legal and operating expenses and bear the risk of the lawsuit.
While Article 80 of the GDPR allows non-profit bodies or similar organisations to lodge claims on behalf of multiple data subjects, the collective redress mechanisms available in the Member States are still significantly different. With the adoption in November 2020 of Directive (EU) 2020/1828 on representative actions for the collective interests of consumers, all Member States shall introduce or revise national law to ensure that at least one procedural mechanism is in place to allow qualified entities to bring collective actions on behalf of multiple consumers. When facing cross-border infringements affecting consumers in different Member States, each Member State is required to allow qualified entities from other Member States to bring actions before its own courts. Directive (EU) 2020/1828 also requires Member States to address in their national legislation major topics such as third-party funding, allocation of costs (favouring a “loser pays” principle) and the effects of final administrative decisions. Data protection is one of the areas specifically covered by the new Directive.
In this context, civil litigation, and more specifically collective litigation, arising from cyberattacks is expected to rise. Large, international and profitable businesses are the most likely to be sued.
BUSINESSES’ CYBERSECURITY POLICIES AND STRATEGY – A HOLISTIC APPROACH
Organisations must proactively develop and implement a cybersecurity strategy under the principles of prevention, reaction and monitoring.
The implementation of such a strategy necessarily entails a holistic approach and analysis, so as to identify and better address all legal, operational, economic and reputational risks that may arise at all stages and levels, including the increasingly high litigation risks.