The increasing digitization and automation of society leads to a proportional increase in the importance of cybersecurity. The fact that the logistics sector is no exception to the rule was proven last year, when shipping company Maersk and the container terminals of its subsidiary APMT were hacked. As a result of the cyberattack, the container terminals in the port of Rotterdam were inoperative for more than a week.
At the World Economic Forum in Davos, Switzerland, Maersk announced it had to reinstall 4000 new servers, 45,000 computers and 2,500 applications. The total costs were estimated at 300 million dollars, the main cause being the impossibility of accepting new bookings for container carriage.
It is often argued that fully preventing cybercrime and other IT related issues is problematic. The constant need for new functions and updates of software mean that while security vulnerabilities are being fixed, others could easily arise.
Thus, the importance of cybersecurity is here to stay. This means it is meaningful to consider the legal risks and obligations that follow as a result of a cyberattack.
When a company is shut down by a cybercriminal, it may not be able to fulfill its obligations towards its client. This leads to a loss in revenue, but it could also lead to claims for compensation. The claim for compensation is subject to the terms of the contract between the client and the company which failed to fulfill its obligations under said contract.
Usually, the affected company included a provision in the contract stating that providing uninterrupted services cannot be guaranteed. However, this does not exonerate the company from having to make sure its services can be continued as quickly as possible. If the company is able to demonstrate that sufficient efforts have been made to prevent cyberattacks, it is also conceivable that the company can invoke force majeure. Finally, a company can (partially) exonerate damages caused by its failure to fulfill its obligations.
If a cyberattack leads to a data leak, there may be a loss of privacy-sensitive data. Under the Dutch Personal Data Protection Act (PDPA), companies are obligated to immediately report the breach to the Dutch Data Protection Authority. In certain cases the data breach must also be reported to those involved. Victims of a privacy violation may be able to claim compensation, although it may be problematic to estimate the amount of damages it caused.
Furthermore, on 1 October 2017 the Data Processing and Cybersecurity Report Duty Act (DPCRDA) partly came into effect. The DPCRDA covers the tasks of the National Cyber Security Center (NCSC) and provides for its authority to process personal data.
The DPCRDA also provides for a duty to report data breaches. The duty to report applies to organizations where serious digital security breaches could disrupt society. These include the Harbor Master’s Division of the Port of Rotterdam, Royal Schiphol Group N.V., the Dutch Air Traffic Control, Aircraft Fuel Supply B.V. and the Royal Marechaussee. It is possible the list will be expanded in future amendments.
When an organization fails to comply with its duty to report a data breach, it could face high penalties.
The PDPA provides for the possibility of imposing substantial sanctions on a legal entity, but it is also possible to impose them on a director of the company. This is especially the case when it appears that a director has given instructions to ignore the duty to report in order to keep the data breach a secret.
Even if a fine is imposed on the legal entity, the director could be confronted with an internal claim if it turns out that the director was aware of the seriousness of a data breach and he failed to take the appropriate measures.
Cybersecurity has become an important part of society, which explains why legislation has started to catch up with this development. A cyberattack can cause a lot of damage to a company, but the legal consequences including liability claims and sanctions could increase the costs even further.
