Legal news and trends for Canadian in-house counsel and c-suite executives
Issue link: https://digital.canadianlawyermag.com/i/970863
31 CANADIANLAWYERMAG.COM/INHOUSE MAY/JUNE 2018 These are just two examples, one fic- tional and one very real, of the potential consequences of cybersecurity breaches and just how easily they can occur, even to sophisticated individuals or well-resourced organizations. The need to try to defend continually against these breaches or attacks taking place and having a plan to respond immediately if they do is not lim- ited to the world of international intrigue and hostile foreign actors. Technology experts and lawyers who specialize in this area say it is an issue that needs to be top of mind for all businesses whether they are rela- tively small or are publicly traded and have operations outside of Canada. As well, new regulatory requirements with greater reporting obligations about privacy breaches are about to take effect in the European Union and in the coming months in Canada. The increased awareness has also resulted in the creation of "cyber- insurance" as a way of trying to mitigate the expenses of responding to a breach. "This is not just about multi-nationals anymore," says Nathalie David, a partner at Clyde & Co. in Montreal. "I think the message is sinking in. You should have a cybersecurity response plan already in place or be working on one. Even a small incident can lead to devastating consequences," says David, whose practice focuses on the insurance sector, regulatory compliance and cyber-risks. While cybersecurity issues may now be a much greater priority for businesses and governments in this country, it has not al- ways been the case, suggests Imran Ahmad, a partner at Miller Thomson LLP in To- ronto who also heads the firm's cybersecu- rity and data breach practice. "Canada has historically been lagging behind the U.S. and the E.U.," he notes. In the U.S. for example, nearly every state has mandatory breach notification requirements. Many states such as California also post online the names of companies with a reported breach so the details can be accessed by the public and not just affected individuals. In Canada, the only province currently with mandatory notification is Alberta. By the end of this year though, the provisions of the federal Digital Privacy Act that deal with reporting requirements are expected to come into effect. While that statute was originally passed in 2015, the aspects that dealt with mandatory reporting did not be- come law at the time. The federal Liberal government has been engaged in a lengthy consultation process over the regulations that will apply to privacy breaches. The proposed rules around reporting privacy breaches to the Privacy Commis- sioner of Canada and affected individuals are expected to be similar to the General Data Protection Regulations drafted by the E.U., which come into force May 1. In the federal budget announced in Feb- ruary, a commitment of $155 million was pledged over five years for a new Canadian Centre for Cyber Security. As well, the RCMP will receive $116 million over the next five years to establish a National Cy- bercrime Coordination Unit. While the additional funding from the federal government to increase the focus on fighting cybercrime is a good idea, this is unlikely to reduce the burden on the private sector in preparing against and responding to security breaches, says Ahmad. "More often than not, you should have the mindset that you will not be getting sig- nificant initial help from law enforcement. You need to make sure you have your own cyber-response plan and that your vendors of record have been properly vetted. That will help you when you go to law enforcement. You can show them, here is the research and investigation we have done," Ahmad says. He adds that police do not have the resources currently to address the volume of crime in this area and may not have the expertise if it takes place outside major urban centres. Co-ordinating with police is worthwhile, but it might be at a later stage, after a com- pany has initially responded to any breach, suggests David. "It is important that there is information and data accumulated about these types of incidents. This will increase resiliency [to future attacks]," she says. Daniel Tobok, chief executive of Cytelli- gence Inc., a Toronto-based security com- pany, says police in Canada currently have backlogs of as long as 18 months in dealing with cybercrime cases and it is not difficult for individuals to escape detection. "You can buy all the tools you need for ransomware on the dark web for about $10,000. It is like a 'do-it-yourself kit.' It will even tell you how to launder the money [in a crypto-currency]. This is an easy crime compared to a bank robbery," says Tobok. For businesses, the immediate priority should be self-interest. "This is not about discovering the identity of the perpetrator. It is about minimizing and containing the damage," Tobok explains. Ransomware, where a victim's computer is locked and the attacker demands a pay- ment in return, was the method of attack against Claire Danes' character. It is also a rising real-world issue, Tobok observes. "On a monthly basis, it is now about 50 per cent of our activity," he says. "This is the new pickpocket," states Paige Backman, a partner at Aird & Berlis LLP in Toronto and the chairwoman of the firm's privacy and data security group. "What makes this crime appealing is it can be done from anywhere in the world," she adds. To reduce the risks a company faces will You should have a cybersecurity response plan already in place or be working on one. Even a small incident can lead to devastating consequences. NATHALIE DAVID, Clyde & Co.