The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/777081
Page 36, February 2017, www.CANADIANLawyermag.com

Institute 11th annual Cost of Data Breach Study set the average consolidated total cost of a data breach at US$4 million, up from US$3.8 million globally and up 29 per cent since 2013. Each lost or stolen record with sensitive and confidential information alone cost US$158, up 15 per cent since 2013.

Further, the study found, 54 per cent of all breaches in Canada came from hackers and criminal insiders, which in turn meant companies in the U.S. and Canada spent the most to resolve a malicious or criminal attack, US$236 and US$230 per record, respectively.

Size also matters: The more records lost, the higher the cost of the data breach. The cost ranges from $2.1 million for a loss of less than 10,000 records to $6.7 million for more than 50,000 lost or stolen records.

Further complicating things, for corporations operating globally, laws around computer technology vary and so do interpretations, notes Queen's University professor David Skillicorn, who heads the Smart Information Management Laboratory at the School of Computing and is an adjunct professor at the Royal Military College of Canada.

"The laws in Australia are written with nearly exactly the same wording," says Skillicorn, speaking via Skype from the University of Sydney where he was researching while on sabbatical. "But they are interpreted completely differently. In Australia, if an ISP sees something, malware or whatever, they just go into your computer and deal with it. They'd never do that in Canada. They don't need your permission [and] the law is virtually the same."

One of the issues lawyers face in advising clients is that the existing legislation in most jurisdictions simply hasn't kept pace with the technology.

"And often, it all hinges on interpretation," Skillicorn says.

"At the University of New South Wales, one of the hottest courses is law and computing," he continues.
"It's taken over from business because law firms are looking to hire people with these skills."

As of yet, those blended courses don't exist in Canada and that's a problem, Skillicorn says, though it is starting to pop up in other countries with graduates going into national security and military service.

"Even so, there just aren't enough truly qualified cybersecurity experts," he says. "It's a case of the blind leading the blind because there's a chronic shortage of people who can help businesses with their due diligence."

It seems an overwhelming challenge, but lawyers are making headway, says Christine Ing, a partner at Blake Cassels & Graydon LLP in Toronto, who as co-practice group leader of the Information Technology group, is focused on technology law and intellectual property.

There's more pressure coming from insurers, she adds: "Companies are being advised to get insurance by counsel and then [they] find insurers who want to see security practices and policies in place and this, too, is driving change."

For counsel, getting a seat at the table to have input with large clients at the highest level isn't a problem anymore.

"Maybe a few years ago we didn't have a seat, but these days they're pulling out the chair and asking us to sit," she laughs.

At the large enterprise level, boards are much more aware and have a wealth of input from their advisors, which include legal, accounting, marketing, communications and security as well as IT, Ing says.

"They know the attack vectors are always changing, like a Whac-A-Mole game," she says, noting the threats are as diverse as the targets.

Beyond just personal information, there is the threat of ransomware, state-sponsored terrorism, organized crime and the sometimes pure opportunism that target credit card and financial details, intellectual property, proprietary research on acquisitions or even inside information on publicly traded companies.

Then there are business-to-business contractual agreements that invoke strict penalties and even fines if one party suffers a data loss as a result of the other being hacked, especially in the financial services sector.

Each of these vectors invokes a different regulatory and legislative regime and counsel has to stay on top of changing laws and differing reporting requirements, many with varying timelines for reporting, requiring different levels of detail.

"You can't say you have the best practices in place if you haven't updated them and stayed consistent with the industry's best practices," Ing says. "It doesn't have to be perfect; it just has to meet a reasonable standard."

Getting a handle on those best practices, staying current and understanding the shifting legal landscape are the next horizon challenges for lawyers, suggests Sheldon Shaw, cyber analytics lead at SAS, who spent 16 years in intelligence services before joining the public sector.

He says the awareness that began at the national security agency level has permeated to the private sector.

"I think we're seeing C-suites embrace the issue more holistically," he says. "And that includes getting better legal advice. We saw it 15 years ago with the U.S. Department of Justice where there was a joining of IT people and legal."

The greater issue, he says, however, may not be awareness, since the daily headlines are hard to ignore, but finding qualified legal counsel to provide prudent advice.

The U.S. is further ahead than Canada in offering IT and cybersecurity-driven