In this article, Daniek Regterschot answers the question: who can be held liable for damages caused by security breaches? She also provides 5 tips for preventing cybercrime within your company.
Date: Oct. 25, 2023
Modified February 08, 2024
Written by: Daniek Regterschot
Reading time: +/- 2 minutes
The month of October is nationally dedicated to (the importance of) cybersecurity. At a time when virtually all information and data is exchanged digitally, the risk of its misuse has also increased enormously. Failing systems, attacks by viruses or phishing, but also direct hacks occur daily. Cybercrime has also had its effects on the manufacturing industry in recent years.
In the spring of 2021, for example, there was no cheese on the shelves at Albert Heijn due to a hack at the supplier. More recently, the deposit machines in many supermarkets were down due to a hack at the operator of these machines. Although this mainly causes a lot of inconvenience for the retailer, it can also lead to liability of the supplier, for example in connection with lost profits on the vendor's side.
We previously discussed in this blog that an IT vendor can be held liable for a ransomware attack. That, however, does not mean that you are off the hook yourself.
In principle, every company is responsible for its own IT systems and therefore also for their security and backups. For example, the Overijssel District Court recently ruled that not the IT supplier engaged by the municipality, but the municipality itself, was responsible for the damage suffered.
Whether the responsibility for protecting your IT systems lies with your company or with your IT supplier depends on the agreements made and on what the parties were entitled to expect from each other in this regard. If an IT supplier is engaged, it is important that the agreements made are clear. For example, the clause "The IT supplier is responsible for the backups to be made" may be too vague. So additionally record who takes care of security, who makes the backups, and how liability is arranged if things do go wrong.
Based on case law, the IT supplier has a special duty of care, in connection with its expertise. The degree of expertise of the customer plays a role in how far this special duty of care extends. Also important is the extent to which the supplier is involved in setting up the system. The greater the role of the IT supplier, the more can be expected of it in this respect.
In the context of cybersecurity, it is especially important for the IT supplier to explicitly and repeatedly warn the customer of risks. This warning obligation applies not only when a risk materializes, but also from the beginning of and throughout the parties' cooperation if the project involves major risks.
Inadequate cybersecurity can have far-reaching consequences, from financial losses to reputational damage and security risks. Prevention is therefore better than cure.
Here are 5 practical tips that will help you avoid being held liable or, conversely, being left with the damage yourself.
Handling data remains human work, and a click on a wrong link is an easy mistake to make. That's why it's important to (regularly) alert your employees to data security. Make sure they use strong passwords and two-factor authentication (2FA), and help them recognize phishing.
In addition, it is good to work with protocols and internal policies. If things do go wrong, your employees will know exactly what steps to take.
If you are not working with an IT vendor with whom you have clear agreements, make sure your cybersecurity is set up properly yourself. For example, use antivirus software and e-mail security.
Make sure the system is updated (automatically) and also make regular backups of the (most important) files yourself, so that you can store them externally.
In addition, establish an (offline) call list so that even during a cyber incident you can reach the parties you depend on or who can help you further.
As indicated earlier, making clear agreements is very important: who is responsible for what, and how is that responsibility fulfilled? If you do not make (clear) agreements about this, then in principle your company bears the risk, and therefore the liability, itself.
Liability is often limited contractually, either in the agreement itself or through general terms and conditions. Before entering into the agreement, it is important to assess whether this limitation of the IT supplier's liability is acceptable to your company.
A cybersecurity grant is available for companies with up to 50 employees and annual sales of at least €10 million. This allows you to purchase resources that will better protect the company against digital incidents. The available budget is distributed on a first-come, first-served basis.
Check the status and availability of this grant through this page.
Do you have questions about cybersecurity in a concluded or pending IT contract, or would you like advice on your position in case of a cyber breach? Then contact one of our attorneys specialized in cybersecurity; they will be happy to help you!
As attorneys for business owners, we understand the importance of staying ahead. Together with us, you will have all the opportunities and risks in sight. Feel free to contact us for personalized information about our services.