There are three types of entities in the world of cybersecurity: Those whose systems have been hacked, those who don’t know they’ve been hacked and those whose systems are about to be breached.
The liabilities are palpable; not just because of the brand and reputational damage or the financial cost but because it opens doors for lawsuits.
Case in point: It took less than 24 hours for Ted Charney of Charney Lawyers to team with Sutts Strosberg LLP and announce a $50-million class action lawsuit following last November’s revelation that personal data and financial credit card details from thousands of employees, players and guests at Ontario’s Casino Rama had been breached.
Cybersecurity isn’t just the IT department’s issue anymore; every C-suite office has a stake, including and not least, legal.
“I think the bigger companies are getting it, but not so much the mid-size and smaller enterprises, who, to be fair, don’t always have the same resources,” says Imran Ahmad, a business law partner at Miller Thomson LLP who also sits on the Canadian Advanced Technology Alliance Cyber Council, an industry group seeking to raise awareness about online security.
Advanced planning is the key to mitigate legal liabilities, he says, and to be successful counsel should be involved early on in any discussion of network and data security.
Sadly, it isn’t always the case, says Katherine Thompson, chair of CATA’s Cyber Council, and compounding the issue isn’t a lack of security expertise, it’s the inability to see the bigger picture and formulate a planned response.
Given the myriad regulatory burdens, the risk to brand, the impact to the bottom line and the damage that may accrue going forward, she says, it’s a stunning oversight.
“Too often, they only bring the lawyer in when there’s a hack,” she says, leaving counsel to fight a rearguard action and oversee damage control.
It’s too short-sighted, she says. If clients prudently follow industry best practices of security precautions and keep protocols up to date, it’s more likely a court will mitigate any claims for damages because of their due diligence, Ahmad says.
He finds it shocking that many companies have a disaster recovery plan on hand but have never considered a cyberbreach response plan.
Like any crisis plan, it should have a response team identified for immediate notification and include C-suite executives, notifying the board of directors along with media relations experts, government relations specialists and contacts at the insurance company. Others also need to be on deck for an immediate and reasoned public response as well as meeting any regulatory or legislative requirements. And that includes having experienced legal counsel.
“You can’t go to the local police or even the RCMP and expect them to do anything for you,” he says. “They don’t have the resources. You’re on your own so you have to have a plan.”
And even if a trace back is possible, he says, it’s unlikely there will be a fingerprint on a smoking keyboard.
Being proactive is the only assurance, he says. As such, more companies are also including a cybersecurity audit of third-party vendors to qualify them.
“In one case, a hospital’s data was compromised because they hacked in through an HVAC contractor’s credentials,” Ahmad says. “So you have to look at access. Why does the parking lot contract have access, for example?”
Thompson says companies collecting customer data are also going to have to up their game in 2017 as changes flow from last June’s passage of the Digital Privacy Act, amending the Personal Information and Protection of Electronic Documents Act, and address reporting, notification and documentation. They’re expected to be flagged and then enacted by the summer, increasing the legal liability on any entity that stores personal information and requiring a log of all activities.
Legislative penalties aside, the costs of a breach add up quickly. The IBM Ponemon Institute 11th annual Cost of Data Breach Study set the average consolidated total cost of a data breach at US$4 million, up from US$3.8 million globally and up 29 per cent since 2013. Each lost or stolen record with sensitive and confidential information alone cost US$158, up 15 per cent since 2013.
Further, the study found, 54 per cent of all breaches in Canada came from hackers and criminal insiders, which in turn meant companies in the U.S. and Canada spent the most to resolve a malicious or criminal attack, US$236 and US$230 per record, respectively.
Size also matters: The more records lost, the higher the cost of the data breach. The cost ranges from $2.1 million for a loss of less than 10,000 records to $6.7 million for more than 50,000 lost or stolen records.
Further complicating things, for corporations operating globally, laws around computer technology vary and so do interpretations, notes Queen’s University professor David Skillicorn, who heads the Smart Information Management Laboratory at the School of Computing and is an adjunct professor at the Royal Military College of Canada.
“The laws in Australia are written with nearly exactly the same wording,” says Skillicorn, speaking via Skype from the University of Sydney where he was researching while on sabbatical.
“But they are interpreted completely differently. In Australia, if an ISP sees something, malware or whatever, they just go into your computer and deal with it. They’d never do that in Canada. They don’t need your permission [and] the law is virtually the same.”
One of the issues lawyers face in advising clients is that the existing legislation in most jurisdictions simply hasn’t kept pace with the technology.
“And often, it all hinges on interpretation,” Skillicorn says.
“At the University of New South Wales, one of the hottest courses is law and computing,” he continues. “It’s taken over from business because law firms are looking to hire people with these skills.”
As of yet, those blended courses don’t exist in Canada and that’s a problem, Skillicorn says, though it is starting to pop up in other countries with graduates going into national security and military service.
“Even so, there just aren’t enough truly qualified cybersecurity experts,” he says. “It’s a case of the blind leading the blind because there’s a chronic shortage of people who can help businesses with their due diligence.”
It seems an overwhelming challenge, but lawyers are making headway, says Christine Ing, a partner at Blake Cassels & Graydon LLP in Toronto, who as co-practice group leader of the Information Technology group, is focused on technology law and intellectual property.
There’s more pressure coming from insurers, she adds: “Companies are being advised to get insurance by counsel and then [they] find insurers who want to see security practices and policies in place and this, too, is driving change.”
For counsel, getting a seat at the table to have input with large clients at the highest level isn’t a problem anymore.
“Maybe a few years ago we didn’t have a seat, but these days they’re pulling out the chair and asking us to sit,” she laughs.
At the large enterprise level, boards are much more aware and have a wealth of input from their advisors, which include legal, accounting, marketing, communications and security as well as IT, Ing says.
“They know the attack vectors are always changing, like a Whac-A-Mole game,” she says, noting the threats are as diverse as the targets.
Beyond just personal information, there is the threat of ransomware, state-sponsored terrorism, organized crime and the sometimes pure opportunism that target credit card and financial details, intellectual property, proprietary research on acquisitions or even inside information on publicly traded companies.
Then there are business-to-business contractual agreements that invoke strict penalties and even fines if one party suffers a data loss as a result of the other being hacked, especially in the financial services sector.
Each of these vectors invokes a different regulatory and legislative regime and counsel has to stay on top of changing laws and differing reporting requirements, many with varying timelines for reporting, requiring different levels of detail.
“You can’t say you have the best practices in place if you haven’t updated them and stayed consistent with the industry’s best practices,” Ing says. “It doesn’t have to be perfect; it just has to meet a reasonable standard.”
Getting a handle on those best practices, staying current and understanding the shifting legal landscape are the next horizon challenges for lawyers, suggests Sheldon Shaw, cyber analytics lead at SAS, who spent 16 years in intelligence services before joining the public sector.
He says the awareness that began at the national security agency level has permeated to the private sector.
“I think we’re seeing C-suites embrace the issue more holistically,” he says. “And that includes getting better legal advice. We saw it 15 years ago with the U.S. Department of Justice where there was a joining of IT people and legal.”
The greater issue, he says, however, may not be awareness, since the daily headlines are hard to ignore, but finding qualified legal counsel to provide prudent advice.
The U.S. is further ahead than Canada in offering IT and cybersecurity-driven courses in law schools as part of the curriculum.
“Certainly, in medical malpractice, you have some lawyers who have gone to medical school or have taken the time to learn how certain drugs interact,” he says. “I think there’s a parallel there in law and cyber-terrorism.”
With that growing awareness and maturity, says Barry Sookman, senior partner with McCarthy Tétrault LLP’s Toronto office and former co-chairman of the firm’s Technology Law Group, lawyers are looking forward to the third phase of cyberbreach: the aftermath.
“In the ‘before’ phase we tell clients to follow best practices, to have a plan in place,” says Sookman. “Because what happens in the ‘during’ and the ‘after’ phase depends on what you do in the ‘before’ phase.”
There’s also the challenge of multiple jurisdictions, each with differing disclosure demands, he says: “So you need to know which jurisdictions you need to respond to first, and at what level.”
With the issue front and centre at the board level, there are resources being deployed to that initial phase, which, as everyone agrees, will mitigate the liabilities and fallout from the other phases.
“When it happens it’s like being in the middle of a crisis,” he says. “So you want to ensure you’ve enlisted people with experience who can make decisions calmly and know what to do at every turn.”
Demonstrating due diligence is critical. When Home Depot’s network was targeted by malicious software using access credentials stolen from a third-party vendor over five months in 2014, some 56 million customers’ credit card details were stolen. Two years later, there was a US$19-million settlement.
More to the point, though, last November, Home Depot successfully repelled a class action D&O suit from derivative shareholders who took a hit when the stock fell. In his ruling the judge found the plaintiffs did not establish that the board consciously failed to act. While pace of the cybersecurity upgrades was questionable, it was a business decision and plans were in place and action was being taken, the court found.
Sookman adds that rulings like this and others are why litigators are finding slim pickings in the wake of a cyberbreach, because due diligence reduces damages, so there’s less chance of a big payday.
If you handle the first two phases according to plan, he says, then the third phase is about getting proactive. Looking forward, he says, those companies that have followed prudent counsel and done their homework are also better positioned not just to fight off lawsuits but to proactively go out and undo some of the brand and reputational damage.
“They’re not doing it now, but I think they should go out and demand that information leaked and posted on the Internet from a cybersecurity breach be taken down and de-indexed from search engines,” he says. “It isn’t rocket science and many of the media companies — those protecting copyright of music, movies or other content — do it now.”