Cas cyber prez

4. Data and Cyber Security Risks The claims context 2012 • Lost HD with PI of student loan recipients (Condon) 2012 • Unauthorized access to medical records (Hopkins) 2014 •Medical marijuana mis-mailing (Doe) 2014 • Payment card theft (Home Depot) 2015 • Ashley Madison extortion affair (Avid Life) 4

5. Data and Cyber Security Risks The claims context 5 BIG LEGAL ISSUES Is a victimized custodian liable when its loss of data has not caused “compensable damages”? Creative counsel say “yes.” Courts say maybe.  Intrusion upon seclusion and “recklessness”  Contractual breach and nominal damages  Waiver of tort Is an organization vicariously liable for an employee’s (intentional) unauthorized use? Creative counsel say “yes.” Courts say maybe.  This is a policy issue that needs to be litigated on good facts  We have one preliminary court decision considering the issue and one arbitrator who said “no” to vicarious liability

6. Data and Cyber Security Risks The claims context • PIPEDA breach notification a game changer • "Breach of security safeguards" – loss, unauthorized access, disclosure • When there is a "real risk of significant harm" • Notification and reporting to individual, to the OPC and to organizations in a position to mitigate • All "as soon as feasible" 6

7. Data and Cyber Security Risks What’s really at stake? Potential liability? Other costs and losses Not all damages are compensable Professional fees (PR, IT, Legal) Moral damages are capped Notification costs (mailing, call centre) Will class counsel be rewarded? Business interruption and lost productivity Reputational harm, lost business and stakeholder management problems 7

8. Data and Cyber Security Risks BIG corporate data risks (and top defences) 8 • Background screening, network monitoringRogues • Employee awareness and training, intrusion detectionPhishing • Safe options, clear rules, clear enforcementGhost IT • Balanced BYOD policyMobile

9. Data and Cyber Security Risks The incident response process Identify Contain Remedy Close 9

10. Data and Cyber Security Risks Incident response best practices - timing 10 Initiate ASAP Keep the ball in motion Don't rush

11. Data and Cyber Security Risks Incident response best practices - analysis 11 Assume only as necessary Obtain objective input Obtain technical input

12. Data and Cyber Security Risks Incident response best practices - communication 12 Take a broad view of notification Put yourself in their shoes Demonstrate commitment to doing better

13. Data and Cyber Security Risks Questions & Answers

14. Data and Cyber Security Risks Data and Cyber Security Risks Best Practices for Protection and Response September 29, 2016 Dan Michaluk

Editor's Notes

Note: This is our widescreen format template (our new Firm standard going forward). If you require regular screen width, click on the Office Button, select ‘New’ and select the Regular Template. If there is only 1 presenter, delete the red barrier line and ‘presenter 2’
DELETE this slide if not required This optional SubTitle Slide is designed to include a photo of the Presenter. To change the picture, click on the picture Icon. The folder contains all of the cropped lawyer photos – alphabetized by last name. Double click on the desired photo to insert into this slide.
-we are in a new risk environment today -you can draw a few conclusions from this slide -data security makes headlines – daily (Yahoo – today) -threat has evolved -lost USB key (Durham Region) -state sponsored hacking (Sony – The Interview) -so people are talking about the importance of data security today -whether they are walking is a different question -but there’s a general recognition that companies must prioritize the risk
Here’s another view of the evolving context, this time by looking at class actions -Condon – lost HD – simply lost – could go nowhere -Hopkins – snooping into records -Doe – mail to person with medial access marijuana program -recent development in that case I’ll tell you about in a moment -Home Depot – lost USB, settled, class counsel denied full fee -Ashley Madison – sensational, contract claim Actions do happen 1000 breaches a day in Canada Should be able to manage a typical breach without getting targeted (Hide in the noise) In a sense that’s the goal Some comfort that each of these is special
Let’s talk a little bit about the law …. -two types of claims – type A and type B -in a transition time – courts are trying to figure out what to do about them -type A is the negligent loss of data (including hacking scenarios) -like condon -every day -no harm no foul rule -compensable damages -” serious and prolonged and rise above the ordinary annoyances, anxieties and fears that people living in society routinely, if sometimes reluctantly, accept” -try to get around it -doe the court said no –limited to costs incurred to prevent home invasion, costs incurred for other personal security, damage to reputation, loss of employment, reduced capacity for employment, and out of pocket expenses -not Lozanski too -type B is intentional -more serious -question is whether the bad acting employee is liable alone -or whether the employer can be liable for the employee’s actions -no authoritative law yet -potential exposure is real
-there’s an important statutory change coming, likely in mid-2017 -breach notification under PIPEDA -real risk of significant harm -two parts -risk has to be above a standard -potential for harm has to be above a standard -will be interpreted with a view to protection -does not apply to your core activity -but – there’s an expectation of notification that will be solidified -different than even five years ago -notification invites a whole world of pain that we’ll talk about -so notification invites better data security – that’s the policy
-keep this in mind -arbitrator recently ordered an employer to pay damages for conducting an unauthorized breathalyser test -how much? -$200 -risk of actual pecuniary harm is remote -moral damages limited to intentional – capped and meant to be modest -Lozanski now – courts will question actions for type A claims … -professional fees -small breach taken seriously -$15,000 in legal fees -mailing – 65,000 person breach -85 cents a letter -time and effort, business interruption from hacks -reputation and lost business … -keep that in mind -talk about response in a bit -it’s a softer problem than it might feel -can afford to take risks in your messaging
-this is the one slide on prevention -before we talk about response, let me say that it all starts with prevention -four program requirements -supported by top management -adequately resourced -risk based (no such thing as perfect security) -evolves and stays current -here’s the risks that I regularly see
-go to response -general process – linear but there can and should be itterations -identify -can’t sit within your organization -need to get them to a single POC -who typically escalates to a IRT -contain -get it back, close the vulnerability… -priority number one -remedy -geared at preventing harm -notification is only one tactic – not everything -close -learning loop -causal analysis -debrief the process itself
-timing is everything! -when did it happen? -when did you find out? -why you telling us now? -three tips on timing -initiate ASAP -pressure to improve network detection capability -once a human knows >>> POC -policy that has a clear rule -keep the ball in motion -never sit on this -ever… -but don’t rush -clock speed concept (harm, who knows, who is likely to know) -work in accordance with clock speed -gather as much information as you can afford to gather before making decision
-great pressure, but think don’t react -notify the regulator before they contact me -tips on better analysis -watch your assumption -e.g. the person who did it was trained? -obtain objective input -breach coaches -two phenomenon, pull in opposite directions -a) guilt -b) wishful thinking -obtain technical input -what happened -to whom -when -why -not if it’s a human factor problem -but if it requires IT analysis to understand
-communication – so much rests on communication -themes >>> transparency >>> ownership (admit responsibility, not necessarily liability) -tips -take a broad view -not every breach requires notification -more and more expected -even when there’s not a real risk of financial harm -consider that… consider reputation -consider … will they find out anyway? -put yourself in their shoes -anxious -what questions -demonstrate commitment to doing better -avoid simplistic root cause analysis -there’s always something systemic going on -push towards that -if the breach is bad… push further -if the relationship with the regulator is bad… push further
DELETE this slide if not required
Note: This is our widescreen format template (our new Firm standard going forward). If you require regular screen width, click on the Office Button, select ‘New’ and select the Regular Template. If there is only 1 presenter, delete the red barrier line and ‘presenter 2’

Cas cyber prez

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cas cyber prez

Similar to Cas cyber prez (20)

More from Dan Michaluk

More from Dan Michaluk (18)

Recently uploaded

Recently uploaded (20)

Cas cyber prez

Editor's Notes