Legal news and trends for Canadian in-house counsel and c-suite executives
Issue link: https://digital.canadianlawyermag.com/i/786678
21 CANADIANLAWYERMAG.COM/INHOUSE MARCH 2017 danger and more of a safeguard. Already, 63 per cent of fi rms surveyed said they run much of their IT in the cloud, and 62 per cent use managed services for cybersecuri- ty. More than half, or 57 per cent, are using biometric technology to ensure that only the right people have access to certain data, and 51 per cent are even using "big data" — unstructured information that is more of- ten touted for its potential in marketing and sales functions — to protect things such as customer records. David Craig, a partner with the Risk As- surance, Cybersecurity & Privacy practice at PwC Canada in Toronto, suggests in-house counsel not only be an advocate for these kinds of investments and strategies. They can work with the chief information security offi - cer, or CISO, to become what he describes as a "data protection offi cer" — raising aware- ness without necessarily being alarmist. "Their challenge is to become more op- erational, and to understand they have to make those investment decisions or help build the business cases and not be driven purely by compliance," he says. GCs could start by better understanding the very nature of their organization's data, Craig says. Is it going to exist everywhere, will it grow exponentially and what will be controlled by the company? Legal teams can also assist with "data classifi cation," recognizing that not everything can be pro- tected equally all the time but that some is more sensitive than others. From a policy perspective, Craig says in-house lawyers could also take the lead on things such as "extortion planning." While some companies have a stance on whether they would pay someone who kidnaps an employee, they may not have defi ned a response to data loss or theft. This could be as important as preparing for data breach notifi cation laws that may be on the horizon, he adds. "When you have a breach, just inves- tigating that breach can be an expensive proposition," Laliberte says. "Fixing it is another big cost. The PR might be even more expensive." To be an in-house lawyer who not only steers the policy but collaborates on the strategic use of technology to avoid such disasters, on the other hand, may become nearly as priceless as customer data itself. IH THE AI ANSWER TO CYBERSECURITY CHALLENGES I n early January, a report commissioned by the federal government concluded that the public sec- tor is "simply not up to the overall challenge" of de- fending against cyber-threats. Donald Trump, meanwhile, admitted in a press conference prior to becoming the U.S. president that Russian hackers may, in fact, have attacked the Democratic party's IT systems. This probably provides little consolation to in-house lawyers at private sec- tor fi rms who already feel overwhelmed by the potential risks they face. According to the experts, however, there may be hope in some of the most bleeding-edge tech- nology being developed today: artifi cial intelligence software, or AI. In "Toward New Possibilities In Threat Management," consulting fi rm PwC suggests AI do a lot more than automate household tasks or help brands learn how to better target the ads they run: "In the near future, technologies that enable organizations to ingest and compare threat feeds in real time will continue to rapidly evolve," it said. "This includes tech- nologies such as machine learning, artifi cial intelligence and big data analytics . . . We believe that the application of data science to threat intelligence and security-incident management will be the future of how companies address threat intelligence." How that may work in practice may be a little hard to imagine, but David Craig, a partner at the fi rm's Toronto offi ce, said it's not as far off as you might think. "People will give machines the benefi t of the doubt when it comes to recognizing patterns," he points out. "Machines that track logs or other behavioural things that fol- low into a certain pattern will look for the anomaly — would certain activity be viewed as acceptable use? That's where a machine can alert a human." Picture this: Machines might have established a pattern that Craig logs into his work computer at 8:30 a.m. and works until 5 p.m. This activity becomes what's recognized as "normal" behaviour. If he's suddenly not logging in or using applications as often, it might be seen as an anomaly, unless the machine was smart enough to look at other databases to see that he was on vacation, for instance, or that he was taking some emergency time off to deal with a family situation. It sounds simple enough, but Craig says the real value of AI will be in reducing the number of "false positives" that trip up such systems and recognize signifi cant variations in the way employees, customers and entire systems behave or operate on a 24/7 basis. "It takes an advanced level of analytics to see that there's not something else that would explain that anomaly," he says. "You're marrying up a number of different data sets." The predictive variables in question could be authentication credentials such as user names and passwords but also more complex things such as what fi les or applications tend to be used as part of specifi c business processes. PwC's most recent global sur- vey suggests that less than a quarter, or 23 per cent, are actually planning to invest in machine learning and artifi cial intelligence this year. That's still a signifi cant portion given much of the technologies in question are relatively new. If IT vendors can prove it makes the life of security teams — including corporate counsel — a little bit easier, expect those numbers to jump signifi cantly in 2018 and beyond. IH e ec- f de- anwhile, admitted in a ent that Russian hackers T systems. use lawyers at pri riva vate sec- ential ri risk sks they face. According e of the most bleeding-edge tech- software, or AI. ent " consultin fi P