Canadian Lawyer

February 2017

The most widely read magazine for Canadian lawyers

Issue link: https://digital.canadianlawyermag.com/i/777081

There are three types of entities in the world of cybersecurity: Those whose systems have been hacked, those who don't know they've been hacked and those whose systems are about to be breached. The liabilities are palpable; not just because of the brand and reputational damage or the financial cost but because it opens doors for lawsuits.

Case in point: It took less than 24 hours for Ted Charney of Charney Lawyers to team with Sutts Strosberg LLP and announce a $50-million class action lawsuit following last November's revelation that personal data and financial credit card details from thousands of employees, players and guests at Ontario's Casino Rama had been breached.

Cybersecurity isn't just the IT department's issue anymore; every C-suite office has a stake, including and not least, legal. "I think the bigger companies are getting it, but not so much the mid-size and smaller enterprises, who, to be fair, don't always have the same resources," says Imran Ahmad, a business law partner at Miller Thomson LLP who also sits on the Canadian Advanced Technology Alliance Cyber Council, an industry group seeking to raise awareness about online security.

Advanced planning is the key to mitigate legal liabilities, he says, and to be successful counsel should be involved early on in any discussion of network and data security. Sadly, it isn't always the case, says Katherine Thompson, chair of CATA's Cyber Council, and compounding the issue isn't a lack of security expertise, it's the inability to see the bigger picture and formulate a planned response. Given the myriad regulatory burdens, the risk to brand, the impact to the bottom line and the damage that may accrue going forward, she says, it's a stunning oversight. "Too often, they only bring the lawyer in when there's a hack," she says, leaving counsel to fight a rearguard action and oversee damage control. It's too short-sighted, she says.

If clients prudently follow industry best practices of security precautions and keep protocols up to date, it's more likely a court will mitigate any claims for damages because of their due diligence, Ahmad says. He finds it shocking that many companies have a disaster recovery plan on hand but have never considered a cyberbreach response plan.

Like any crisis plan, it should have a response team identified for immediate notification and include C-suite executives, notifying the board of directors along with media relations experts, government relations specialists and contacts at the insurance company. Others also need to be on deck for an immediate and reasoned public response as well as meeting any regulatory or legislative requirements. And that includes having experienced legal counsel.

"You can't go to the local police or even the RCMP and expect them to do anything for you," he says. "They don't have the resources. You're on your own so you have to have a plan." And even if a trace back is possible, he says, it's unlikely there will be a fingerprint on a smoking keyboard. Being proactive is the only assurance, he says.

As such, more companies are also including a cybersecurity audit of third-party vendors to qualify them. "In one case, a hospital's data was compromised because they hacked in through an HVAC contractor's credentials," Ahmad says. "So you have to look at access. Why does the parking lot contract have access, for example?"

Thompson says companies collecting customer data are also going to have to up their game in 2017 as changes flow from last June's passage of the Digital Privacy Act, amending the Personal Information and Protection of Electronic Documents Act, and address reporting, notification and documentation. They're expected to be flagged and then enacted by the summer, increasing the legal liability on any entity that stores personal information and requiring a log of all activities.
Legislative penalties aside, the costs of a breach add up quickly. The IBM Ponemon
