A duty of care standard for cybersecurity

Next to brake lights, a crumple zone and airbags, your car ensures your safety in many ways you wouldn’t think of yourself and that you don’t have to ask for. But when you outsource software development, all too often it will be up to you to ensure your digital security. ‘Now is the time for a duty of care standard for cybersecurity,’ says Bernold Nieuwesteeg.

‘Whenever a data breach occurs, people are quick to blame the company or government agency where the data spill occurred,’ says Bernold Nieuwesteeg, researcher and director of the Centre for the Law and Economics of Cyber Security (CLECS) at Erasmus University Rotterdam. ‘That’s not fair, if you ask me. One would like the most knowledgeable party to carry most responsibility for cybersecurity. Often, that will be the party providing the software rather than the party using it.’

Do laws such as the data breach notification obligation work?

Law and economics

Nieuwesteeg decided to complete both of his master’s – in Technology, Policy and Management at TU Delft and in European Law at Utrecht University – with a single thesis. The topic? Cybersecurity! He subsequently obtained his doctorate at the Department of Law and Economics at Erasmus University Rotterdam, focussing on that same topic. ‘If you think of cybersecurity as an economic market, you will notice that it has certain shortfalls,’ he says. ‘For instance, companies lack sufficient information to determine how much they should invest in cybersecurity. There are many ways to correct such a market failure, by taking out insurance, for example, or by implementing a legal instrument. This could be a binding law or something more akin to a gentle nudge, such as an opt-out system for cybersecurity rather than an opt-in system. The field of law and economics studies the efficacy of these legal measures in solving an economic problem.’

A thorn in the side

When it comes to European law on cybersecurity – and national law based on these European laws, such as the data breach notification obligation – Nieuwesteeg positions the CLECS as the thorn in the side of the authorities. Nieuwesteeg: ‘Does a law achieve what it was intended for, how does it do that, and can it be further improved? Before a bill is enacted into law, it is often praised for achieving a certain effect. Once passed, however, nobody cares to check these claims.’ The CLECS also looks into digital autonomy – ‘quite a cybersecurity risk when all our data are in American and Chinese hands,’ says Nieuwesteeg – and it aims to find smart methods for assigning the responsibility for cybersecurity so that more knowledgeable parties are inclined to share their insights. This is what the duty of care standard for cybersecurity is about.

The duty of care standard

‘The academic world holds a great deal of knowledge about how to deal with cybersecurity,’ Nieuwesteeg says. ‘As a scientist, I consider it my duty to make this knowledge available to the business community.’ He therefore launched the Cyber Security Lab, together with Petra Oldengarm and Rutger Leukfeldt. A lab session with ten people from academia and the business community resulted in a position paper (in Dutch), calling for a duty of care standard for cybersecurity. The essence of the standard is that it prescribes how responsibilities will be distributed between contracting parties. One can only deviate from this standard if both parties agree to do so, providing good reasons. Nieuwesteeg: ‘The current disparity in knowledge translates into a disparity in negotiating power. Too often, this means that (full) liability is shifted to the customer ordering the software. A duty of care standard may motivate a supplier to share its knowledge about cybersecurity risks, as they will be liable for any consequences.’

Disparity in knowledge of cybersecurity results in liability being pushed onto customers.

Flexibility required, so no law

It is important for the duty of care standard to be easily adaptable to the rapid developments in the field of cybersecurity. ‘I therefore prefer not to solve this by way of European legislation,’ Nieuwesteeg says. ‘That’s just way too rigid an approach. The standard has to be legally recognised, but we need to leave it to scientific experts and industry representatives to draft and adapt the guidelines.’ Nieuwesteeg is on good terms with the Ministry of Economic Affairs and Climate Policy, which itself is working on a roadmap for Digitally Secure Hardware and Software. ‘The Netherlands is a prime example of consensus-based economic and social policymaking, meaning that we also need to consult the software suppliers that would rather not be subject to such a duty of care standard,’ he says. ‘But I have good hope that they will come to appreciate the benefit of having a higher overall level of cybersecurity in the Netherlands.’

A cybersecurity index

The CSAR index (CyberSecurity Annual Report index) is another endeavour by Nieuwesteeg to increase knowledge sharing on cybersecurity. It measures the transparency in cybersecurity of corporations listed on the stock exchange. ‘Unless a company is active in the field of computer and network security, its competitive position will not be negatively impacted by sharing its knowledge on cybersecurity,’ Nieuwesteeg says. ‘Customers do not switch their main supermarket over inadequate cybersecurity.’

Building bridges

For Nieuwesteeg, cybersecurity is a textbook example of a topic requiring a multidisciplinary approach. ‘In the Netherlands, all universities are active in the field of cybersecurity, each following their own unique approach. If we were to create one large institute, combining all disciplines, I don’t think we would be able to reach sufficient depth of knowledge. That’s why bilateral collaborations are often preferred.’ Nieuwesteeg himself is working on establishing a Digital Security Doctorate within Leiden-Delft-Erasmus. It will focus on researching the economic, legal, psychological and governance aspects of cybersecurity, rather than delving into hardware-related security risks in computer chips. ‘It is our ambition to have several students start their PhD simultaneously, allowing them to share their insights and learn from each other,’ Nieuwesteeg says. ‘It is how we strengthen the LDE ideology.’