Cyber litigation: Business protection, third party claims and recoveries
by Carlyn Weale
Cyber-attacks against businesses worldwide show no signs of abating. According to figures recently published by the UK Government Department for Science, Innovation and Technology, in the UK alone, just over four in ten businesses (43%) reported having experienced a cyber security breach or attack in the last 12 months. The real figure is likely to be significantly higher.
Business protection and risk management
While large-scale ransomware attacks on national retailers and multi-national corporations make the headlines, businesses of all sizes are vulnerable to attack unless they take adequate steps to protect themselves. It is critical for businesses to have a structured risk management strategy in place to mitigate the damage caused by a cyber-attack.
Risk management should focus on prevention, detection, response, recovery, and the legal framework underpinning these areas. Clearly drafted contracts, robust dispute resolution clauses, warranties and indemnities, alongside cyber insurance policies, can provide a business with options to pursue claims in damages against third parties in the event of a cyber breach.
Third party claims following a cyber-attack
Often, cyber-attacks are carried out by professional threat actors who are impossible to trace. Consequently, it is very difficult to pursue any kind of compensatory remedy against such parties. While a business may have a cyber insurance policy in place, there is no guarantee the policy will provide coverage for losses incurred as a result of deficiencies in the business’s supply chain or from services provided to it by third parties.
Where the breach or failure can be attributed to a third party, which can be established by employing specialist cyber-security firms, it might be possible to pursue a claim against that third party. This may be pursuant to the terms of a contract, or other legal avenues such as in cases of negligence, misrepresentation, or breach of confidentiality.
For example, a claim for breach of contract might arise due to the failure of the third party to meet agreed cybersecurity terms, warranties, or service level agreements. Alternatively, failure by a third party supplier to exercise reasonable care in handling or securing data systems could result in a successful negligence claim against it.
Remedies against third party suppliers
Ultimately, while never a guaranteed route to the recovery of what are likely to be substantial losses, a business is more likely to recoup some or all of its losses by pursuing a claim against a third party supplier, where it can be shown that the third party was at fault, than against an unknown threat actor. Alternative remedies, such as rescission, might also be available to the business where the very premise of the contract is flawed – for example, where it transpires the third party misrepresented its security capabilities or compliance status.
Carlyn Weale, Partner, Commercial Dispute Resolution at Ward Hadaway, is an experienced commercial litigator and an astute tactician, described by the UK Legal 500 as a “superb litigator”. Carlyn has many years of cyber litigation experience, including third party recoveries following cyber-attacks and loss of funds.