This article briefly examines what businesses can and should do to prevent cyberattacks, sufficiently limit the damage such attacks cause, and ensure GDPR compliance.
The pandemic has caused businesses to operate even more digitally, and the number and cost of cyberattacks have increased rapidly, bringing businesses serious damage of all kinds. Businesses should take the necessary steps before, during, and after cyberattacks to prevent such attacks and to sufficiently limit the damage.
What is a cyber-attack?
A cyber attack is an attack initiated by a cybercriminal from a computer against a computer system or an individual computer that compromises the confidentiality, integrity, or availability of the computer or the information stored on it. Cyber attacks can take many forms, such as data theft, attempting to gain unauthorized access to a computer system or its data, installation of a virus or malicious code, or taking down websites.
The response to a cyber attack will depend on the type of attack. However, preventive measures as well as response actions can be taken to minimise the damage of a cyber attack.
What actions can be taken pre-cyber-attack?
Businesses can take different preventative actions to try to prevent a cyber security incident from occurring. Such actions may include consulting specialist lawyers and cybersecurity companies for cybersecurity health checks, digital risk assessments, and antivirus software.
Additionally, businesses should work with these entities to develop detailed incident response plans that set out the procedures to be followed in the event of a cyberattack which may lead to data breaches. Employees should be trained and re-trained regularly to ensure that these procedures are understood and implemented effectively.
Businesses could also consider purchasing specific cyber insurance policies. Some businesses have opted for purchasing general liability insurance to cover property that could be damaged in cyberattacks. The issue with this is that these policies might include broad exclusionary clauses, which give insurance companies leverage in disputing cover for property damaged by cyberattacks. Specific cyber insurance policies offer more certainty. Given that the cyber insurance market remains more of an emerging market than a developed one, businesses should receive assistance from lawyers in negotiating and understanding cyber insurance policies to ensure that sufficient coverage is achieved.
What actions can be taken during a cyber-attack?
Not all cyber security incidents can be prevented. In the event of a cyber attack, businesses should be alert to, or be alerted by their lawyers to, their notification obligations under the GDPR in case security is breached and confidential business and personal data are compromised.
It should be noted here that the definition of a personal data breach under the GDPR is quite wide in scope, and even a mere alteration of data is considered to be a data breach.
Notification obligations under the GDPR include notification of the data breach to the supervisory authority and to data subjects.
Businesses could also enlist the help of law firms in the event of a ransomware attack. Law firms could assist in the negotiation of the ransom amount and the stipulations accompanying it. Several law firms work together with cybersecurity companies to offer a 24/7 service to ensure damage control and legal protection throughout the attack.
What actions can be taken post-cyberattack?
Law firms play a pivotal role post-cyberattack, as an affected business may be on the receiving end of third-party claims. It is not unusual to have people filing charges against a business that has lost or altered their sensitive information. Law firms also play a role in helping businesses go through the process of regulatory investigations by EU authorities. This is important to ensure that relevant information is disclosed but market-sensitive information does not leak to the public.
Cyber insurance policies will also be able to cover such legal costs as well as compensation in the event of a settlement.
It is important for businesses to take appropriate measures and actions in an increasingly digitalised world to protect themselves from cyber attacks. It is clear that law firms play a pivotal role at all stages of a cyber attack and enlisting a cyber risk and data protection law firm would provide great assurance for businesses.
ProWriters, ‘Does a Commercial General Liability Policy Cover Cyber?’ <https://prowritersins.com/cyber-insurance-blog/cgl-policy/> Accessed 7 July 2021
Robert D. Chesler, Christina Yousef, ‘Insurance Disputes over Cyber Claims’ <https://coverage.memberclicks.net/assets/CommitteePagesSelectedPapers/accec_cyber_insurancedisputesovercyberclaims-currentandfutureflashpoints_chesleryousef.pdf>
Articles 33(1) and 34(1) of GDPR.