During 2014, it became clear that the safest place for your information is in the analog world – digital means public. You don’t have to be a geek to read the news: the Heartbleed bug was named ‘the worst vulnerability since commercial traffic began to flow on the internet’ when it led to the leak of private celebrity photos and the personal details of 50,000 Sony employees. It also illustrated how cybersecurity and personal data protection are linked.

Since no one wants to go back to the era of typewriters and tracing paper, the remaining option is to put some thought into cyber security.

Hacktivism and other cybersecurity threats are already a profitable business and an important political tool. Hackers are no longer just shady online groups, but include states and corporations. For example, during the Crimean conflict, large denial of service attacks were targeted at Ukrainian officials.

Furthermore, the Sony attack was claimed to be a North Korean attempt to cancel an upcoming film about the country’s leader. Seemingly harmless attacks will become more common and may be used to ultimately gain access to another, more crucial site.

Together with new goals, the use of breached data has evolved too. The aim is no longer to just obtain information, though this clearly is still an important motive, but to use the breach to extort the data controller or even destroy the data in the end. ‘We don’t have anything interesting’ cannot, thus, be used as an excuse for poor cybersecurity. The data itself is valuable.

New Data Protection Obligations, Laws and Restrictions

Besides new threats, we also have new obligations. Currently, there are two clearly intersecting trends in the field of cyber security law. On the one hand, data protection and privacy laws are tightening, and companies are being made more and more responsible for their employees’ and clients’ information. On the other hand, governments are willing to increase their intelligence powers online.

The tightening of privacy requirements can also be seen in Finland, where the new Information Society Code came into force on 1 January 2015. It extends data protection responsibilities to all operators that convey communication, including international service providers in Finland.

Apart from somewhat pioneering European countries, countries like Russia and the US have also introduced new regulation to protect the privacy of their citizens. In Russia, the Federal Law on Personal Data was amended to restrict the use of foreign servers for processing personal data of Russians and to facilitate supervision by the Russian data protection authority. In the US, President Obama has addressed cyber security and privacy protection in his State of the Union speech in January and is expected to unveil new data protection plans within the year.

In the meantime, the same states expressing concern for their citizens’ right to privacy are equally worried about their own limited intelligence capacities on the Internet. The NSA’s espionage programme famously revealed by Edward Snowden in 2013 was explained as a security measure against terrorism. In Finland, the year started with a heated discussion about a government working group on online security that recommended expanding the espionage capacities abroad.

Cybersecurity Should Be Part of Every Company’s Risk Management

How should companies react to these trends? By now, cybersecurity should already be part of general risk management. It is not something the IT guys can handle alone! Traditionally cyber-risk management has concentrated on preventing attacks. This is still important, but it needs to be combined with plans on how to react to and recover from cyber-attacks. It’s not if, it’s when.

Risk assessment and prevention require the participation of both information and technical security providers in order to define and protect the most valuable assets of the company. However, this requires that the company already knows its IT systems and the purposes that they are (or are intended to be) used for – otherwise negotiating comprehensive contracts becomes impossible.

In conclusion, cybersecurity will continue going mainstream in 2015 in both the private and public sectors. By now, every company should have a cyber-resilience plan ready not just for preventing attacks, but also for reacting to and recovering from them.

Together with direct cybersecurity challenges, government action should also be carefully monitored both in terms of tightening data protection requirements and states’ own actions online. Going offline is not a viable option any more, but going online shouldn’t be done lightly either.

Want to discuss the issues further?

Contact: Jaakko Lindgren at Castrén & Snellman Attorneys Ltd.

Issues like this and many more are discussed at Amcham Legal Committee meetings.

For more information on times and venues, please contact Matthew Wood at Amcham Finland.