With this growing concern, there is often a demand for governments to step in and legislate to reduce the increased risks. In the case of Fiat Chrysler, there have been calls in the US for legislation to impose standards for vehicle security.
Whether such legislation will have any viable effect is not the subject of this article. However, the legal ramifications are very much the focus here. If preventative measures do not work – then the business and general community will look to remedies of compensation and punishment.
It helps to be clear on the sorts of predicaments we are talking about here. There are two broad areas to consider. The first is where an organisation has its own systems and does not rely on any third parties. In such situations, the company has no third party to look to for being at fault where a security breach occurs and a loss is suffered.
In that scenario (and indeed in the second scenario as well), what may be a major issue is the responsibility of the directors and corporate managers. Under Australian corporate law, directors and managers must exercise “care and diligence” in carrying out their duties – when the stakes get high, the proper discharge of this responsibility may be called into question if the company’s IT systems are breached and there is a major loss.
The second broad area to look at is where a company relies on third parties for some or all of its IT and security systems or IT services. There are so many possible combinations of own resources and/or systems, and third party suppliers, it is not possible to list even a substantial number.
Let us look at just one as a typical example. A company owns much of, but not all the hardware that comprises its entire IT system. It has licences of various third party software on this hardware, and that software manages the majority of (but not all of) the data the company generates and collects.
The company also has a managed services provider who oversees and controls the majority of the system, and it has a cloud provider.
The company’s business includes the gathering and creation of high value data, whether it be financial, personal or some other combinations. What happens if a major security breach of its systems occurs and large scale losses are suffered by it and its clients? In such a situation, a great deal of time and money may be spent trying to isolate who, if anyone, was at fault, and how fault might be apportioned.
I am confident that more and more, certain key areas of law will come under pressure to embrace technological advances, and failures. In the scenario I have suggested, the first two areas of law that come to mind are contract law and the law of tort. The latter is a body of the common law that is built on duties of care.
Sign up for CIO Asia eNewsletters.