King & Wood Mallesons: International Comparative Legal Guide: Cybersecurity Laws and Regulations 2023 (English version, 11 pages) (PDF)

编号:114762  PDF   DOCX 11页 787.81KB 下载积分:VIP专享
下载报告请您先登录!

金杜律师事务所:国际比较法律指南:2023年网络安全法律法规报告(英文版)(11页).pdf

Cybersecurity 2023
Practical cross-border insights into cybersecurity
Sixth Edition
Contributing Editor: Edward R. McNicholas, Ropes & Gray LLP

Table of Contents

Expert Analysis Chapters

1 Why AI is the Future of Cybersecurity: Akira Matsuda, Iwata Godo

Q&A Chapters

5 Australia: Nyman Gibson Miralis: Dennis Miralis, Phillip Gibson & Jasmina Ceic
13 Belgium: Sirius Legal: Roeland Lembrechts & Bart Van den Brande
21 Canada: Baker McKenzie: Theo Ling, Conrad Flaczyk, Ahmed Shafey & John Pirie
32 China: King & Wood Mallesons: Susan Ning & Han Wu
43 England & Wales: Ropes & Gray LLP: Rohan Massey, Edward Machin & Robyn Annetts
53 France: BERSAY: Frédéric Lecomte
60 Germany: Eversheds Sutherland: Dr. Alexander Niethammer, Dr. David Rieks, Stefan Saerbeck & Isabella Norbu
68 Greece: Nikolinakos & Partners Law Firm: Dr. Nikos Th. Nikolinakos, Dina Th. Kouvelou & Alexis N. Spyropoulos
79 India: Subramaniam & Associates (SNA): Aditi Subramaniam
87 Ireland: Maples Group: Claire Morrissey & Brian Clarke
95 Italy: Paradigma Law & Strategy: Chiara Bianchi
103 Japan: Mori Hamada & Matsumoto: Hiromi Hayashi, Masaki Yukawa & Daisuke Tsuta
113 Mexico: Creel, García-Cuéllar, Aiza y Enríquez, S.C.: Gaby Finkel Singer & Dafne Méndez Pérez
119 Norway: CMS Kluge: Stian Hultin Oddbjørnsen, Ove André Vanebo, Iver Jordheim Brække & Jonas Fougner Engebretsen
126 Portugal: CS Associados: Jorge Silva Martins, Joana Avelino Gomes & Inês Cor
133 Singapore: Drew & Napier LLC: Lim Chong Kin, David N. Alfred & Albert Pichlmaier
143 Sweden: TIME DANOWSKY Advokatbyrå AB: Jonas Forzelius & Esa Kymäläinen
151 Switzerland: Kellerhals Carrard: Dr. Oliver M. Brupbacher, Dr. Nicolas Mosimann, Dr. Claudia Götz Staehelin & Marlen Schultze
161 Taiwan: Hsu & Associates: Steven Hsu
169 Thailand: Silk Legal Co., Ltd.: Dr. Jason Corbett & Don Sornumpol
176 USA: Ropes & Gray LLP: Edward R. McNicholas & Kevin J. Angle

Chapter 11: Ireland (page 87)
Maples Group: Brian Clarke, Claire Morrissey
Ireland, Cybersecurity 2023

1 Cybercrime

1.1 Would any of the following activities constitute a criminal or administrative offence in your jurisdiction? If so, please provide details of the offence, the maximum penalties available, and any examples of prosecutions in your jurisdiction:

Hacking (i.e. unauthorised access)

Yes, hacking is an offence under section 2 of the Criminal Justice (Offences Relating to Information Systems) Act 2017 (the “2017 Act”). A person who, without lawful authority or reasonable excuse, intentionally accesses an information system by infringing a security measure, commits an offence.

Denial-of-service attacks

Yes, denial-of-service attacks are an offence under section 3 of the 2017 Act. A person who, without lawful authority: intentionally hinders or interrupts the functioning of an information system by inputting data on the system; transmits, damages, deletes, alters or suppresses, or causes the deterioration of, data on the system; or renders data on the system inaccessible, commits an offence.

Phishing

Phishing does not in itself constitute a specific offence in Ireland. However, it is possible that the activity would be caught by certain other, more general criminal legislation, depending on the circumstances (for instance, relating to identity theft or identity fraud). In this regard, see below.

Infection of IT systems with malware (including ransomware, spyware, worms, trojans and viruses)

Infection of IT systems with malware is also an offence under Irish law. Pursuant to section 4 of the 2017 Act, any person who, without lawful authority, intentionally deletes, damages, alters or suppresses, or renders inaccessible, or causes the deterioration of data on an information system commits an offence.

Distribution, sale or offering for sale of hardware, software or other tools used to commit cybercrime

Distribution, sale or offering for sale of hardware, software or other tools used to commit cybercrime are also offences under Irish law (section 6 of the 2017 Act). It occurs when a person who, without lawful authority, intentionally produces, sells, procures for use, imports, distributes, or otherwise makes available, for the purpose of the commission of an offence under the 2017 Act, certain hacking tools.

Possession or use of hardware, software or other tools used to commit cybercrime

As above, possession or use of hardware, software or other tools used to commit cybercrime constitutes an offence under the 2017 Act (section 6).

Identity theft or identity fraud (e.g. in connection with access devices)

Although there is no precise, standalone offence of identity theft or identity fraud in this jurisdiction, it can nonetheless potentially be captured by the more general offence referred to as “making a gain or causing a loss by deception” (as contained in section 6 of the Criminal Justice (Theft and Fraud Offences) Act 2001 (the “2001 Act”)). This occurs where a person who dishonestly, with the intention of: making a gain for himself, herself or another; or causing loss to another, by any deception induces another to do or refrain from doing an act. In addition, sections 25, 26 and 27 of the 2001 Act cover specific forgery offences. Separately, under section 8 of the 2017 Act, identity theft or fraud is an aggravating factor when it comes to sentencing, in relation to “denial-of-service attack” or “infection of IT systems” offences.

Electronic theft (e.g. breach of confidence by a current or former employee, or criminal copyright infringement)

Electronic theft is covered by the relatively broad offence of “unlawful use of a computer”, as provided for in section 9 of the 2001 Act. This occurs where a person who dishonestly, whether within or outside the State, operates or causes to be operated a computer within the State with the intention of making a gain for himself, herself or another, or of causing loss to another.

Unsolicited penetration testing (i.e. the exploitation of an IT system without the permission of its owner to determine its vulnerabilities and weak points)

Unsolicited penetration testing is an offence under the 2017 Act (section 2) where it involves intentionally accessing an IT system by infringing a security measure without lawful authority (i.e. permission of the system owner/right holder or where otherwise permitted by law) or “reasonable excuse”. This term is not defined under the 2017 Act, and its application will depend on future judicial interpretation.

Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data

Section 5 of the 2017 Act created the offence of “intercepting the transmission of data without lawful authority”. This occurs when a person who, without lawful authority, intentionally intercepts any transmission (other than a public transmission) of data to, from or within an information system (including any electromagnetic emission from such an information system carrying such data).

With regard to penalties, in relation to offences under the 2017 Act, the penalties range from maximum imprisonment of one year and a maximum fine of €5,000 for charges brought “summarily” (i.e. for less serious offences), to a maximum of five years’ imprisonment (10 years in the case of denial-of-service attacks) and an unlimited fine for more serious offences. The relevant offences under the 2001 Act are only tried in the Circuit Court, with “making a gain or causing a loss by deception” carrying a maximum penalty of five years’ imprisonment and an unlimited fine, and forgery and “unlawful use of a computer” offences carrying a maximum of 10 years and an unlimited fine.

1.2 Do any of the above-mentioned offences have extraterritorial application?

All of the above offences under the 2017 Act have certain extraterritorial application. Offenders may therefore be tried in Ireland, so long as they have not already been convicted or acquitted abroad in respect of the same act.

1.3 Are there any factors that might mitigate any penalty or otherwise constitute an exception to any of the above-mentioned offences (e.g. where the offence involves “ethical hacking”, with no intent to cause damage or make a financial gain)?

The offences under the 2017 Act all provide that they are committed without “lawful authority” (i.e. permission of the system owner/right holder or where otherwise permitted by law). Accordingly, prosecution of these offences will require, necessarily, that such authority or lawful permission was absent. In addition, the offence relating to “hacking” carries a further qualification, i.e. where the person or company had a “reasonable excuse”. This term is not defined under the 2017 Act, and so its application will depend on future judicial interpretation.

If a company is charged with any of the above 2017 Act offences where the offence was committed by an employee for the benefit of that company, it will be a defence for that company that it took “all reasonable steps and exercised all due diligence” to avoid the offence taking place.

It can be expected that judges will continue to take established factors into account when considering the appropriate penalty on foot of a conviction of a cyber-related crime (e.g. remorse, amends, co-operation with investigators, criminal history, and extent of damage).

2 Cybersecurity Laws

2.1 Applicable Laws: Please cite any Applicable Laws in your jurisdiction applicable to cybersecurity, including laws applicable to the monitoring, detection, prevention, mitigation and management of Incidents. This may include, for example, data protection and e-privacy laws, intellectual property laws, confidentiality laws, information security laws, and import/export controls, among others.

Apart from the above-referenced statutes in respect of criminal activity, Applicable Laws include the following:

Data Protection: The General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) and the Data Protection Acts 1988 to 2018 (the “DPA”) govern the manner in which personal data is collected and processed in Ireland. Data controllers are required to take “appropriate security measures” against unauthorised access, alteration, disclosure or destruction of data, in particular where the processing involves transmission of data over a network, and comply with strict reporting obligations in relation to Incidents. The DPA also provides for offences related to disclosure and/or sale of personal data obtained without prior authority.

e-Privacy: The e-Privacy Regulations 2011 (S.I. 336 of 2011), which implemented the e-Privacy Directive 2002/58/EC (as amended by Directives 2006/24/EC and 2009/136/EC) (the “e-Privacy Regulations”), regulate the manner in which providers of publicly available telecommunications networks or services handle personal data and require providers to implement appropriate technical and organisational measures to safeguard the security of their services and report Incidents. They also prohibit interception or surveillance of communications and the related traffic data over a publicly available electronic communications service without users’ consent. The draft EU e-Privacy Regulation is intended to replace the existing e-Privacy Directive and e-Privacy Regulations and expand the current regime to cover all businesses that provide online communication services.

Network and Information Systems: The Security of Network and Information Systems Directive 2016/1148/EU (the “NISD”) was transposed into Irish law under S.I. 360/2018 European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (the “NISD Regulations”). The European Parliament and the Council reached a provisional agreement on the text of a revised Directive on the Security of Network and Information Systems on 13 May 2022 (“NIS2”), which will replace the NISD. NIS2 will introduce a number of key changes to the NISD framework, including having broader applicability than the NISD. NIS2 will cover additional sectors and include medium and large entities operating within the sectors covered by NIS2 in its scope, rather than only operators of essential services and digital services providers. Higher administrative fines of up to €10 million or 2% of global annual turnover will also be introduced.

Payments Services: The Payments Services Directive II (Directive 2015/2366/EU or “PSD2”) was transposed by the European Union (Payment Services) Regulations 2018 (S.I. 6 of 2018) (the “Payment Services Regulations”), and introduced regulatory technical standards (which were published by the European Banking Authority) to ensure “strong customer authentication”; payment service providers will be required to inform the national competent authority in the case of major operational or security Incidents. Providers must also notify customers if any Incident impacts the financial interests of their payment service users.

Other: If there is a security breach that results in the dissemination of inaccurate information, persons to whom the inaccurate data relates may seek a remedy under the Defamation Act 2009 or at common law for breach of confidence or negligence. See also sections 1 and 5.

2.2 Critical or essential infrastructure and services: Are there any cybersecurity requirements under Applicable Laws (in addition to those outlined above) applicable specifically to critical infrastructure, operators of essential services, or similar, in your jurisdiction?

The NISD Regulations and Commission Implementing Regulation (EU) 2018/151, which specifies further elements to be taken into account when identifying measures to ensure security of network and information systems, will apply. The National Cyber Security Strategy 2019-2024 provides a mandate for the National Cyber Security Centre (the “NCSC”) to engage in activities to protect critical information infrastructure. Enforcement powers under the NISD Regulations allow NCSC-authorised officers to conduct security assessments and audits, require the provision of information and issue binding instructions to remedy any deficiencies.

2.3 Security measures: Are organisations required under Applicable Laws to take measures to monitor, detect, prevent or mitigate Incidents? If so, please describe what measures are required to be taken.

Under the GDPR and DPA, controllers are required to take appropriate measures, as outlined in questions 1.1 and 2.1 above. The GDPR and DPA do not detail specific security measures to be undertaken but, in determining appropriate measures, a controller may have regard to the state of technological development and the cost of implementing the measures. Controllers must ensure that the measures provide a level of security appropriate to the harm that might result from a breach and the nature of the data concerned. The Data Protection Commission (the “DPC”) has issued guidance for controllers on data security, including recommending encryption, anti-virus software, firewalls, software patching, secure remote access, logs and audit trails, back-up systems and Incident response plans. At the outset of COVID-19, the DPC published guidance on protecting personal data when working remotely. It supplements existing DPC security guidance and focuses on keeping devices, emails, cloud and network access and paper records secure.

Under the e-Privacy Regulations, providers of publicly available telecommunications networks or services are required to take appropriate technical and organisational measures and ensure the level of security appropriate to the risk presented, having regard to the state of the art and cost of implementation. Such measures must ensure that personal data can only be accessed by authorised personnel for legally authorised purposes, protect personal data against accidental or unlawful destruction, loss, alteration, processing, etc., and ensure the implementation of a security policy.

The NISD Regulations require that operators of essential services (“OES”) and digital services take appropriate measures to prevent and minimise the impact of Incidents affecting the security of the network and information systems used for the provision of essential and digital services with a view to ensuring continuity.

2.4 Reporting to authorities: Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Incidents (including cyber threat information, such as malware signatures, network vulnerabilities and other technical characteristics identifying a cyber attack or attack methodology) to a regulatory or other authority in your jurisdiction? If so, please provide details of: (a) the circumstance in which this reporting obligation is triggered; (b) the regulatory or other authority to which the information is required to be reported; (c) the nature and scope of information that is required to be reported; and (d) whether any defences or exemptions exist by which the organisation might prevent publication of that information.

Where a personal data breach occurs, the controller shall, without undue delay and, where feasible, within 72 hours of becoming aware of the breach, notify the DPC of the breach. This notification shall include a description of the breach, the number or approximate number of data subjects and personal data records concerned. It must also contain a list of likely consequences of the breach and measures taken or proposed to be taken to address the breach. Where a data breach occurs that is likely to result in a high risk to the rights and freedoms of a data subject, the controller must notify the data subject to whom the breach relates. The requirement is waived where the controller has implemented appropriate measures to protect the data; in particular where the measures render the data unintelligible through encryption or otherwise to any person not authorised to access it. This notification must contain at least the same information provided to the DPC as described above. The DPC and European Data Protection Board have also published guidelines on data breach notification.

Providers of publicly available telecommunications networks or services are required to report information relating to Incidents or potential Incidents to the DPC (to the extent that such Incidents relate to personal data breaches). In the case of a particular risk of a breach to the security of a network, providers of publicly available telecommunications networks or services are required to inform their subscribers concerning such risk without delay and, where the risk lies outside the scope of the measures to be taken by the relevant service provider, any possible remedies including an indication of the likely costs involved. In case of a personal data breach, such providers must notify the DPC without delay and, where the said breach is likely to affect the personal data of a subscriber or individual, notify them also. If the provider can satisfy the DPC that the data would have been unintelligible to unauthorised persons, there may be no requirement to notify the individual or subscriber of the breach.

The NISD Regulations require OES and digital providers to notify the NCSC without delay of any Incident having a substantial impact on the provision of a service. The notification must provide sufficient information so that the NCSC can assess the significance of the same and any cross-border impact. The NISD Regulations stipulate that notification shall not make the notifying party subject to increased liability.

Section 19 of the Criminal Justice Act 2011 mandates reporting certain cybercrimes to the Irish police force, An Garda Síochána. Failure to make such a report, without reasonable excuse, is an offence.

The Central Bank of Ireland’s (the “CBI”) Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks (“Cross Industry Guidance”) requires firms to notify the Bank when they become aware of a cybersecurity Incident that could have a significant and adverse effect on the firm’s ability to provide adequate services to its customers, its reputation or financial condition.

2.5 Reporting to affected individuals or third parties: Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Incidents to any affected individuals? If so, please provide details of: (a) the circumstance in which this reporting obligation is triggered; and (b) the nature and scope of information that is required to be reported.

Please see the response to question 2.4 above.

2.6 Responsible authority(ies): Please provide details of the regulator(s) or authority(ies) responsible for the above-mentioned requirements.

Please see the response to question 2.4 above.

2.7 Penalties: What are the penalties for not complying with the above-mentioned requirements?

Failure to have appropriate security measures in place and/or report a data security breach in accordance with the GDPR can result in one of a number of administrative sanctions, including a ban on processing, and the potential exposure to fines of up to €10 million or 2% of the global turnover (whichever is higher). Failure by providers of publicly available telecommunications networks or services to comply with the above-mentioned requirements under the e-Privacy Regulations is an offence, liable to a fine of up to €250,000. If a person is convicted of an offence, the court may order any material or data that appears to it to be connected with the commission of the offence to be forfeited or destroyed and any relevant data to be erased. Failure by an OES or a digital service provider to notify an Incident is an offence under the NISD Regulations liable to a fine of up to €500,000.

2.8 Enforcement: Please cite any specific examples of enforcement action taken in cases of non-compliance with the above-mentioned requirements.

The years 2021 and 2022 saw some high-profile enforcement activity in respect of these requirements. In December 2021, the CBI fined Bank of Ireland (“BOI”) €24.5 million in connection with breaches pertaining to its IT service continuity framework and related internal controls failings. In 2022, the DPC announced large fines on Meta Platforms (“Meta”) and BOI for various breaches of the GDPR. A €17 million fine was imposed on Meta for the failure to have in place appropriate technical and organisational measures that would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of 12 personal data breaches. BOI was fined €463,000 for the failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of customer data in transferring information to the Central Credit Register, failure to report data breaches to the DPC without undue delay, and failure to notify those data subjects affected by the breach without undue delay.

3 Preventing Attacks

3.1 Are organisations permitted to use any of the following measures to protect their IT systems in your jurisdiction (including to detect and deflect Incidents on their IT systems)?

Beacons (i.e. imperceptible, remotely hosted graphics inserted into content to trigger a contact with a remote server that will reveal the IP address of a computer that is viewing such content)

There is no specific prohibition on the use of beacons for such purposes, but careful consideration would need to be given as to whether such use might itself constitute “hacking” under the 2017 Act.

Honeypots (i.e. digital traps designed to trick cyber threat actors into taking action against a synthetic network, thereby allowing an organisation to detect and counteract attempts to attack its network without causing any damage to the organisation’s real network or data)

Subject to compliance with the various legislation identified above, there is no specific prohibition on the use of honeypots for such purposes.

Sinkholes (i.e. measures to re-direct malicious traffic away from an organisation’s own IP addresses and servers, commonly used to prevent DDoS attacks)

Subject to compliance with the various legislation identified above, there is no specific prohibition on the use of sinkholes for such purposes.

3.2 Are organisations permitted to monitor or intercept electronic communications on their networks (e.g. email and internet usage of employees) in order to prevent or mitigate the impact of cyber attacks?

Monitoring or interception of electronic communications on private networks to prevent or mitigate the impact of cyber-attacks must comply with the GDPR’s requirements, including in relation to transparency, necessity and proportionality. The e-Privacy Regulations prohibit interception or surveillance of communications and the related traffic data over a publicly-available electronic communications service without users’ consent.

3.3 Does your jurisdiction restrict the import or export of technology (e.g. encryption software and hardware) designed to prevent or mitigate the impact of cyber attacks?

The export of dual-use technology (i.e. technology that can be used for both civil and military purposes) is restricted. Most dual-use items can move freely within the EU; however, a licence is required to export them to a third country (i.e. outside the EU). Very sensitive items, such as equipment or software designed or modified to perform “cryptanalytic functions”, require a transfer licence for movement within the EU.

4 Specific Sectors

4.1 Does market practice with respect to information security vary across different business sectors in your jurisdiction? Please include details of any common deviations from the strict legal requirements under Applicable Laws.

Market practices regarding information security varied considerably in Ireland depending on the industry sector concerned. Businesses in industries recognised as being particularly vulnerable to Incidents, such as the financial services sector, were more likely to have adequate processes in place to effectively address cyber risk. However, the GDPR and factors such as COVID-19, with the increased reliance on remote working and technology, have accelerated investment in information security across all sectors. COVID-19 also provided more opportunities for scams and cyber-attacks, with the 2021 Conti cyber-attack on the Irish Health Service Executive (the “HSE”) being the most high profile. In response to the attack, the Garda Cybercrime Bureau, Ireland’s cybercrime unit, seized domains used in the attack and is engaging with Europol and Interpol. The full independent post-incident review of the attack was published in December 2021. Overall, the trends are towards increased security and systems.

4.2 Excluding the requirements outlined at 2.2 in relation to the operation of essential services and critical infrastructure, are there any specific legal requirements in relation to cybersecurity applicable to organisations in specific sectors (e.g. financial services or telecommunications)?

(a) Not per se; however, the requirement for appropriate systems and procedures is the subject of regulatory focus, and the CBI is focused on ensuring that firms in the financial services sector have appropriate systems, policies and procedures in place, as part of its regulatory supervision mandate. So, for example, the CBI has published Cross Industry Guidance to financial institutions, which makes a number of recommendations including (but not limited to): the preparation of a well-considered and documented strategy to address cyber risk; the implementation of security awareness training programmes; the performance of cyber risk assessments on a regular basis; and the implementation of strong controls by firms over access to their IT systems. Further, the NISD Regulations introduce security measures and Incident reporting obligations for credit institutions. See also the reference to the Payment Services Regulations at question 2.1 above. The European Commission’s draft Digital Operational Resilience Act (the “DORA”), published in September 2020, sees EU financial regulators expanding their focus beyond financial resilience to operational resilience, including effective and prudent management of ICT risks and cybersecurity incidents. A Consultation Paper on the CBI’s Cross Industry Guidance on Operational Resilience is currently active. The guidance will apply to all regulated financial service providers and includes recommendations regarding identifying, preparing for, responding to, adapting to and learning from operational disruptions, including cybersecurity incidents.

(b) As noted above, electronic communications companies (such as telecoms companies and ISPs) are governed by the GDPR, the DPA, and also the e-Privacy Regulations. Certain operators (IXPs, DNS service providers and TLD name registries) also now fall within the ambit of the NISD Regulations together with essential operators in the energy, transport, health, drinking water and digital infrastructure sectors.

5 Corporate Governance

5.1 In what circumstances, if any, might a failure by a company (whether listed or private) to prevent, mitigate, manage or respond to an Incident amount to a breach of directors’ or officers’ duties in your jurisdiction?

While there are no express directors’ duties specific to cybersecurity, directors owe fiduciary duties to their company under common law and under the Companies Act 2014 (the “CA 2014”). There are a number of key fiduciary duties of directors set out in the CA 2014, which are relevant. This list, however, is not exhaustive. Relevant examples of directors’ duties that could be considered to extend to cybersecurity are to: exercise the care, skill and diligence that would be exercised in the same circumstances by a reasonable person having both the knowledge and experience that may reasonably be expected of a person in the same position as the director, and the knowledge and experience that the director has; act honestly and responsibly in relation to the conduct of the affairs of the company; act in accordance with the company’s constitution and exercise their powers only for the purposes allowed by law; exercise their powers in good faith in what the director considers to be the interests of the company; and have regard to the interests of their employees in general.

Directors have a general duty to identify, manage and mitigate risk, as well as fiduciary duties, such as those outlined above, which would extend to cybersecurity. Such duties are likely to be interpreted to mean that directors should have appropriate policies and strategies in place with respect to cyber risk and security and that directors should review and monitor these on a regular basis. Regard may also be had to compliance by a company with all relevant legislative obligations imposed on that company in assessing compliance by directors with their duties. Appropriate insurance coverage should also be considered. Directors should be fully briefed and aware of all of the key issues relating to cyber risk. Larger organisations may choose to delegate more specific cyber risk issues to a specific risk sub-committee, but with the board retaining ultimate oversight and responsibility. In relation to company secretaries, this will depend on what duties are delegated to the company secretary by the board of directors.

5.2 Are companies (whether listed or private) required under Applicable Laws to: (a) designate a CISO (or equivalent); (b) establish a written Incident response plan or policy; (c) conduct periodic cyber risk assessments, including for third party vendors; and (d) perform penetration tests or vulnerability assessments?

While there are no such express obligations from a company law perspective, general directors’ fiduciary duties, best corporate governance practices, as well as the “appropriate security” requirements under the DPA, may dictate that such actions are performed. See question 5.1 above for more detail on directors’ duties. For industry-specific requirements, see question 4.1 above.

The DPA permits a data subject to take a data protection action against a controller or processor where they believe their rights have been infringed. A breach of a person’s privacy rights may give rise to a claim in tort for breach of confidence or negligence, depending upon the circumstances. Incidents involving the theft of information or property may give rise to claims in the tort of conversion. Incidents involving the publication of intrusive personal information may, in some circumstances, constitute the tort of injurious or malicious falsehood. Incidents involving the misuse of private commercial information may give rise to claims for damages for tortious interference with economic relations.

7 Insurance

7.1 Are organisations permitted to take out insurance against Incidents in your jurisdiction?

Cyber insurance products are being taken up by businesses with increasing frequency and are now seen as routine. Such products afford cover for various data- and privacy-related issues including: the financial consequences of losing or misappropriating customer or employee data; the management of a data breach and attendant consequences, including the costs associated with involvement in an investigation by the DPC; and the costs associated with restoring, recollecting or recreating data after an Incident.

7.2 Are there any regulatory limitations to insurance coverage against specific types of loss, such as business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal limits placed on what the insurance policy can cover?

There are no specific regulatory limits placed on what an insurance policy can cover; however, the legal doctrine of the ex turpi causa non oritur actio principle (i.e. that a party should not be entitled to enforce a contract that is tainted with illegality in some form, or, a claimant has no remedy allowing it to profit from its own wrongdoing) is recognised under Irish law (see for ex

113、ample the Supreme Court decision in the 2015 case of Quinn v IBRC).There is presently no Irish equivalent to the decision of the English Court of Appeal in Safeway Stores Limited v Twigger 2010 EWCA Civ 1472,but Irish law recognises similar princi-ples.Whether a policy would permit recovery is depen

114、dent on the circumstances,and the nature of the alleged wrongdoing.As GDPR and DPA administrative fines are intended to be“effective,proportionate and dissuasive”,it is certainly argu-able that any such fines imposed should not be insurable.It may be said that to allow the same would undermine the d

115、issua-sive nature of the fines if they could simply be passed on to an insurer.Similarly,criminal fines prescribed by statute are not likely to be insurable in Ireland.However,there are also arguments to support a contention that where there has been a breach that amounts to an error,as opposed to a

116、 purposeful act or omission,that cover for such event and outcome should not offend the public principles.5.3 Are companies(whether listed or private)subject to any specific disclosure requirements(other than those mentioned in section 2)in relation to cybersecurity risks or Incidents(e.g.to listing

117、 authorities,the market or otherwise in their annual reports)?While there are no such express obligations from a company law perspective,general director fiduciary duties,as well as best corporate governance practices,may dictate that such actions are performed.See question 5.1 above for more detail

118、 on direc-tors duties.6 Litigation6.1 Please provide details of any civil or other private actions that may be brought in relation to any Incident and the elements of that action that would need to be met.As discussed in response to question 6.3 below,an Incident may give rise to various claims unde

119、r the law of tort and under statute.It is also conceivable that an Incident would,depending on the circumstances,give rise to a claim for breach of contract.In order to be entitled to compensation in damages,whether under a tortious or contractual analysis,a plaintiff will be required to establish:t

120、hat a duty or obligation was owed to him/her by the defendant;that an Incident has occurred as a result of the defendant acting in breach of that duty or obligation;and loss or damage has been sustained to the plaintiff that would not have been sustained,but for the defendants conduct.Many classes o

121、f Incident may also give rise to claims for damages for breach of the constitutional right to privacy.Where an Incident is committed by a State actor,for example,during the course of an investigation,it may give rise to an action in judicial review to prevent misuse of any inappropriately obtained d

122、ata and/or to quash any decision taken in relation to,and/or on foot of,the Incident or any improperly obtained data(see,e.g.CRH plc and Others v Competition and Consumer Protection Commission 2017 IECS 34).6.2 Please cite any specific examples of published civil or other private actions that have b

123、een brought in your jurisdiction in relation to Incidents.In the recent case of Shawl Property Investments Limited v A&B,decided in February 2021,the Court of Appeal considered the question of strict liability for data breaches,and,in allowing a claim for breach of data protection rights to progress

124、 to a plenary hearing,commented that:“Nothing stated in s.117 or indeed the Act itself the Data Protection Act 2018 suggests that a data protec-tion action is a tort of strict liability.”In Lannon v Minister for Social Protection,a damages action by a man whose address was given by a then employee o

125、f the Depart-ment of Social Protection to a private detective hired by solic-itors for a bank,was settled in the High Court in 2019.This followed a statement of acknowledgment and regret on behalf of the Department that“data relating to Mr Lannon was released in contravention of the 1988 Data Protec

126、tion Act by a former employee”.6.3 Is there any potential liability in tort(or equivalent legal theory)in relation to failure to prevent an Incident(e.g.negligence)?Depending on the specific type of Incident concerned,liability for breach of statutory duty or in tort may arise.Examples of such liabi

127、lities are as follows:93Maples GroupCybersecurity 2023The DPC has broad powers to investigate breaches under the DPA,including the power to enter business premises unan-nounced and without a court-ordered search warrant.8.2 Are there any requirements under Applicable Laws for organisations to implem

128、ent backdoors in their IT systems for law enforcement authorities or to provide law enforcement authorities with encryption keys?There are no requirements under Irish law for organisations to implement backdoors to their IT systems for law enforce-ment authorities,or to provide law enforcement autho

129、rities with encryption keys.8 Investigatory and Police Powers8.1 Please provide details of any investigatory powers of law enforcement or other authorities under Applicable Laws in your jurisdiction(e.g.anti-terrorism laws)that may be relied upon to investigate an Incident.Under the 2017 Act,the Iri

130、sh police force is given a relatively broad authority to investigate cybersecurity Incidents or suspected activity.Specifically,a warrant is obtainable so as to enter and search a premises,and examine and seize(demanding passwords,if necessary)anything believed to be evidence relating to an offence,

131、or potential offence,under the 2017 Act,from a District Court Judge on foot of a suitable Garda statement,on oath.94IrelandClaire Morrissey is Partner and Head of the Dublin Data,Commercial&Technology practice at Maples and Calder(Ireland)LLP,the Maples Groups law firm.Claire advises on a broad rang

132、e of data protection issues and commercial contracts with a particular focus on compliance with the GDPR,technology and IP.In addition,Claire regularly advises on the technology,IP and data aspects of joint ventures and mergers&acquisitions.Maples Group75 St.Stephens GreenDublin 2,D02 PR50IrelandTel

133、:+353 1 619 2113 Email:URL:Brian Clarke is a Partner in Maples and Calder(Ireland)LLPs Dispute Resolution&Insolvency team in the Maples Groups Dublin office.Brian has extensive experience advising both domestic and multinational clients on large and complex commercial disputes,including proceedings

134、before the Commercial Court,as well as all forms of arbitration.Brian is also experienced in managing investigations and acting for clients across various sectors in relation to regulatory investigations and prosecutions.Maples Group75 St.Stephens GreenDublin 2,D02 PR50IrelandTel:+353 1 619 2042 Ema

135、il:URL:The Maples Group,through its leading international law firm,Maples and Calder,advises global financial,institutional,business and private clients on the laws of the British Virgin Islands,the Cayman Islands,Ireland,Jersey and Luxembourg.With offices in key jurisdictions around the world,the M

136、aples Group has specific strengths in areas of corporate,commercial,finance,investment funds,litigation and trusts.Maintaining relationships with leading legal counsel,the Group leverages this local expertise to deliver an integrated service offering for global business Cybersecurity 2023Alternative

137、 Investment FundsAnti-Money LaunderingAviation Finance&LeasingAviation LawBusiness CrimeCartels&LeniencyClass&Group ActionsCompetition LitigationConstruction&Engineering LawConsumer ProtectionCopyrightCorporate GovernanceCorporate ImmigrationCorporate InvestigationsCorporate TaxCybersecurityData Pro

138、tectionDerivativesDesignsDigital BusinessDigital HealthDrug&Medical Device LitigationEmployment&Labour LawEnforcement of Foreign JudgmentsEnvironment&Climate Change LawEnvironmental,Social&Governance LawFamily LawFintechForeign Direct Investment Regimes FranchiseGamblingInsurance&ReinsuranceInternat

139、ional ArbitrationInvestor-State ArbitrationLending&Secured FinanceLitigation&Dispute ResolutionMerger ControlMergers&AcquisitionsMining LawOil&Gas RegulationPatentsPharmaceutical AdvertisingPrivate ClientPrivate EquityProduct LiabilityProject FinancePublic Investment FundsPublic ProcurementReal EstateRenewable EnergyRestructuring&InsolvencySanctionsSecuritisationShipping LawTechnology SourcingTelecoms,Media&InternetTrade MarksVertical Agreements and Dominant FirmsCurrent titles in the ICLG seriesThe International Comparative Legal Guides are published by:
