The hackers have gotten in. Now what?

Seth Rogen’s brow furrows, then his eyes widen. He is sitting next to James Franco and he clearly cannot believe what he is hearing.

“Are you saying . . .” he begins.

It is a scene from The Interview, the recent film in which Rogen and Franco star as members of a TV program who are asked by the CIA to assassinate North Korea’s Kim Jong-un. While the reaction of Rogen’s character to this request is understandable, it is probably just a fraction of the surprise and horror that ran across the faces of executives at Sony Pictures Entertainment, the studio which produced The Interview, when the entire company was hit with a data breach that exposed highly confidential information and rendered most of its computer systems inoperable.

Unfortunately, the Sony Pictures cyber attack is only the latest in an increasingly high-profile set of incidents involving brand-name organizations. In fact, 2014 may go down as a banner year in which Target, Home Depot, and several others found themselves trying to explain not only what information was lost, but how it could have happened in the first place. Although many of the major headlines concerned firms in the United States, Canada has hardly been immune, with the Treasury Board Secretariat responding to data breaches at the National Research Council, Canada Revenue Agency, and others.

All this means the role of general counsel in helping to prevent data breaches, or contribute to the response plan, will be more important in the coming year than ever before. Consider the following elements as you develop a more proactive cyber-security strategy in 2015.

Turn panicked headlines into an action plan

The media coverage of a hacker attack may raise uncomfortable questions about how well-prepared your own organization would be in similar circumstances. General counsel shouldn’t hide from these questions but capitalize on the interest.

“You always kind of say, ‘There but by the grace of God go I,’” says Alexis Kerr, general counsel for Fraser Health Authority in British Columbia. “It does help to have those types of stories to bring it to the attention of the board, of senior management or your executive, depending on what kind of organization you are. You’re able to say, ‘These things do get a lot of attention,’ particularly when there was some kind of failing by the organization to do the groundwork it should have done.”

Adam Kardash, privacy law leader at Osler Hoskin and Harcourt LLP, agrees. “We’re already seeing a palpable change across our client base and in a number of different sectors in how senior management and those at the board level are addressing cyber-security threats,” he says. “One of the main reasons for that is the press reports and blog reports about the increase in the sophistication and volume of cyber-security threats. Companies now are just beginning to focus much more significantly on making sure that they have the appropriate data governance in place.”

If it’s not already an agenda item, use some of the recent news to kick-start a conversation among the stakeholders who can help get that plan going.

Determine legal’s role and contribution to ongoing organizational reviews

Some of the attacks and data breaches that have taken place involved techniques that would have been unthinkable years ago. As a result, corporate counsel may not be prepared to know all the potential threats, but the scope of their responsibility for data-breach mitigation or notification needs to be well-understood.

“Legal is always the quarterback in these matters,” says Jason Maloni, senior vice president and litigation practice chair at Levick in Washington, D.C. In March Maloni will be in Ottawa for a Conference Board of Canada event dedicated to cyber security, where he will discuss tips for addressing the fallout from data breaches.

Of course, the in-house team may turn to external counsel, but avoid a jack-of-all-trades, Maloni says. “I can’t state how important it is not just to have a lawyer involved, but the right lawyer involved. With health-care records, you need someone who understands the health-care legislation. If you’re dealing with payment data, it’s got to be someone fluent in those transactions. One lawyer is not like another lawyer.”

Kerr says she serves in more of an advisory capacity at Fraser Health Authority, where data protection falls under the information management team. However, Chantal Bernier, counsel with the privacy and security practice at Dentons Canada LLP, suggests there is sometimes an “over-delegation” of IT security to the CIO.

“General counsel has a crucial interpretative role, almost a translator’s role, in the sense of interpreting the legal principles to ensure they are met in a variety of constantly changing technical applications,” she says.

Kerr suggests in-house lawyers may also help remind the organization that organizational reviews of risks and data-breach plans are never fully complete.

“You’re always a step behind the changes in technology, but that’s part of the reason why the idea of doing a privacy and risk assessment is a living process, a living document,” she says.

Answer the question, “What have we got to lose?”

Part of what makes data-breach mitigation and notification so challenging is what Kardash calls “data ubiquity” — the fact that information is now distributed across organizations, fed to mobile devices, sitting on the servers of third-party vendors and suppliers via cloud computing and in some cases hosted outside of Canada entirely.  

“The harder it is to identify the data in your company and being able to keep that clear, the more you’re going to have natural challenges,” he says. “That doesn’t mean it can’t be overcome, it just requires a more vigilant data governance.”

Daniel Caron, legal counsel at the Office of the Privacy Commissioner of Canada, suggests data governance should start with minimizing what kind of information is collected. Perhaps because of all the various channels that can collect customer or employee information, too many organizations have a tendency to hoard as much as possible just in case it might prove valuable later. This is one of the concerns U.S. federal telecommunications chairwoman Edith Ramirez recently raised in a speech about what’s called the “Internet of Things,” which could potentially mean data gets exchanged between everything from laundry machines to thermostats.

“If you don’t have the data in the first place, you can’t get breached,” Caron says.

After minimizing data collection, consider isolating or at least making sure what’s critical has a greater degree of encryption or other protection, Bernier suggests.

“You know you’ll be breached, but the breach will not be consequential, because the personal information, the critical information, is secured or is segregated in a manner that makes it hard to reach,” she says.

Information also changes shape considerably over time. Just ask Kerr, who points out that what we once thought of as a patient record — a piece of paper with a doctor’s near-illegible scrawl — now may be just one component of a multimedia file exchanged across institutions.

“It does make things very complicated in terms of figuring out how to strike the balance between the need to share information, which is legitimate, but also the need to protect information appropriately so that people who don’t need it don’t have access to it,” she says.

Maloni offers a good way to test this: Once you know what’s valuable, where do you keep it? “Too many folks would struggle to answer that question,” he says.

Take the data breach plan beyond the boardroom

Conversations about risk mitigation and notification may start out at the top, but that’s not where they should end.

“It’s about discussing [the plan] with front-line managers to make sure they put into practice whatever is set up. It’s not a job for one person,” Caron says. “You can have those at the top setting up the strategy and the structure, but employees must know what the strategy is and know the importance of protecting information.”

For Kerr, it’s a matter of articulating when the alarm bells should go off, and who should hear them. “I think a big issue is whether or not your employees recognize that there’s been a privacy breach,” she says. She gives the example of a home-health nurse who may have lost her bag on a subway or B.C.’s SkyTrain. That should prompt an immediate discussion about what might have been in the bag — physical records, a BlackBerry, or laptop with electronic patient files — and what can be deleted remotely.

“Staff need to know both what they should and shouldn’t be doing with information, but when it gets compromised, to recognize it immediately and report it up the chain as your breach policy requires,” she says.

Before you notify, think through what you’re saying — and how

When the worst happens and an organization suffers a data breach, Caron says organizations need to make sure that not only the affected individuals but other entities, including the police, insurance companies and, yes, the relevant privacy commissioner are told. In terms of the form used, he says the information shared in a specific notification will vary depending on the type of breach.

“I think that at a minimum, what happened and the type of information at issue or what was compromised should be conveyed,” he says. “They should also possibly say what the organization is doing, [and] what it has done, to control the situation at the outset. What are the next steps? I don’t think there’s a specific form, but I think something that contains those elements will be ultimately constructive.”

Maloni warns against giving in to “Internet culture,” where there’s a tendency to expect in-depth information immediately. “People don’t realize the length and the depth it takes to get to the bottom of these things. It’s not as simple as, ‘The bank was robbed, and here’s what they took,’” he says, adding that printed letters may be more effective in some cases than sending people an e-mail or taking out an ad. “There’s an advantage to old technology. That is the default option.”

Part of what guides the notification process should be the potential impact of the breach on individuals, says Kerr. “[With health care], you’re talking about some of the most sensitive information someone may have,” she says. “Whether or not it is particularly damaging to them as identity theft might be, in many cases it’s the most humiliating information to have exposed.” Could the lost information, if it were exposed, cause someone discrimination in getting a job because they have a health condition they haven’t made public, for example?

Establish the post-crisis metrics that matter

As bad as data breaches are, they need not cripple a company. Maloni, who says he has been involved in more than 100 cases, notes that in the case of public companies, a data breach might cause a stock price to dip, but some of those involved in high-profile incidents years ago are now trading up 10 times what they were. Instead, organizations should spend time thinking about how they could better gauge the success of their mitigation and notification strategy — and it shouldn’t just be that nothing bad has happened lately.

“It comes back to the fact that somebody’s going to look at a Home Depot and they might think, ‘You’re not as safe as if I take a left turn and go into Lowe’s,’” he says. “In some firms, it could be looking at traffic in stores. It’s anything you can use to show that people have perceived what you’ve done is there, and that they still trust you.”

Maybe this is the ultimate goal of data-breach mitigation and notification: If your story ends well, the rest of the world will be all too eager to hear it. Except this time, you’ll be in charge of the storytelling.