News – 14.05.2021

It is important to be prepared for cyber threats

Main contact

Turo Sumu

Counsel, Attorney at Law, Trained on the Bench

+358 40 5089 008

Cyber threats, such as data breaches and DoS (Denial of Service) attacks, are becoming more frequent and involve a myriad of legal issues for which companies should be prepared well in advance. Attorney Turo Sumu responds to five questions about cyber threats.

Why should a company also engage a lawyer for preparation against cyber threats?

Various cyber threats are becoming globally more frequent, also in Finland. For example, data breaches may give rise to claims for damages and other liabilities, damage to reputation, and may even compromise all the business of a company. Aside from all the technical and other ways of preparation, the legal aspects should be borne in mind. Preparation for cyber threats forms part of diligent organisation of a company’s business.

The preparation for cyber threats, as well as investigations after the event, involves several legal issues, which usually require knowledge of, for example, data privacy and questions related to liability for damages. It is vital to reflect on these issues before it's too late.

What sort of issues can a lawyer assess during the preparation phase?

We can help identify risks and with risk management, for example in relation to the company’s contracts and codes of conduct. Such preparation may turn out to be surprisingly valuable to a company. On the other hand, it is important to understand that, for example, contractual limitations of liability also have their own restrictions, for example in relation to mandatory law.

What sort of contractual challenges may arise during assessments?

Obligations and liabilities in the processing of personal data are one aspect. This is a regulated area, which presents procedural obligations and possibly notable liabilities.

In addition, there can be a situation where a company’s contracts contain a type of “liability trap”. This might occur for example in a situation where a sub-contractor of company A is faced with a cyber threat causing delays in the sub-contractor’s performance and thereby causing problems in company A’s deliveries to its customers. Company A’s liability to its customer might amount to EUR 1 000 000, but the liability of the sub-contractor might be limited to EUR 10 000. In this case, the liabilities are manifestly imbalanced and company A might face a liability of EUR 990 000, which cannot be “passed on” to the sub-contractor.

Why is it necessary to have knowledge of different areas of law in these situations?

Liability issues concerning cyber threats can be complex. These events may affect the continuity of a company’s contractual relations, damages might occur to the counterparty of a contract and to third parties, the issue might concern the liability of the management, criminal liability and so forth. On the other hand, cyber threats can surface in problems in the target company after an M&A transaction.

Further, there may be disagreements regarding insurance policies, such as cyber insurance policies – what is covered under the insurance and what is not. In this case, knowledge of insurance law is paramount.

It is important that the case is dealt with, depending on the particularities of the case, by experts well suited and equipped to deal with the case.

Logistics often surfaces in these discussions. Why?

Digitalisation has increased in the area of logistics. Supply chains are often carefully configured and schedules are tight. If a cyber threat poses a problem on the logistics chain, significant damages might occur.

These are not just theoretical threats, but there has been public coverage of cases that have caused significant damage.

An interesting addition to liability issues and cyber security in the logistics industry are remote-controlled, self-steered and other autonomous vessels and vehicles, which in all likelihood will become more and more common.

Three points:
  • Cyber threats are increasing fast and cause even greater liabilities
  • Identify the legal risks of cyber threats and plan the management of cyber threats well in advance
  • If a crisis emerges, engage a professional to help manage the situation at as early a stage as possible