4. Data and Cyber Security Risks
The claims context
2012 • Lost HD with PI of student loan recipients (Condon)
2012 • Unauthorized access to medical records (Hopkins)
2014 • Medical marijuana mis-mailing (Doe)
2014 • Payment card theft (Home Depot)
2015 • Ashley Madison extortion affair (Avid Life)
5. Data and Cyber Security Risks
The claims context
BIG LEGAL ISSUES
Is a victimized custodian liable when its loss of data has not caused “compensable damages”?
Creative counsel say “yes.” Courts say maybe.
Intrusion upon seclusion and “recklessness”
Contractual breach and nominal damages
Waiver of tort
Is an organization vicariously liable for an employee’s (intentional) unauthorized use?
Creative counsel say “yes.” Courts say maybe.
This is a policy issue that needs to be litigated on good facts
We have one preliminary court decision considering the issue and one arbitrator who said “no” to vicarious liability
6. Data and Cyber Security Risks
The claims context
• PIPEDA breach notification a game changer
• "Breach of security safeguards" – loss, unauthorized access, disclosure
• When there is a "real risk of significant harm"
• Notification and reporting to individual, to the OPC and to organizations in a position to mitigate
• All "as soon as feasible"
7. Data and Cyber Security Risks
What’s really at stake?
Potential liability?
• Not all damages are compensable
• Moral damages are capped
• Will class counsel be rewarded?
Other costs and losses
• Professional fees (PR, IT, Legal)
• Notification costs (mailing, call centre)
• Business interruption and lost productivity
• Reputational harm, lost business and stakeholder management problems
8. Data and Cyber Security Risks
BIG corporate data risks (and top defences)
• Rogues – Background screening, network monitoring
• Phishing – Employee awareness and training, intrusion detection
• Ghost IT – Safe options, clear rules, clear enforcement
• Mobile – Balanced BYOD policy
9. Data and Cyber Security Risks
The incident response process
Identify → Contain → Remedy → Close
10. Data and Cyber Security Risks
Incident response best practices - timing
Initiate ASAP
Keep the ball in motion
Don't rush
11. Data and Cyber Security Risks
Incident response best practices - analysis
Assume only as necessary
Obtain objective input
Obtain technical input
12. Data and Cyber Security Risks
Incident response best practices - communication
Take a broad view of notification
Put yourself in their shoes
Demonstrate commitment to doing better
14. Data and Cyber Security Risks
Data and Cyber Security Risks
Best Practices for Protection and Response
September 29, 2016
Dan Michaluk
Editor's Notes
-we are in a new risk environment today
-you can draw a few conclusions from this slide
-data security makes headlines – daily (Yahoo – today)
-threat has evolved
-lost USB key (Durham Region)
-state sponsored hacking (Sony – The Interview)
-so people are talking about the importance of data security today
-whether they are walking is a different question
-but there’s a general recognition that companies must prioritize the risk
Here’s another view of the evolving context, this time by looking at class actions
-Condon – lost HD – simply lost – could go nowhere
-Hopkins – snooping into records
-Doe – mail to person with medical access marijuana program
-recent development in that case I’ll tell you about in a moment
-Home Depot – lost USB, settled, class counsel denied full fee
-Ashley Madison – sensational, contract claim
Actions do happen
1000 breaches a day in Canada
Should be able to manage a typical breach without getting targeted
(Hide in the noise)
In a sense that’s the goal
Some comfort that each of these is special
Let’s talk a little bit about the law
…
-two types of claims – type A and type B
-in a transition time – courts are trying to figure out what to do about them
-type A is the negligent loss of data (including hacking scenarios)
-like Condon
-every day
-no harm no foul rule
-compensable damages
-“serious and prolonged and rise above the ordinary annoyances, anxieties and fears that people living in society routinely, if sometimes reluctantly, accept”
-try to get around it
-Doe – the court said no
-limited to costs incurred to prevent home invasion, costs incurred for other personal security, damage to reputation, loss of employment, reduced capacity for employment, and out of pocket expenses
-not Lozanski too
-type B is intentional
-more serious
-question is whether the bad acting employee is liable alone
-or whether the employer can be liable for the employee’s actions
-no authoritative law yet
-potential exposure is real
-there’s an important statutory change coming, likely in mid-2017
-breach notification under PIPEDA
-real risk of significant harm
-two parts
-risk has to be above a standard
-potential for harm has to be above a standard
-will be interpreted with a view to protection
-does not apply to your core activity
-but – there’s an expectation of notification that will be solidified
-different than even five years ago
-notification invites a whole world of pain that we’ll talk about
-so notification invites better data security – that’s the policy
-keep this in mind
-arbitrator recently ordered an employer to pay damages for conducting an unauthorized breathalyser test
-how much?
-$200
-risk of actual pecuniary harm is remote
-moral damages limited to intentional – capped and meant to be modest
-Lozanski now – courts will question actions for type A claims
…
-professional fees
-small breach taken seriously
-$15,000 in legal fees
-mailing – 65,000 person breach
-85 cents a letter
-time and effort, business interruption from hacks
-reputation and lost business
…
-keep that in mind
-talk about response in a bit
-it’s a softer problem than it might feel
-can afford to take risks in your messaging
-this is the one slide on prevention
-before we talk about response, let me say that it all starts with prevention
-four program requirements
-supported by top management
-adequately resourced
-risk based (no such thing as perfect security)
-evolves and stays current
-here’s the risks that I regularly see
-go to response
-general process – linear but there can and should be iterations
-identify
-can’t sit within your organization
-need to get them to a single POC
-who typically escalates to an IRT
-contain
-get it back, close the vulnerability…
-priority number one
-remedy
-geared at preventing harm
-notification is only one tactic – not everything
-close
-learning loop
-causal analysis
-debrief the process itself
-timing is everything!
-when did it happen?
-when did you find out?
-why are you telling us now?
-three tips on timing
-initiate ASAP
-pressure to improve network detection capability
-once a human knows >>> POC
-policy that has a clear rule
-keep the ball in motion
-never sit on this
-ever…
-but don’t rush
-clock speed concept (harm, who knows, who is likely to know)
-work in accordance with clock speed
-gather as much information as you can afford to gather before making decision
-great pressure, but think don’t react
-notify the regulator before they contact me
-tips on better analysis
-watch your assumptions
-e.g. the person who did it was trained?
-obtain objective input
-breach coaches
-two phenomena, pull in opposite directions
-a) guilt
-b) wishful thinking
-obtain technical input
-what happened
-to whom
-when
-why
-not if it’s a human factor problem
-but if it requires IT analysis to understand
-communication – so much rests on communication
-themes >>> transparency >>> ownership (admit responsibility, not necessarily liability)
-tips
-take a broad view
-not every breach requires notification
-more and more expected
-even when there’s not a real risk of financial harm
-consider that… consider reputation
-consider … will they find out anyway?
-put yourself in their shoes
-anxious
-what questions
-demonstrate commitment to doing better
-avoid simplistic root cause analysis
-there’s always something systemic going on
-push towards that
-if the breach is bad… push further
-if the relationship with the regulator is bad… push further