Do your clients have a plan that identifies and addresses cross-border cyber-risks in their businesses? If not, are they OK with being excluded from certain markets due to the cyber-risk they pose?
In today’s world, it is a question of when — not if — an organization will face a cyber-incident, says Wendy Hulton, partner at Dickinson Wright LLP and chairwoman of the Canadian interdisciplinary data privacy and cybersecurity team at the firm.
“The reality of business these days is it’s virtually all cross-border,” Hulton says. “Cybersecurity is inherently global — it’s multi-jurisdictional even if you think you’re a domestic company … so you have to take this into consideration when you’re putting your plans in place.”
Hulton says subpar cybersecurity standards or practices are an issue she sees in the mergers and acquisitions world right now, where “people are pushing back from the table because when they do their due diligence on the cybersecurity, they go, ‘This is going to be too much work for me. I’m going to go shop elsewhere.’”
“Definitely, the cross-border issue is a live one in many situations and a difficult one to navigate — and sometimes possibly a barrier,” says Katherine Kolnhofer, partner at Bell Temple LLP who, along with associate Brenda Cuneo, works in a privacy and access to information practice group with a focus on cybersecurity and data breach management.
Kolnhofer, whose group takes on the role of a risk coach or data breach coach, says most clients these days have intentions to do cross-border business, whether they’re in the process of doing it or it’s part of the eventual plan. She says finding out what systems vendors or other businesses with which clients are entering into contracts have in place to ensure privacy is becoming more and more standard.
Kolnhofer recommends clients look into insurance for their business, which can be designed to cover them in other jurisdictions. While not mandatory at the moment, it’s “definitely coming more to the forefront in terms of [being] required,” she says.
“Brokers are having more and more discussions with their various clientele about needing those kinds of policies,” Kolnhofer says, adding many also provide a consultative layer that can provide the insured with legal or IT advice both from a preventive perspective and in the event of an attack.
“The appropriateness will depend on the size of the client and insurers will work with clients in terms of what they need for their particular size or risk.”
When it comes to developing cross-border breach response plans, Hulton strongly recommends clients don’t wait for the “ultimate stress test” of an actual incident.
Hulton and her team help clients develop breach response plans, educate general counsel on best practices and provide counsel in the case of an actual breach. Though “the uptake varies across the board,” Hulton says her team is constantly preaching the proactive approach to clients and recently more are on board, which she calls heartening.
Jean-François De Rico, a partner specializing in information technology law at Langlois Lawyers LLP’s Quebec City office, agrees there are changing attitudes toward the need for having a detailed breach response well in advance of an actual issue, although he notes there’s a general acknowledgement that there’s no situation where absolute security can be assured.
De Rico starts from the premise that the threat is global and constant, and his obligation to clients is to enlighten them about the risks arising from threats that are known today, what can be managed and how best to do so.
“Cybersecurity occupies me more in the prevention realm as of today than in the curing and breach context,” he adds. “In at least the last two or three years, I’ve been doing a lot more reviewing, advising, contractual work — both in the procurement side and actual negotiation as to the measures of information security that will be imposed on a service provider. There’s a lot of negotiations in that field.”
Kolnhofer says it’s an education process with the clients to get them to accept that cybersecurity breaches are a reality.
“There’s still a perception this is not going to happen to a small business, your average business, any kind of local business smaller than Yahoo or those larger companies that you hear in the news,” she says. “They’re somewhat resistant to thinking they need to expend resources to implement all these strategies, but it is actually happening.”
Hulton says the role of legal counsel in a company’s cybersecurity protocol is misunderstood, with many believing the issue is purely technology based.
“Devoting more financial resources is one aspect of it, but also, inherently in cybersecurity, education is the other side of the coin. The two have to go hand in hand.”
Involving all levels of employees is crucial — CEOs have to make friends with their IT department because “if anybody knows exactly what’s going on, it’s that department. They can’t be afraid to talk to their CEO.”
The best approach to cybersecurity, she notes, is to understand that there are many moving parts. It’s about planning, foresight, updates and developing a privacy program.
The boilerplate approach to these issues is not enough anymore — there are a lot of do-it-yourself people out there, Hulton notes, who think they can grab a response plan off the internet, “do a couple little tweaks in-house” and be good to go, but that’s not the case.
Using best practices in prevention and breach response is part of remaining competitive, Kolnhofer says, adding “at this point if you’re not keeping up with the current privacy by design, then you might simply have to exit the market because people aren’t going to want to deal with you. It definitely makes you more marketable.”
Privacy by design is a three-fold approach, where a business sets up IT systems that protect as best possible, have accountable business practices and then “implement it from a physical perspective in terms of the physical design of your business and the IT perspective — what you’re using in terms of equipment and infrastructure,” Kolnhofer says.
“The key with this approach is balancing the protection and risk management while ensuring your clients are able to continue with whatever their innovative projects are and to keep them competitive in the business that they’re in.”
Hulton and her team offer clients the opportunity to proactively conduct an internal audit to help develop breach response plans. They give the clients the tools to do the first step themselves and gather basic information; the lawyers then “cross-examine” them, asking the hard questions and drilling down based on the cybersecurity team’s experience.
“If we can get proactive and get in there ahead of time, we already know what their cross-border exposure is, so we’ve already covered that. [In] this day and age, even very small mom-and-pop operations are cross-border.”
De Rico, whose team works both with public organizations and businesses, acts for clients in the course of procurement projects and the development or review of internal policies, but he notes it can be hard to meet the “cloudy language” requirements of information security, which is “the obligation to ensure you put in place appropriate processes, procedures and controls to ensure security of information,” he says.
“I keep myself informed of the threats, the risks and the way to mitigate that risk technologically but also in the realm of business processes and the education of actual individuals.”
In cross-border operations with the U.S., there’s varying legislation depending on the state you’re dealing with and that leads to some tricky decisions, Kolnhofer says.
“Should you adopt the strictest laws and apply that generally or have more of a patchwork system of compliance depending on where your business is operating? That can become a resource challenge.”
There’s no blanket advice you can give clients, Kolnhofer says, because it’s going to depend on the size of their business, the resources available — because “it might become cost-prohibitive to get too complicated with what they’re implementing from a risk approach” — and also on the sensitivity of the data.
“Each business is different — the level of business they’re doing in the other jurisdictions is different, it might depend on how strict or not the other jurisdiction’s regulations are,” Kolnhofer says. “You weigh a cost-benefit analysis.”
Hulton says her personal inclination is always to go with the best-practices approach when it comes to breach reporting, which means “if you’re going to report in one you’re going to report in all.” But she acknowledges you can’t say that across the board — best practices vary from company to company and industry to industry, depending on the sensitivity of the information.
“You could be reporting in another jurisdiction where literally the stress of reporting the breach might cause more damage than the breach itself,” she adds.
De Rico says the difficulty is finding that gold measure. There are international third-party standards such as the ISO/IEC 27001 standard or business-specific standards such as the Payment Card Industry Data Security Standard, that De Rico uses as tools to give him a measure of compliance.
Though he doesn’t encourage litigation, De Rico notes that courts give guidance as to what the standard is that needs to be followed. A few class actions that have been introduced and authorized in Canada — Condon c. Canada, Belley c. TD Auto Finance Services Inc./Services de financement auto TD inc. and Zuckerman c. Target Corporation — will “allow us to see actual situations where organizations will either be classified as having been diligent in the way they deploy processes, procedures and security measures or will be condemned because of a deficiency in the way they did it,” he says.
“Information security is a difficult field to identify those levels because it’s constantly moving.”
In September, the government released proposed Breach of Security Safeguards Regulations giving more information about amendments from the Digital Privacy Act that impact Canada’s Personal Information Protection and Electronic Documents Act. The government states the key change is the establishment of mandatory breach reporting, and the aim is to “codify existing best practices” and harmonize Canada’s regime for reporting with those of other jurisdictions — currently, only Alberta has mandatory reporting requirements — and “reducing the burden of reporting for organizations operating in multiple jurisdictions.”
Hulton predicts 2018 will be the year the regulations come into force.
“Its implications must be considered when developing corporate legal policies and incident response plans dealing with data breaches that cross the border,” she says.
“We need the Canadian regulations to be formalized so we know where we stand,” Kolnhofer says. “What’s intended with these new regulations is to get us more up to speed and on par with other initiatives around the world.”
A harmonized approach to breach reporting across Canada “would be the dream,” Hulton says, but there are the provincial laws to take into account that may impact different sectors’ comfort levels with the changes.
With the regulations imposing more obligations on businesses, some clients have been less than receptive, but Hulton says “we can usually talk them down — it’s always fear of unknown.”
It’s an education process, Kolnhofer says, because “anything that imposes requirements that involve restructuring or an infusion of financial obligation to upgrade an infrastructure is always going to be resisted,” especially by smaller and mid-size businesses.
“The way we address it is to suggest this is actually a positive change for the business as well,” Kolnhofer says. “It’s ultimately for their protection because it will require them to have protections upfront, the idea being you have less risk of being breached.”
Mandatory reporting puts everybody on the same playing field, which is an advantage, De Rico says, as some mature businesses whose inclination was to report in all jurisdictions in the event of a breach, legal obligation or no, hesitated because of the reputational risk of doing so. That won’t be an option because of the broad definition of risk, which if reached would trigger the mandatory reporting.
“It will be very difficult for someone like me to say, in light of a breach, that there is no risk in the sense of how it is defined in the regulation,” says De Rico.
Kolnhofer agrees that the wording is vague, saying what’s concerning is the “real risk of significant harm” as sort of a breach threshold.
“We’re going to see that lead to some litigation or possible issues in terms of how the government is going to decide whether there’s been compliance or not, particularly where they’re imposing monetary fines and how is that going to be measured,” she predicts. “That seems to be a predominant area of ambiguity.”
De Rico thinks the new Canadian regulations will mean more work for cybersecurity lawyers as many businesses “will have difficulty meeting their obligations because there hasn’t been that much incentive in deploying the resources to secure networks and secure data storage environments.”
“You go from the micro or small business, pass by the mid-size business to the telco or bank — within that range you find everything. You find . . . robust processes and you find the desert,”