Cyber liability, cybersecurity and information governance are terms that directors are becoming more aware of due to high-profile data security breaches. Mason Hayes & Curran covers the critical questions these companies need to be asking.
In an increasingly interconnected world, with the expansion of the internet and development of the internet of things (IoT), there has been a corresponding increase in the vulnerability of information systems to attack.
In order to assist company directors in understanding their key responsibilities in the areas of cyber liability and cybersecurity, we have launched the Cyber Security for Directors app with the Institute of Directors in Ireland.
The app details the various types of cyber liability and cyber risks, while drawing together the key areas for directors to consider. It also outlines both proactive and reactive strategies to manage cybersecurity. The app is now available for both Android and iOS devices.
The reliance we place on information systems, both for storage and transmission of data, is making data security breaches all the more damaging to organisations. It has never been clearer that companies and organisations need to have data security policies in place and good information governance. Failure to do so inevitably leads to the cyber liability that can put any company at considerable risk.
Where there is liability, there is a corresponding responsibility for that liability. As the duties of directors come increasingly under the microscope, it is clearly in the interests of directors to ensure that they understand their responsibilities in this area.
Below, we have outlined the key questions that directors should ask in relation to the collection and processing of data.
1. Are we being transparent?
Data must be obtained fairly and the company must be transparent about the reason the data is being collected and the purpose for which the data will be used. Data must not then be put to a further incompatible use.
2. Do we have consent?
Consent is usually, but not always, required. If the information is non-sensitive, there can be implied consent. If the information gathered is sensitive (such as relating to an individual’s health, race, sex life, religious beliefs or trade union membership) then there must be explicit consent.
3. How long are we retaining data for?
Personal data can only be stored for as long as is necessary. There should be no retention of data ‘just in case’.
4. Are we collecting unnecessary data?
Data should only be collected if necessary. There are PR risks to any company if data is collected and stored unnecessarily.
5. Are we keeping the data secure?
You must have appropriate security measures to protect any data you are storing. Take into consideration the state of the technology you are using, the cost of implementation and the nature of the data and potential harm if a breach occurs.
6. Are we giving the data to third parties?
Are the third parties controllers or processors? In other words, on whose behalf will they use the data? If they are controllers, you will likely need consent for collection. If they are processors, special written contract terms are required.
7. Is the data leaving Europe?
If collected data remains within the European Economic Area (EEA), transfer issues do not arise. If the data is to be transferred outside the EEA, then safeguards are required unless the destination is an approved country, e.g. Canada.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.