An ounce of prevention is worth a pound of cure, so the saying goes, and while it may seem trite, for in-house counsel who have to deal with the aftermath of a cyberattack or data breach, that recommendation overwhelms all others. When intellectual property and customer information falls into the wrong hands, how well prepared the organization is for such an eventuality will determine the ramifications.
While it would appear that most organizations in Canada have a handle on the technological aspects of cybersecurity, there is still a ways to go when it comes to pre-emptive planning in case of a data breach and involving in-house counsel so they can contribute. Most of all, it would appear there needs to be a culture shift that has employees taking cybersecurity to heart and understanding how entwined it is with the overall health of the business.
Ralph Kroman, partner with WeirFoulds LLP in Toronto, says it’s never a bad idea for a lawyer to be proactive rather than reactive, but when it comes to protecting customer information and the organization from potential litigation, in-house can never be too careful when preparing for a cyberattack and its aftermath. He sees it as being the No. 1 skill of in-house counsel who are looking at keeping their feet under them as they navigate the shifting sands of cybersecurity and ever-adapting legislation. “Being proactive can in fact reduce liability and in fact eliminate it,” Kroman says. However, many are caught flat-footed when their organization experiences a threat that compromises the integrity of corporate data, says Kroman, whose practice is focused on intellectual property and information technology. He says there is a tendency to treat cybersecurity and data breach prevention as a technology issue, but planning, ongoing protection, and any response to an incident should also involve people and processes.
Embrace life-long learning
Because the nature of threats is changing day to day and month to month as is legislation, in-house counsel also needs to have an open mind and be eager to learn, says Kroman. They also need to be persistent, both in terms of keeping on top of trends, legislation, and threats, but also in educating the executives and employees in their organization. Legislation is adapting and becoming more robust.
“Counsel really needs to keep on top of it,” he says. “It’s not just something you can look up in a book.”
What is law today may change, he adds, and while it’s quite unusual for legislation to change overnight, and in-house counsel should have a process in place to keep on top of any changes. This is where tapping the expertise of an external legal resource can help. “It can really be a team effort.”
One of the reasons Kroman says in-house counsel needs to be persistent is that many organizations have an “it can’t happen to them” attitude. “There can be a reluctance in the organization to do things in cyber-security beyond technology measures.”
There are more incidents of corporate data breaches being reported, and more lawsuits as a result, says Kroman. And it’s not just enough to understand Canadian legislation with regards to privacy. It’s important to know who must be notified, including various governments. “Those obligations are changing quite rapidly,” he says. “As part of preparing for an incident, organizations need to understand what jurisdictions apply.”
A company in Canada may have to comply with privacy legislation in more than one province, as well as that of other countries, depending on the nature of its operations. It needs to understand who to notify and when it must notify, says Kroman. “Case law has shown that failure to notify can open up an organization to a successful lawsuit.”
Safeguarding privacy is a core component of cybersecurity. Chantal Bernier, who led the Office of the Privacy Commissioner of Canada for six years and is now counsel with Dentons LLP in Ottawa, says the privacy aspect means a key skill for in-house counsel is having sufficient knowledge of regulatory frameworks to understand when they are triggered in the advent of a data breach. Organizations should either have internal expertise or retain external counsel who has that knowledge, Bernier says.
In-house counsel should also keep an eye on global trends, not just around technology but around the legal impact of a successful cyberattack. Bernier’s experience with both the federal government and now as external counsel is that senior management often underestimates the importance of security, as well as the legal repercussions that come with a data breach. In-house counsel needs to engage with C-level executives to educate them from a corporate risk management perspective.
Advice needs to be ongoing, Bernier adds, particularly whenever new technology is adopted. Bernier cites the bring-your-own-device phenomenon as a prime example of a trend that requires the input of in-house counsel on what the privacy issues and risks to the business are with regard to employees carrying corporate data on their own smartphones or tablets.
Training around privacy issues has become increasingly important, according to Éloïse Gratton, a partner at Borden Ladner Gervais LLP in Montreal. “More and more in-house lawyers are taking privacy courses or having privacy certifications,” she says. Gratton also serves as national co-leader of the firm’s national privacy and data security practice group and sees about 15 to 20 breaches a year. “At the end of the day, you need to understand the frameworks.”
In addition to ever-evolving privacy legislation, there is also case law over the years that can provide an indication as to the consequences an organization might face if it has a data breach of any kind, Gratton says. When one occurs, counsel should keep in mind what a privacy commissioner will scrutinize, such as whether its security technology is industry standard. For example, if a data breach occurred via a compromised laptop, was the data on it adequately encrypted? What kind of governance was in place?
What are the policies in place for employees to support the safeguarding of customer information and intellectual property?
Cybersecurity is core to
corporate risk management
If a third-party service provider is involved, organizations should make sure they are transferring only the data that is necessary for that function. And in an era of Big Data where many businesses rely heavily on analysis of customer information and behaviour to make decisions, Gratton says they need to know who is using personally identifiable information and how it is being aggregated. “It’s not always clear at what point a piece of information is anonymized,” she says.
As use of outside providers through models such as cloud computing expose PII to third parties, it calls for robust contractual terms, which is a tangible area where in-house counsel can flex their muscle around cybersecurity and mitigate risk, says Kroman, as well as advise on the necessity for cyber insurance, which is growing in popularity.
The balancing act of going public
Bernier says it takes a flexible personality to fill the in-house counsel role and navigate the opposing demands of the law and the interests of the corporation. “They have to be strong enough to enlighten senior management on the legal risk while balancing the commercial risk,” she says. “In-house counsel must be able to provide senior management with the exact possible level of legal risk.”
Bernier says in-house counsel might be inclined to go public to mitigate legal exposure to the organization, while senior management is likely worried about managing reputation. “Where it really comes to a head is breach notification.”
It’s a prime example of where legislation is changing. In-house counsel will have to prepare their organization, says Bernier. Last June, Canada passed into law Bill S-4 — The Digital Privacy Act, which makes a number of important amendments to the Personal Information Protection and Electronic Documents Act. One of the key changes was mandatory breach notification, so that under PIPEDA, organizations are required to give notice to the affected individuals and to the Office of the Privacy Commissioner of Canada about data breaches in certain circumstances.
The changes in PIPEDA regarding mandatory breach notification are similar to the existing common practice under Alberta privacy law, and since PIPEDA covers far more organizations and activities across Canada, the introduction of breach notification is expected to dramatically increase the number of notices in Canada.
PIPEDA will require organizations to notify individuals, unless otherwise prohibited by law, and report to the commissioner all breaches where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual.”
The challenge for organizations and in-house counsel, says Bernier, is determining if there is a real risk and how to go about notifying affected individuals. The law does provide some parameters, she says, but, ultimately, “in-house counsel must be part of the discussion because it is a legal standard.”
Any breach response policy should outline who should be contacted and when, says Gratton. “There should already be a team in place.” That team should include key people not only in information technology but also marketing and public relations. “You have to decide how you will notify people.”
Nowadays, it makes sense to have a social media expert to disseminate important information to affected customers, and if the organization has a call centre, a script should be prepared for any questions that come in.
It can be a challenge for an organization to identify a breach, says Gratton, but even if it thinks it has everything under control, being hasty can sometimes lead to deleted data and lost evidence, which can make the situation even harder to remediate. She recommends that in-house counsel bring in someone with cyber-forensics expertise.
Because businesses operate almost exclusively on cyber-platforms, says Bernier, protecting the data entrusted to you by users has become a central part of corporate management risk. “Cyberattacks are incessant, they are persistent, and you can’t bury your head in the sand.”
An inside job
Kroman breaks down the sources of cybersecurity threats into four main groups. The attacks are sophisticated and well funded. Not surprisingly, a chief source is criminal organizations, often looking to exhort money from businesses, while nation states through the arm of a government are also commonly responsible for cybersecurity breaches for political gain. Similarly, hacktivists also have political as well as ideological motives for stealing corporate data.
But not all threats are driven by money, ideology, or politics, says Kroman. Insiders are also a major threat to customer information and intellectually property. Disgruntled employees, both current and former, might have an axe to grind.
A recent study released by the Washington, DC-based Association of Corporate Counsel Foundation found that a third of in-house counsel have experienced a corporate data breach, with 47 per cent of respondents reporting that the breach occurred recently — either in 2014 or 2015. Data breaches were more common at large companies: 45 per cent of in-house counsel working at companies with 5,000 or more employees said they work at or have worked at a company that experienced a breach.
The “State of Cybersecurity Report,” which, according to the ACC, is the largest study of in-house counsel on the subject of cybersecurity, also found that breaches were more than twice as likely at the largest companies and most likely to be the result of internal factors — employee error or an inside job.
Getting a seat at the table
The study found that more than half of in-house counsel reported their companies were increasing spending on cybersecurity, based on input from more than 1,000 in-house counsel at 887 organizations in 30 countries, including 77 per cent who hold the positions of GC or chief legal officer.
Among this constituency, 50 per cent want to increase their role and responsibility regarding cybersecurity, while 57 per cent expect that the law department’s role in cyber matters will increase in the coming year.
One of the challenges in-house counsel may face is that they don’t have visibility at the executive level, says ACC vice president and chief legal strategist Amar Sarwal, and cybersecurity, much like a company’s customer information and intellectual property, is diffused throughout the organization. “It’s not all together clear who has the primary responsibility,” he says.
Sarwal says companies in highly regulated sectors have moved lawyers into the C-suite, but many companies still have their in-house counsel deeply embedded in one department, usually finance. Smaller companies, meanwhile, have a harder time grappling with the legal issues around cybersecurity due to resource constraints, he adds, but still face the same threats as larger ones, including internal risks to intellectual property. “Every employee wants to use their iPhone. It’s really employee error that is the weakest link in the chain.”
Although employee error is the most common reason for a breach in all global regions except for Asia Pacific, fewer than half of in-house counsel reported that mandatory training exists at their companies, according to the ACC study, and even fewer say that their corporations track or test employee knowledge.
Justine Laurier, an associate at BLG with a focus on labour and employment law, says in-house counsel must do more than draft a cybersecurity policy and have a response plan in place. Employees must be made to understand the potential consequences should the business be a victim of a cyberattack, as well as the potential negative effect to their livelihoods. “The management team should be aware of policies, how they are implemented, and what their role is as managers with respect to privacy issues,” she says.
The ACC study did find that 56 per cent of GCs and CLOs stated that their companies are allocating more money to promote cybersecurity prevention than one year ago, while one-third of GCs and CLOs say they have retained outside counsel to help should a cyberbreach occur.
In-house counsel should also look to other companies in their industry to share best practices, Sarwal says, as well as intelligence when there are breaches. While traditionally there has been reluctance to share with others for fear of liability, high-profile data breaches suffered by retailers prompted the Retail Industry Leaders Association to launch the Retail Cyber Intelligence Sharing Center so brands and government could collaborate on strengthening defences against cyberattacks and better protect customers.
Cybersecurity as the cultural norm
Sarwal sees cybersecurity as social engineering issue, not just a technology issue. “It’s really hard to design around these issues.” He says organizations need to look at their own business model and understand what role information plays in it. “A lot of companies are extremely reactive.”
Cybersecurity is a complex area for in-house counsel, not just from a technology perspective, says Sarwal, and it’s not for the meek. They are in a position where they need to create a culture of compliance within their organization by marshalling every division and bringing them together. “It’s a people issue. In-house lawyers can’t fire their clients.”
Sarwal believes that training of employees around basic cybersecurity best practices will have to become the norm so they treat it as something they have to do and realize it’s at the heart of the business.
“Cybersecurity knowledge is going to become a requirement.”