What the M&S and Co-op cyberattacks mean for your business and legal obligations

28 May 2025


Some weeks on from the headline-grabbing news of cyberattacks on M&S and the Co-op, anyone who still believed that cybersecurity is a purely technical risk would only have needed to wander into a Co-op store and gaze along its empty shelves, or try to order something online from M&S, to find their view altered.

These recent events underscore that cybersecurity is a critical business, legal, and regulatory issue, and the experiences of these retailers show how the legal risks that come with holding sensitive data translate directly into operational disruption.

M&S faced customer data leaks and was forced to suspend online customer ordering, a valuable part of its service offer, which is still weeks away from being up and running again.

The Co-op, with its vast network of stores, closed its systems to prevent further cybersecurity attacks, impacting supply chain delivery, stock control, and employee working arrangements.

The experiences of both retailers highlight the need for robust cybersecurity measures within operational and legal frameworks to protect businesses from the shock of a cyber incident. And both illustrate the impact cybersecurity breaches can have on customer service, confidence and trust in a brand.

And, of course, it's not just larger companies that are at risk. Small and medium-sized enterprises are vulnerable to cyber threats, but often have fewer resources to mitigate the risks.

Cybersecurity failings can create severe issues both financially and reputationally, and these carry significant legal consequences. Key areas of focus for businesses include:

What are your GDPR obligations after a cyberattack?

The UK General Data Protection Regulation (GDPR) requires any organisation handling personal data, whatever its size, to put in place appropriate technical and organisational security measures. Where a breach of personal data is likely to put individuals at risk, it must be reported to the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it; where the risk to individuals is high, those individuals must also be told. SMEs operating digitally should therefore implement robust security protocols and keep records that let them meet these deadlines, as failure to do so can lead to hefty fines and legal liabilities.

Who is liable when a cyber breach involves a third party?

SMEs often outsource IT services or rely on third-party vendors for data management. If a cybersecurity incident originates with a third party, working out who must do what to resolve the situation, and who bears the liability, can be complex. Under the UK GDPR the business that decides how and why personal data is used (the controller) remains responsible to regulators and data subjects even when the breach occurs at its supplier (the processor), and the regulation requires that relationship to be governed by a written contract setting out the processor's security and breach-notification duties.

Supply chain management and incident planning, often described together as business continuity or disaster recovery planning, are the minimum benchmarks for SMEs to adopt. Contracts should clearly define each party's responsibilities and liabilities in the event of a cyber incident, including how quickly a supplier must notify you of a breach, and it is always useful to walk through the plans in a tabletop exercise to see how they would work in practice.

How can businesses protect against IP theft and cybercrime?

Cybersecurity breaches can expose sensitive business information and trade secrets in an organisation of any size. SMEs should protect proprietary information through technical controls such as encryption and access restriction, backed by legal safeguards such as confidentiality clauses and non-disclosure agreements with staff and suppliers.

What are the legal risks of financial fraud and transaction security failures?

SMEs engaged in e-commerce are vulnerable to fraud. Legal liabilities arise where there is a failure to safeguard consumer financial data, and businesses that accept card payments are also bound by the contractual security requirements of the card schemes (PCI DSS). Learning from the incidents at large retailers, and implementing secure payment processing systems and legal frameworks that reduce the risk of fraud claims, is essential.

How can legal and professional support help businesses manage cyber risk?

While cybersecurity, and the measures needed to maintain it, should be part of every business's management agenda and its regular reporting schedule, independent verification from professional advisers can play a key role in helping SMEs gauge how persistent and adaptive cybersecurity threats are.

Legal risk experts can provide strategic and practical support and guidance on GDPR and other cybersecurity regulations, ensuring firms meet compliance requirements, avoid penalties, and have in place a working governance, risk, and compliance framework that embeds cybersecurity into a company's operations.

Legal support can also help develop training and legal awareness around both inadvertent and deliberate causes of security breaches. In the event of a cyber breach, legal support can help manage incident response and crisis management, regulatory reporting, and potential lawsuits.

The scale of what is required to achieve cybersecurity and operational resilience might appear daunting for smaller businesses, but the good news is that professional support and advice are available. And the return on that investment should prove to be invaluable.

This information is for guidance purposes only and does not constitute legal advice. We recommend you seek legal advice before acting on any information given.
