
Legal Liabilities Derived from Cybercrime

 

Have you ever checked your bank statements and found transactions that you do not recognize? Recently in Guatemala, a woman reported that, upon checking her online bank account, she found that she had lost more than Q100,000 (US$12,800) in less than an hour. With only six transactions, a suspected criminal group managed to empty her bank account.

Cybercrime like this has affected not only the personal finances of its victims, but also those of businesses, government entities and international organizations, among others. Within two days, cybercriminals managed to access a company's bank account and made more than 30 transactions. The organization lost Q3.6 million (US$461,000).

 

A Global Trend

Cybercrime happens when electronic devices are used to commit illegal acts. It has increased in Guatemala in the last year. In 2023 alone, the Superintendency of Banks (SIB) revealed that reported scams amounted to Q319.52 million (US$40.9 million). The authorities claim that a transnational criminal network is behind these acts.

However, the goal of cybercrime is not always to obtain money. In some cases, it is to sequester high-value information and then sell it, extort money from the company and/or users or use that information for their own purposes.

The technology firm IBM published a report with projections of costs arising from these acts. They reported that, in Latin America, the average cost of a data breach amounted to US$2.46 million in 2023. These losses come from the paralysis of the organization's activities, as well as expenses in the recovery of the system.

Your organization can be affected by cybercrime because it lacks cybersecurity measures, because its security measures are weak, or because a person within the company makes a mistake or is complicit in an attack that violates the system. Therefore, it is important to foresee risk scenarios by identifying the liabilities that your organization may have to different stakeholders.

 

Legal Responsibilities and Cybersecurity

When a company becomes a victim of a cybercrime in which sensitive information is extracted, or in which it suffers monetary losses, it must consider the responsibilities it has towards its stakeholders. Stakeholders are the persons or entities that may be affected by the company's activities. They include shareholders, customers, employees, suppliers and regulators, among others.

The legal consequences of losing confidential information due to a cyberattack may vary depending on the stakeholder concerned, the jurisdiction in which it is located and the specific circumstances of the incident. The following sections describe some liabilities and suggestions for mitigating risks:

Description

If the organization had contractual agreements with third parties that required the protection of certain confidential information, it could face legal action for breach of contract if those obligations are not met.

Mitigation

In your contracts you can establish certain cybersecurity protocols and define which cyber-attack scenarios will be considered "force majeure". The purpose is that your organization is protected in case it suffers an attack, despite having taken all possible measures.

Description

If the lost information includes intellectual property such as trade secrets, patents, or copyrights, there could be IP violations that could result in civil or criminal claims for damages.

Mitigation

In addition to the recommendation above, you should file a complaint at the Attorney General's Office IP Unit, as well as monitor counterfeits in the market and report them. Recently, new cyber liability insurance policies have emerged that can help you mitigate potential costs.

Description

Individuals affected by the loss of confidential information could file civil or criminal lawsuits for damages, alleging that the organization or individual was negligent in protecting their data.

Mitigation

It is advisable to communicate with people whose personal information has been breached and extend recommendations to protect themselves. For example, if their financial information is involved, you can recommend that they get a new credit card and change their passwords.

Description

The offender could commit crimes such as destruction of computer records, alteration of programs, manipulation of information, among others. In addition, it is possible that the Attorney General's Office may investigate and file criminal charges against individuals or the organization if negligence or intentional misconduct is deemed to have occurred.

Mitigation

We recommend that you have an internal cybersecurity protocol or regulation that includes staff training, licensing of any software purchased and any other relevant information. The goal is to mitigate potential incidents, as well as to demonstrate in the event of one that your organization has not been negligent.

Description

If a shareholder considers that there was negligence in the protection of their information or the value of their shares, they could take both civil and criminal action.

Mitigation

In addition to being transparent, it is advisable to have protocols for responding to cyber-attacks, as well as to prepare reports detailing how these protocols have mitigated costs.

These recommendations are general and do not include specific requirements that regulated industries might have, such as finance, health services, insurance, professional services (especially legal), among others. In these industries, the law includes more specific provisions on the safeguarding of information.

For more information on how to protect your operations, please contact us.
