Santander Hacking Attempt
13th September 2013
It has been reported today that 12 men have been arrested over what the Metropolitan Police have described as a “very significant and audacious cyber-enabled offence,” which, if not thwarted, may have resulted in multi-million pound losses for Santander.
The incident has been reported as involving an IT device being fitted to a computer within a branch of Santander, intended to provide remote access to data on certain of the bank’s IT systems. Fortunately, Santander has reported that no money was at risk due to the robustness of the bank’s systems.
The circumstances, although relating to criminal offences, also serve as a timely reminder about contractual issues and safeguards, for both IT service providers and IT customers, particularly those operating in regulated fields, such as Financial Services.
Jagvinder Kang, co-founder and Director with leading IT law firm, Technology Law Alliance, comments that: “Any form of successful hacking is likely to result in unauthorised data access, data loss and even possibly data corruption. We have come across certain financial institutions, particularly certain Stock Market listed companies, which in their pursuit to stress the importance of data protection, have engaged in overly ‘robust’ IT and outsourcing contracts, which unfortunately are intended to have a draconian effect for IT service providers through inappropriate financial liabilities, rather than embracing pragmatic arrangements, with appropriate risk and reward apportionment in the contract.”
Kang continues by highlighting some of his concerns for IT service providers in such contracts, imposed under the guise of ‘data protection,’ as being:
- Wide ranging contractual remedies being sought by certain financial institutions for any security issues or data losses, without appropriate contractual qualifications;
- Open ended or unlimited liability being sought to be imposed for a wide range of circumstances and losses, including for reputation or goodwill damage, and in some circumstances even Stock Market associated losses;
- Wide ranging security assurances beyond what would reasonably be in the remit of the IT service provider;
- Taking away common safeguards for IT service providers, in respect of events which are beyond the reasonable control of the IT service provider.
Kang advocates a more pragmatic and co-operative approach to be adopted between IT customers and IT service providers, where the IT customer should:
- Take responsibility for working with the IT service provider to identify particular security safeguards which are required, especially if the IT customer is operating in a regulated industry sector, or if the IT customer is a ‘sophisticated’ client with in-house expertise of security requirements;
- Ensure that there are internal safeguards to guard against security breaches, rather than relying solely upon the IT service provider, and ensure that regular internal (and where appropriate, external) audits are undertaken to provide practical assurances and identify any security risks which need to be addressed;
- Distinguish between genuine ‘fault’ on the part of the IT service provider, such as dishonesty of an IT service provider’s staff or a lack of reasonable skill and care by the IT service provider, and external factors, such as ‘hacking,’ which can be guarded against to some extent but clearly cannot be 100% eliminated;
- Ensure that there are appropriate internal and external business continuity and disaster recovery measures in place;
- Ensure that there is a collaborative process which allows for timely addressing of security breaches – with the customer acknowledging that certain of these IT service provider activities might need to be additionally paid for.
Kang comments that: “When situations involving ‘hacking’ occur, one of the priorities must be to understand and address the security exposure. An IT customer may have sufficient internal IT resource to deal with this itself, but quite often, there is expertise available from an external IT service provider which can provide genuine benefits. If there is a collaborative arrangement, and one where the contract is drafted in such a manner from the outset, then clearly it means that both parties can quickly move to address issues.”
Kang concludes by saying, “Where I have negotiated against an IT customer’s procurement or legal team which is adopting an overly robust and impractical approach, I have recommended to the respective IT service provider, that the matter be escalated to the respective IT customer’s business team, to determine whether an impasse is a genuine ‘showstopper’ for the customer, or whether alternative approaches, which are more aligned with industry practice, can provide the requisite comfort. The contract at the end of the day is intended to allow two parties to enter into a business arrangement, and therefore procurement teams and legal teams must not divorce this requirement from the day to day negotiations – whether under the guise of ‘data protection’ or otherwise.”