Legal news and trends for Canadian in-house counsel and c-suite executives
Issue link: https://digital.canadianlawyermag.com/i/129296
managing director and head of Kroll Advisory Solutions' cyber investigations practice, an organization often brought in after a data breach has occurred.

"I would suggest the number of those not prepared to handle this is a much greater percentage," says DuBose. "I think there is a gap between the concern and knowing what to do because for so long IT security has been left to the IT staff and they're very good at their jobs but when it comes to preventing and investigating breaches that's not their specialty."

When corporations are putting together policies around IT, they will often bring in the business unit owners, but Milrad says it doesn't seem in-house counsel are top of mind for inclusion in those discussions. But they should be, because they are the ones who can help develop strategy and create policies to protect the business.

"In-house legal departments need to be more aware and get more involved in working with their IT directors and chief information officers," says Milrad.

Piasentin says Sierra Systems' IT department is partially based in the U.S. and they are "often hyper-sensitive to the nature of cyber threats" given the kind of work the company does.

"They're always going further than most businesses might consider necessary to make sure we're protected against a cyber threat," says Piasentin. "They will try and bring me in when they think there's something that needs to be decided from a policy level, or if there's an actual attack ongoing — not that we've had very many. I try to insert myself to the extent I can to make sure we're not doing anything in violation of any applicable legislation."

In the event of a data breach, Piasentin says he would be the first person the IT department would contact to inquire what the response should be from the legal and business perspective.

"In some situations I've gone to external counsel when I needed to get additional advice," he says.

Often, he says, actions would probably depend on what was lost.
In some cases, loss of data around clients could trigger an investigation from the privacy commissioner.

"The first question is always, 'What has actually been breached?' We've fortunately never got to that stage where client information was lost of any sensitive nature."

One of the things DuBose says Kroll recommends to companies that have concerns is to get an independent information risk assessment by a third-party firm.

"We do them, others do them, but it's a way of getting a network health check-up on your system — both on policies and data retention procedures, vulnerabilities in software — and really gives a good sense of where you are and where the state of your data security is," says DuBose.

Barry Sookman, a technology and intellectual property lawyer with McCarthy Tétrault LLP in Toronto, says there are more class action lawsuits emerging around data breaches. For example, when Sony's PlayStation Network was hacked and personal information of account holders was exposed, it gave rise to a class action in Canada.

"Every major corporation in this country is either at risk of being infiltrated, has been infiltrated and knows it, or more likely has been infiltrated and doesn't know it, and their trade secrets and personal information is all going overseas. It's a huge problem," says Sookman. "There is also the threat to crippling power grids, water supplies, and other utilities as well as the financial system. That is a clear and present danger we're facing."

Sookman says he is getting more questions from general counsel on cyber threat risks.

"I definitely get those kinds of questions. It can be about social media policies or they've had a data breach. They may not have had to work through them before. GCs are very interested in these issues, and it is very top of mind for CEOs, CIOs, and general counsel.
But it's also a concern for lawyers in the bigger companies who are specialists in these areas who go internally because they have developed expertise in this area themselves. If it's a big data breach case though they're going to call outside counsel."

While some general counsel may feel it's not their territory to call for the kind of review DuBose recommends, it may be time for data security to become just as important as other areas of risk the in-house department oversees.

"We have seen breaches where we're retained by outside counsel for privilege issues but the general counsel has a major decision-making role in what happens and what they're willing to pay to clean up the mess," says DuBose.

While there's no such thing as a 100 per cent secure network, DuBose says 95 per cent of all breaches can be avoided with some medium-cost security measures implemented. When it comes to cyber threats of trade secrets and other proprietary data, over two-thirds of that type of cyber threat is a result of activity by malicious insiders such as ex-employees or angry IT administrators on their way out.

With increased focus on the issue of cyber security, DuBose predicts there will be more civil actions litigating liability for negligence or recklessness on the part of companies in breach situations.

"It's already starting in insurance companies who are looking at cyber liability insurance and requiring from their clients certain conditions and measures be implemented before they are eligible for that kind of insurance."

www.canadianlawyermag.com/inhouse, June 2013