Pérez-Llorca held its first “Pérez-Llorca Compliance Update” session, a biannual discussion forum where lawyers from the White Collar Crime and Investigations practice discuss current compliance issues.
Juan Palomino and Ángela Uría, partner and associate respectively in that practice, took part in the event together with Andrea Sánchez, associate in the Intellectual Property and Technology Law practice. The speakers explained the practical importance of companies having first-response protocols in place for cyberattacks, which target businesses with increasing frequency.
Palomino and Uría explained that having such protocols in place matters because they limit the damage a company suffers and the liabilities it incurs after a cyberattack, from both a criminal and a civil law perspective. They also stressed that these protocols must be simple, understandable and easy to put into practice.
The speakers also noted which kinds of cyberattacks are currently the most frequent. Prime examples are ransomware attacks (“computer kidnappings”), in which attackers block the use of a company’s computer systems and demand a ransom to unblock them, and “CEO fraud” attacks, in which attackers impersonate a senior executive or other trusted party in order to prompt money transfers to bank accounts they control. They also explained the various legal implications for companies affected by cyberattacks.
Lastly, Juan Palomino and Ángela Uría discussed the benefits of companies setting up internal crisis committees responsible for ensuring that the protocol is established and followed. They then listed the essential requirements for such committees, such as the allocation of decision-making powers and multidisciplinary membership.
On the subject of cyberattacks, Andrea Sánchez, an expert in data protection, noted the importance of identifying security breaches that may have affected personal data. She explained the situations in which companies must notify the Spanish Data Protection Agency (AEPD) of such breaches and the information the notification must contain. She also discussed the obligation to notify the affected data subjects in these situations, and the exceptions that apply in each case.
The speakers closed the session by listing the measures companies should take in the first few hours after a cyberattack, as well as medium-term measures such as carrying out an internal investigation and updating and improving internal procedures.