One hour cyber july 2013

One-hour presentation to risk management professionals on liability risks related to data loss and tracking lawsuits.


  1. Cyber liability issues – risks, prevention and response • July 17, 2013 • Jeff Goodman and Dan Michaluk
  2. Cyber liability • Risks – Data loss through inadvertence
  3. Cyber liability • Risks – Rowlands (2012) • Lost USB key – personal and confidential info of 83,524 people who had received H1N1 shot • Claim – info could be used to facilitate identity theft • No evidence supporting theory 2.5 years later • Class action certified and settlement approved • Claims admin process (no special damages cap) • $500,000 in fees (inclusive of risk premium)
  4. Cyber liability • Risks – Mazzonna (2012) • Lost data tape: personal info (name, address, SIN) • Petitioner alleged “inconvenience, pain, suffering and/or fear” due to the loss of personal info • No evidence of ID theft 3.5 years after incident • Motion for certification of class action dismissed because there was no claim to legally compensable damages (Culligan principle)
  5. Cyber liability • Risks – But now… • U.S. Director of National Intelligence lists cyberattacks as #1 security threat (03/12/13) • BYOD and other business computing trends making corporate networks significantly less secure • National breach reporting rule is pending (Bill C-12) • MAJOR INCREASED RISK!
  6. Cyber liability • Risks – Maksimovic (2013) • April 2011 cyber attack on three Sony online services (4.5 million Canadian users) • 24 day outage, PI loss included birthdates, e-mail, passwords, credit card info • No evidence supporting ID theft two years later • Settlement approved – refunds, free services, claims process for ID theft capped at $2,500, counsel fees of $265,000
  7. Cyber liability • Risks – CASL • Likely in force in late 2013 or early 2014 • Regulates SPAM, alteration of transmission messages and installation of computer programs • Hefty administrative monetary penalties • Plus a private right of action that allows recovery of special damages and capped general damages (to promote compliance)
  8. Cyber liability • Risks – Facebook (ongoing) • BC residents whose name, portrait, or both have been used by FB in a “Sponsored Story” • Alleges that FB receives significant revenue from its Sponsored Stories advertising but does not compensate its members and provide sufficient notice • Certification hearing in June 2013 adjourned
  9. Cyber liability • Risks – Apple (2013) • Quebec class action for failure to properly inform of consequences of downloading “free” applications from the Apple Store • Claim – failure to inform causing loss of computing resources and over-payment for devices • Certified in late June – issues in dealing with consent dispute on class-wide basis brushed aside
  10. Cyber liability • Prevention – information governance • Risk assessment structures • Intrusion detection and security audit structures • Records management • Human resources policy • Physical transfer of personal information policy • Disposal procedures • Privacy breach procedures
  11. Cyber liability • Prevention – low hanging fruit • Company issued • USB keys • Laptops and portable devices • Sending work home • Bad actors in IT • Recycling versus shredding
  12. Cyber liability • Prevention – service provider problem • An organization is accountable for the handling of personal information by its service providers • Due diligence = duly diligent selection, contracting and relationship administration • Anticipate breach response conflicts
  13. Cyber liability • Prevention – enforceable policy • Consistent with express contract terms • Clear and unequivocal • Brought to employees’ attention • Reasonable • Consistently enforced
  14. Cyber liability • Prevention – departing employee protocol • Terminate access rights • Conduct an exit interview • Administer return of property checklist • Preserve electronically stored information for a “cooling off” period • Administer a misuse audit program
  15. Cyber liability • Response – Do’s • Have a plan • Have a team • Take what appears small seriously • Beware of conflicting interest
  16. Cyber liability • Response – Do not’s • Rush to notify • Be slow in investigation • Expect perfect knowledge • Think over e-mail • Give an opinion on the risk
  17. Cyber liability • Response – The long road to liability • No strict liability • Causation requirement – breach of standard must cause damage • Damage claimed must be compensable and not too remote
  18. Cyber liability issues – risks, prevention and response • July 17, 2013 • Jeff Goodman and Dan Michaluk
