In a digital-first era, Canadian businesses are an increasingly attractive target for cybercrime. Cybercriminals seek confidential business data, including the personal information of clients or customers, trade secrets, and any other data they can monetize.
Cyberattacks can expose target organizations to multiple risks, including financial, reputational, and legal. In the aftermath, an organization could face legal claims on behalf of the individuals whose personal information has been compromised. Such claims are often pursued collectively by way of class action lawsuits, which can have serious business and financial implications for an organization.
The risk of class actions by aggrieved customers and clients is not the only major legal risk in a cyber incident. As attacks grow in scale and complexity, and as sophisticated threat actors raise the stakes, incidents generate more complicated and multi-faceted liability exposure.
The recent high-profile cyber incidents involving SolarWinds' Orion Platform, Microsoft Exchange Server, and Colonial Pipeline highlight the vulnerability of large organizations and critical infrastructure. They also demonstrate the far-reaching implications of modern cyberattacks for the economy. Furthermore, these incidents are indicative of the breadth and depth of organizations' exposure to legal liability in the normal course of carrying on their business.
Liability in this context is not absolute, however. Despite an organization's diligence and preparedness, incidents can and do happen. While organizations must take reasonable and appropriate steps to safeguard the information in their possession or control, the law also recognizes that cybersecurity is never guaranteed. Legal risk can accordingly be managed in a way that balances the costs and imperatives of doing business in today's highly competitive markets.
Mitigating the risk
First and foremost, any private-sector organization that collects, uses, or discloses personal information in the course of commercial activity in Canada must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Several provinces (Québec, British Columbia, and Alberta) also have private-sector privacy legislation that imposes substantially similar requirements and obligations with respect to the collection, management, and use of personal information.
Yet the question is not "if" but "when" and "how" threat actors will take a run at your organization's networks and systems, and how your organization can protect itself.
These five factors can help manage cybersecurity risks and exposure to losses before and after the occurrence of an incident.
1. Security safeguards
Security safeguards comprise the procedural, technical, and physical measures that reasonably ensure sensitive information is not accessed or disclosed by unauthorized parties. The most notable include granting access privileges selectively, based on each individual's job function (least privilege); strong authentication, including multi-factor authentication; encryption of data at rest and in transit; and appropriate data retention and disposal policies.
Organizations across different industries have also developed various sets of generally accepted information security practices.
For example, different sets of industry best practices exist for financial services organizations, healthcare providers, and hospitality companies. Security safeguards in each industry should therefore consider the nature of the information and the organization's business, and aim to strike an appropriate balance between the cost and complexity of the safeguards on one hand and the risk and consequences of a cyberattack on the other.
To that end, organizations should design, implement, and maintain security safeguards proportionate to the sensitivity of the information in their possession and its relevance to the organization's business.
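The following is an added illustration, not code from the article or from BDO or KND, of how three of the safeguards listed above (access limited by job function, multi-factor authentication for sensitive data, and retention-based disposal) look when enforced in code, with an audit trail recording each decision. The role names, data classes, retention periods, and sample records are assumptions constructed for the demo.

```python
"""Least-privilege access control with MFA gating and retention enforcement.

Added illustration (assumed roles, data classes and retention periods; the
records are constructed sample data, not real personal information).
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed job functions and the data classes each may read (least privilege).
ROLE_PERMISSIONS = {
    "billing_clerk": {"contact", "payment"},
    "support_agent": {"contact"},
    "security_analyst": {"audit"},
}

# Data classes that require a completed MFA step before access is granted.
MFA_REQUIRED = {"payment", "health"}

# Assumed retention periods; records older than this are disposed of.
RETENTION = {
    "contact": timedelta(days=3 * 365),
    "payment": timedelta(days=7 * 365),
    "health": timedelta(days=10 * 365),
    "audit": timedelta(days=2 * 365),
}


@dataclass
class Record:
    record_id: str
    data_class: str
    collected_on: date
    payload: str


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool = False


class DataStore:
    def __init__(self, records):
        self.records = {r.record_id: r for r in records}
        self.audit_log = []  # contemporaneous record of every access decision

    def _log(self, session, action, record_id, outcome):
        self.audit_log.append({"user": session.user, "role": session.role,
                               "action": action, "record": record_id,
                               "outcome": outcome})

    def read(self, session, record_id):
        """Return a record's payload only if role and MFA checks both pass."""
        record = self.records.get(record_id)
        if record is None:
            self._log(session, "read", record_id, "denied: no such record")
            raise KeyError(record_id)
        if record.data_class not in ROLE_PERMISSIONS.get(session.role, set()):
            self._log(session, "read", record_id, "denied: role not permitted")
            raise PermissionError(f"{session.role} may not read {record.data_class} data")
        if record.data_class in MFA_REQUIRED and not session.mfa_verified:
            self._log(session, "read", record_id, "denied: MFA required")
            raise PermissionError("multi-factor authentication required")
        self._log(session, "read", record_id, "granted")
        return record.payload

    def purge_expired(self, today, actor="retention-job"):
        """Dispose of records whose retention period has elapsed; return their ids."""
        system = Session(user=actor, role="system", mfa_verified=True)
        expired = [rid for rid, r in self.records.items()
                   if today - r.collected_on > RETENTION[r.data_class]]
        for rid in expired:
            del self.records[rid]
            self._log(system, "dispose", rid, "purged: retention period elapsed")
        return expired


def build_demo_store():
    """Constructed sample records (not real data)."""
    return DataStore([
        Record("c-1", "contact", date(2023, 5, 1), "jane@example.com"),
        Record("p-1", "payment", date(2022, 1, 15), "card ending 4242"),
        Record("c-old", "contact", date(2015, 3, 2), "old@example.com"),
    ])


def demo(today=date(2024, 6, 1)):
    """Run a few access attempts and a retention sweep; return the outcomes."""
    store = build_demo_store()
    results = {}
    support = Session("alice", "support_agent")
    clerk = Session("bob", "billing_clerk")
    clerk_mfa = Session("bob", "billing_clerk", mfa_verified=True)
    for label, session, rid in [
        ("support_reads_contact", support, "c-1"),
        ("support_reads_payment", support, "p-1"),
        ("clerk_reads_payment_no_mfa", clerk, "p-1"),
        ("clerk_reads_payment_mfa", clerk_mfa, "p-1"),
    ]:
        try:
            results[label] = store.read(session, rid)
        except PermissionError as exc:
            results[label] = f"denied ({exc})"
    results["purged"] = store.purge_expired(today)
    results["audit_entries"] = len(store.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the deny paths are logged just as the grant path is; in a later dispute, that audit log is the contemporaneous documentation of reasonable safeguards that section 3 below relies on.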
2. Security awareness and training programs
A large share of cyberattacks can be traced to avoidable human error. What starts as a seemingly limited phishing attempt to steal one employee's login credentials can rapidly escalate into a full-blown attack that compromises the entirety of an organization's networks and systems.
Organizations that stop an attack at this first juncture spare themselves from defending against the far more complex intrusion that would have followed.
The first, possibly most effective, and certainly least costly layer of any organization's cyber defense lies in promoting security awareness and proper training. Employee and stakeholder awareness initiatives and regular training programs ensure that an organization's members and constituencies remain vigilant in recognizing and responding to cyberthreats, keeping the gate shut to full-scale attacks.
3. Security control audits
In November 2018, Marriott International reported a security incident affecting Starwood Hotels, a subsidiary it had acquired just two years earlier for about US$12 billion. The threat actors had compromised Starwood's guest reservation database and had been present in its environment for four years, meaning that Starwood's systems were already compromised at the time of the acquisition. Reportedly, early signs of the attack had been observed but not investigated. After the breach, affecting some 500 million guest records, was publicly disclosed, Marriott was drawn into numerous lawsuits and regulatory proceedings and incurred substantial costs. Much of this exposure might have been avoided had Starwood's security controls been audited during the acquisition and the early signs of the attack investigated.
Reviews of computer security controls are now a standard part of a large organization's regular internal audits and an indispensable element of due diligence in business transactions, amalgamations, and mergers and acquisitions.
Public reporting companies may also face specific contractual or regulatory requirements regarding the audit and certification of computer system controls. It is widely accepted that a healthy security culture and reliable computer systems help foster productive business relationships, so business partners may require audit certificates for computer systems as part of their regular due diligence.
Security control audits can also be a significant defense in litigation arising out of a cyber incident. An organization that can produce contemporaneous documentation showing it used reasonable security safeguards may well succeed in defending against liability or mitigating its damages and loss exposure.
4. Incident response
Effective cyber defense strategies are designed around the premise that, despite best efforts, the organization will eventually be subjected to a successful cyberattack. Taking transparent, quick, and decisive steps to contain the incident, limit the damage, and manage ongoing risk is key to a reliable and effective incident response.
The April 2021 judgment of the Québec Superior Court in Lamoureux c. Organisme canadien de réglementation du commerce des valeurs mobilières, 2021 QCCS 1093, highlights the significance of proper incident response. The case arose from the loss, by an employee of the Investment Industry Regulatory Organization of Canada (IIROC), of a laptop containing the unencrypted personal information of thousands of investors. Although the Court found that IIROC had committed a fault by allowing unencrypted personal information to leave its premises on a laptop, it dismissed the class action, noting IIROC's timely and meticulous incident response and the plaintiffs' failure to prove compensable harm.
5. Cyber insurance
Cyber insurance coverage is an integral part of risk management and defense strategies. Many products available in today's market indemnify the insured against cyberattack losses, including the costs and expenses of forensic investigation and litigation.
Seeking out and obtaining customized cyber insurance coverage for your organization's needs is highly encouraged. In addition to providing coverage for losses in the event of a cyber incident, the process for obtaining cyber insurance can be an invaluable layer of defense in the organization's cybersecurity strategy.
Cyber insurance underwriters are typically sophisticated entities that conduct their own due diligence into the organization's systems, security measures, and practices. This process gives the organization an independent third-party perspective and a further check on the design and efficacy of its security safeguards.
More on preventative measures and cyber insurance tips can be found in a previous BDO piece on cybersecurity and cyber insurance: how a two-pronged approach can build bulletproof cyber resilience.
How can experienced advisors help?
This article was developed in collaboration with KND Complex Litigation.
BDO's Cybersecurity team can help you safeguard your business against cyberattacks. We can assess your situation and help you map out a framework that puts cybersecurity and data privacy requirements first to mitigate any potential threats and legal ramifications.
When prospective or actual litigation arises, KND Complex Litigation works with businesses to manage risk and protect the organization's interests. Specializing in complex litigation, class actions, and risk management, the firm has acted in several major privacy, data breach, and consumer class proceedings across Canada.