
 

In the digital age, cybersecurity has emerged as a critical concern for businesses of all sizes. The growing complexity of cyber threats poses significant risks to corporate data, reputation, and financial stability. This article explores the legal and ethical obligations of corporations in safeguarding sensitive information, the potential consequences of data breaches, and effective strategies for mitigating cybersecurity risks.

What is corporate liability?

Corporate liability refers to the extent to which a company may be held legally liable for the acts and omissions of its business partners and the persons it employs. Liabilities are the obligations incurred by a company. All businesses have liabilities, whether they are debts the company has or will have. They may also be legal liabilities arising from the actions of partners or employees.[1] In Salomon v Salomon & Co[2], the House of Lords held that once a company is registered, it must be treated like any other independent person with its own rights and liabilities. It can accordingly sue and be sued, hold property and transact, incur liability and generally act as though it were a natural person. It has perpetual succession and continues indefinitely notwithstanding changes to the identity of the persons who from time to time compose it.

In the cybersecurity context, corporate liability would include the obligation to protect data and digital systems. Failure to ensure adequate security can lead to legal action under data protection laws or claims of negligence if security breaches harm clients, customers, or partners.

Today, businesses have become highly dependent on technology to manage day-to-day operations. This dependence has exposed them to a growing number of cybersecurity attacks, including hacking, ransomware, phishing, and data breaches. They face unprecedented risks, from supply chain attacks to cloud vulnerabilities. Cyber-attacks now target organizations of all sizes, often causing financial loss, operational disruption, and reputational damage. As businesses increasingly rely on cloud services and IoT devices, vulnerabilities multiply, making it imperative for organizations to adopt robust cybersecurity frameworks.

By taking the necessary steps to mitigate these cyber threats, we will protect our sensitive data and ensure financial security.

 

Legal Framework Governing Corporate Liability

In Ghana, the recognition of the right to privacy regarding the processing of personal data or information stems from the constitutional guarantee of privacy under Article 18(2) of the 1992 Constitution. This provision reinforces the protection of personal information and ensures that an individual’s privacy is respected in the handling of their data.

Companies are required to implement strong cybersecurity measures and ensure that consumer data is adequately protected. Some of the most notable legal frameworks include:

Data Protection Act, 2012 (Act 843): This Act mandates that companies must process personal data fairly and lawfully while implementing appropriate security measures to protect against unauthorized or unlawful processing and accidental loss, destruction, or damage of personal data. Under Section 28 of the Act, data controllers are required to take appropriate technical and organizational measures to safeguard data security. Data processors who handle personal data on behalf of a data controller must comply with the security measures outlined under the Act. They are responsible for ensuring that the data remains confidential and that it is processed with the prior knowledge or authorization of the data controller subject to Section 29. According to Section 31, if there are reasonable grounds to believe that personal data has been accessed or acquired by an unauthorized person, the data controller or any third-party processor must notify the Data Protection Commission and the affected data subjects. The notification must be done as soon as reasonably possible and include sufficient information for the data subjects to take protective measures.[3]

 

Electronic Transactions Act, 2008 (Act 772): This Act regulates electronic communications and transactions, ensuring that companies engage in secure electronic transactions. Section 9 mandates that organizations must use security measures appropriate to the sensitivity of the information being handled. This includes ensuring the confidentiality, integrity, and authenticity of electronic records, which is critical for protecting clients’ data against cyber threats. Service providers are prohibited from divulging the contents of communications stored by their systems unless authorized by law. This section ensures that companies handling electronic data, particularly customer information, must protect it from unauthorized access and use subject to Section 96.[4]

 

Cybersecurity Act, 2020 (Act 1038): This comprehensive legislation establishes the Cybersecurity Authority, which oversees and regulates cybersecurity activities within the country. The Act imposes obligations on companies to report cybersecurity incidents and adopt cybersecurity standards. Section 35 of the Act mandates that companies develop and implement a cybersecurity policy that addresses the protection of critical information infrastructure.

Section 40 emphasizes that unauthorized access to critical information infrastructure is illegal. Companies managing critical information infrastructure must prevent unauthorized access, and failure to do so could lead to corporate liability.[5]

 

National Communications Authority (NCA) Regulations: The NCA issues regulations and guidelines to ensure that telecommunications and ICT service providers implement robust cybersecurity measures. These guidelines often require companies to conduct regular risk assessments, employ encryption technologies, and maintain an incident response plan.

Failure to comply with these legal requirements may result in significant penalties, including fines, imprisonment, and reputational damage. Companies must therefore stay abreast of these legal obligations and continuously enhance their cybersecurity frameworks to mitigate corporate liability in the face of evolving cyber threats.

 

Beyond the Breach: Quantifying the Costs of Cybersecurity Failures

If your computer systems are subjected to unauthorized access or if customer, employee, or partner data is lost, stolen, or otherwise compromised, the costs associated with response and remediation can be substantial. Your business may face potential expenses or be held liable for various reasons, including but not limited to the following:

  • Negligence: If a company fails to implement reasonable cybersecurity measures, it may be found negligent. This includes failing to maintain updated security protocols, not conducting regular audits, or ignoring known vulnerabilities.
  • Breach of Contract: When companies engage in contractual agreements, they often commit to safeguarding sensitive information. A data breach resulting from inadequate cybersecurity measures could result in a breach of contract claim.
  • Regulatory Violations: Failing to comply with industry-specific or regional cybersecurity regulations exposes companies to fines and penalties. For instance, under the General Data Protection Regulation (GDPR), companies must notify authorities of data breaches within 72 hours, and failure to do so results in financial penalties.
  • Shareholder Lawsuits: Corporations may face shareholder lawsuits for failing to disclose cybersecurity vulnerabilities or for not having proper risk management policies in place. Such claims often arise after a breach negatively impacts a company’s stock price or financial performance.
  • Notification expenses: If your business stores customer data, you’re required to notify customers if a data breach has occurred or is even just suspected. This can be quite costly, especially if you have a large number of customers.

 

Case Study in Cybersecurity: Lessons from Notable Breaches

 

The case of the Electricity Company of Ghana (ECG) was seen as a serious threat to the country’s national security. The ransomware attack on the company resulted in a staggering loss of GH₵400 million to GH₵500 million.[6] The attack affected the ECG’s operations, leading to disruptions in power supply and other essential services. It also had a negative impact on businesses, households, and the whole economy. The Bank of Ghana’s Fraud Report reveals a 65.5% increase in cyber email fraud losses, emphasizing the rising tide of cybercrime. Recently, the Africa Centre for Digital Transformation (ACDT) has warned of potential cyber threats to Ghana’s December 7 elections, urging stakeholders to take immediate action to safeguard the electoral process. The ACDT, in a press statement, highlighted the growing risk of cyber-attacks as digital systems become increasingly integral to Ghanaian society, including its electoral processes. The organization emphasized the national importance of addressing these attacks to ensure the integrity and security of the upcoming elections.[7]

 

Strategies for Mitigating Cyber Threats

 

Cybersecurity is a strategic business risk that requires board-level oversight. Corporate governance plays a vital role in ensuring that cybersecurity is integrated into a company’s risk management framework. Failure to do so can lead to significant legal, financial, and reputational damage, as demonstrated in high-profile breaches.

To combat these growing risks, corporations must adopt comprehensive cybersecurity strategies. Boards must take an active role in cybersecurity governance, ensuring that the right strategies, resources, and accountability structures are in place to protect the company’s assets and reputation. These attacks evolve rapidly, and what might be secure today could be vulnerable tomorrow. Companies should continuously monitor their systems for unusual activity and conduct regular risk assessments to stay ahead of emerging threats. Automated tools, such as Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) platforms, can help track and analyze potential risks in real time. Because many successful cyberattacks, such as phishing and social engineering attacks, exploit human error, companies should implement employee training programs aimed at educating staff about potential attacks, how to recognize suspicious activity, and the importance of following security protocols.

 

Conclusion

 

The Ghanaian Cyber Security Authority (CSA) frequently emphasizes the critical importance of strong cybersecurity defenses. As cybercriminals become more sophisticated, they pose a growing threat to individuals, businesses, and government agencies alike. These attacks pose substantial risks to data privacy, financial stability, and national security. To counteract this growing menace, it is imperative for Ghanaians to adopt specific cybersecurity measures, such as implementing multi-factor authentication (MFA) and strong passwords, which can significantly reduce the vulnerability to cyberattacks.

 

 

 

 

 

[1] https://brinenlaw.com/corporate/what-is-corporate-liability/

[2] Salomon v A Salomon and Co Ltd [1897] AC 22

[3] Data Protection Act, 2012 (Act 843)

[4] Electronic Transactions Act, 2008 (Act 772)

[5] Cybersecurity Act, 2020 (Act 1038)

[6] https://www.ecg.com.gh/index.php/fr/media-centre/news-events/ecg-lost-nearly-gh-500-million-due-to-ransomware-attack-managing-director-confirms#:~:text=And%20we%20have%20a%20quantity,period%2C%22%20the%20ECG%20Managing%20Director

 

[7] https://citinewsroom.com/2024/07/ghana-faces-cyberattack-threat-ahead-of-december-elections-acdt/

 

 

BY: NICOLINN ADJOWA KWAW

Disclaimer: This publication is for information purposes only and is not intended to constitute legal advice. If you require information on any matter discussed in this article, kindly reach out to the firm directly.

 

Nartey Law Firm is a leading corporate and commercial law firm in Ghana providing legal services to individuals, domestic and international businesses. Ensuring the success of our clients’ objectives is at the core of what we do. Comprised of a dedicated team of lawyers with extensive experience in corporate, commercial and international law and litigation, we pride ourselves on the diligent execution of all client matters, whilst guaranteeing an uncompromising standard with respect to excellence in service delivery. Some of our focus areas are Real Estate, Trade and Commerce, Banking and Finance, Regulatory Advisory, Capital Markets and Mergers and Acquisitions.

CONTACT:

NARTEY LAW FIRM

TEL: +233 (0)553508582

Email: info@narteylaw.com

 

 
