In the face of heightened public alert and greater focus on cybersecurity, the government is beginning to introduce more regulations to address gaps in New Zealand’s privacy laws. Organisations need to ensure they are aware of the legal considerations that come with being digitally connected.

Traditionally, smaller businesses believe they are not a target for cybercriminals. However, this attitude puts them at greater risk of attacks as well as liability under commercial law. Cybercriminals focus not on the size of a company but rather on the data it houses.

Could a company be held liable for a cyberattack under commercial law?

What is a cyberattack?

The word circulates in the media and tends to generate fear whenever it is mentioned. However, it is important to understand that cyberattacks are better understood as a category that encompasses a number of different activities.

Generally, it is understood as an assault against a computer or system, which intends to compromise its integrity, accessibility and confidentiality. This can include remote attacks on a business’s IT system, such as what happened at Sony or Ashley Madison.

Additionally, malware is malicious software that can be used in cyberattacks to accomplish a range of objectives. Ransomware, for example, locks a computer and demands money in exchange for access to the computer or computer system. According to Radio New Zealand, close to 108 cybercrime attacks happen every day around the country, with many of these stemming from malware and ransomware.

Another example of a cyberattack is the Denial of Service (DoS or DDoS) attack. This attack denies access to a network, interrupting services and overloading it through the use of bot computers, or computers that have been infected by malware.

What assets do you need to protect?

Attaining access to data is the main objective of cybercriminals. Yet, some forms of data are more attractive to hackers than others. And because businesses tend to differ markedly in their operations, pinpointing the assets you need to protect can be difficult.

However, there are several key categories that people look to. They include:

  • Customer databases
  • Financial information
  • Sensitive personal data
  • Intellectual property
  • IT equipment
  • IT services

A cyberattack can lead to liability.

What are the implications of a cyberattack?

A company that is affected by a cyberattack can be impacted in a number of ways. One of the major effects is the financial loss that stems from criminals accessing bank accounts. It can also cost a fair amount to clean up after an attack as the system impacted can be nonfunctional and need specialist care.

Alongside financial loss, companies can lose respect or suffer damage to their reputation. In response, organisations will need to convince customers, suppliers and employees that the incident was a one-off and not indicative of the company’s lack of control.

One of the less understood problems that stem from a cyberattack is its effect on liability. A company is liable under contracts if delivery of products is derailed or if private data is stolen or taken away.

Some contracts have clauses that may exclude cyberattacks.

What can I do to avoid these problems?

While an IT specialist can help you to avoid or mitigate cyberattacks, under New Zealand law, obligations stemming from commercial contracts are not easily avoided. As such, you could also complete a health check of your contractual commitments with a qualified and experienced lawyer.

An analysis should be completed of your liability, including failure to deliver goods and services on time in the event of a cyberattack. You should ask if there are the required limitations in place to ensure you are not negatively affected.

You could also look into how disruption is defined in your contracts. Traditionally, it will not include cyberattacks and businesses could be held liable as a result.

The best way to ensure you are not found liable as a result of a cyberattack is to talk to an expert in commercial law. If you are unsure about how your contracts deal with cyberattacks, talk to the experts today.