Just two days after Christmas this past December, an American company called E-Sports Entertainment Association went through most of the stages that are now common episodes following a cybersecurity attack — with one notable exception.
First, ESEA learned a database containing information on its customers had been breached by hackers demanding $100,000. Next, the company informed the FBI, fixed the IT problem that allowed the hackers to get in and released a statement to the public that it would not give in to the demands.
Unlike the headline-making IT security fiascos involving Target, Yahoo and many other organizations, however, ESEA did not have the power to limit disclosure about exactly how many customers may have had their information compromised.
It’s all there on LeakedSource, an online service launched just a few months earlier that not only claims 1.5 million records were stolen by hackers in the ESEA breach but also allows individual customers to check whether they’re among the victims using a Google-like search tool.
Boasting more than three billion records, LeakedSource, whose owners remain anonymous, describes its site as a security monitoring tool. “We are a full disclosure site so we provide all data to the user so they can be better informed of what data (emails, passwords, etc.) have been breached,” the site’s FAQ page claims. Never mind that it’s impossible to verify everything on LeakedSource or that it might serve as a gift of sorts to other hackers: In-house counsel who have had the benefit of keeping the full details of a security breach under wraps may now find their organizations fielding difficult questions from customers who use such tools to take a DIY approach to protecting personal information.
Meanwhile, the ongoing rise of technology to host and manage customer data, the increased sophistication and complexity of cyberattacks and consequences of a breach that go way beyond reputational damage have corporate legal teams looking at IT security much more carefully.
“If you operate in the technology sector — and at my company we do — you deal with user data and employee data, so you have to be concerned with that,” says David Laliberte, general counsel and chief legal officer with Groupe Média TFO, the French-language broadcaster based in Toronto. “You’re absolutely vulnerable, so you have to have a proper policy. Just last week, we had a board meeting where one of the things on the agenda was to review our policy with regards to confidential information and how we protect it.”
Laliberte has the advantage of previously working as in-house counsel at two companies well known for their prowess in technology in general and security in particular: Microsoft and BlackBerry.
“I would say at Microsoft and BlackBerry, this is basically their top priority: ensuring that they are not only protecting all their data but also that they are leaders in that industry, and making sure the rest of the industry follows them,” he says. “We’re a much smaller organization; our resources are on a different scale. But there’s still a lot smaller organizations can do, and one is to ensure they handle data in a way that makes sense and reduces the risk of intrusion.”
The safe way to share IT security secrets
Of course, that may be easier said than done, given the many ways organizations interact with customers online or offline and the myriad ways hackers can steal data. That’s one of the reasons behind the launch last year of the Canadian Cyber Threat Exchange, a not-for-profit organization formed by the Canadian Council For Chief Executives and companies such as Air Canada, RBC and CP Rail. According to Bob Gordon, CCTX’s executive director, board-level interest in cybersecurity is on the rise, which means legal counsel will be expected to help educate, advise and act on areas they might have once considered outside their domain.
“It’s going to be interesting to see how the courts look at what’s reasonably diligent,” he says. “Incidents are going to be happening and that doesn’t necessarily mean that because someone has breached that they were bad. It means someone was able to defeat the technology.”
Part of the historical challenge, of course, is that dealing with cybersecurity incidents has been a lonely business: No one wants to share the sordid details of what went wrong or how they’ve interacted with hackers. Gordon says the CCTX is trying to create an online platform where critical knowledge can be exchanged anonymously so that even competitive firms can learn from and support each other.
Some organizations and GCs have no choice but to be proactive, even without the benefit of collective resources such as the CCTX. Take Howard Simkevitz, general counsel and chief privacy officer at the Ontario Institute For Cancer Research. One of the OICR’s major programs involves a registry that stores tumour samples linked to a complementary database. Besides the obvious importance of ensuring the database isn’t compromised, Simkevitz says policies to get on top of IT security were driven by two major factors: PHIPA regulation requirements and the maturity of services to deal with liability issues.
“One of my first priorities was to evaluate our insurance for cyber events,” he says. “Of course, not surprisingly, we found that our existing coverage would not be sufficient to the extent that we would need if we have a hacking event and needed to engage a forensic specialist. I think a lot of organizations are under the assumption that their general liability insurance will cover cyber events when it will not, or won’t in its entirety.”
Simkevitz says after talking to a number of brokers, he discovered there are some compelling packages, and he encourages his peers to shop around. “It’s a very edifying process,” he says. (Laliberte agrees that good cyber-insurance “absolutely helps” in giving senior leadership peace of mind.)
The cybersecurity effect on class action litigation
Cyber-risk insurance may be getting more popular because of the scope of what constitutes fallout from an IT security breach. There is financial loss if hackers successfully sell customer data or use it to steal from bank accounts. More common has been the suggestion from experts and vendors that a high-profile cyberattack will result in reputational damage to the victim.
Simkevitz, for one, isn’t buying it.
“How many customers stopped going to TJ Maxx? How many stopped using their Sony PlayStation?” he asks. “My sense is that not many people changed their behaviour.”
More notable in recent years has been victims banding together seeking restitution of some kind, says Imran Ahmad, a partner with Miller Thomson LLP.
“You’re seeing a lot of litigation on the tort side of things — very creative class action lawyers proposing intrusion upon seclusion — typically things we would not historically see in this space,” he says.
Intrusion upon seclusion, which has only emerged recently in certain Canadian jurisdictions, allows plaintiffs to sue if a person has intentionally invaded their private affairs without permission and if a reasonable person would view the invasion as highly offensive. Ahmad points to a Jane Doe case in which a man released, without her consent, a video of a sexual nature after their relationship ended.
“The court recognized there was an impact of disclosing without the authorization of subject,” he explains. “Now class action lawyers are looking at whether that might be used in a cyberbreach.”
Examples of intrusion upon seclusion in a cybersecurity scenario include Evans vs. the Bank of Nova Scotia, a 2014 case where a bank employee was alleged to have provided customer information to others, resulting in fraud. The case was certified as a class action, with leave to appeal the certification decision dismissed. A more recent case, still pending, involves Bell Mobility, where the disclosure of information for advertising purposes has plaintiffs seeking $750 million for intrusion upon seclusion, among other things.
Jean-Francois De Rico, a partner with Montreal-based Langlois LLP, says class action cybersecurity cases will likely depend on whether lawyers can find precedent that puts a high price tag on privacy breaches.
“If you can get to predictability — what kind of money can we get out of this — we may see a higher number of class action lawsuits,” he says. “These first ones are probably going to be very scrutinized and important in order to determine whether the firms that do those cases should support the significant financial burdens they have until they get to the end of the day. It’s a very financial, analytic-oriented process.”
Ahmad believes many will find it worth their while. “It’s not like the courts are rejecting these arguments offhand. They’re entertaining them and applying them to other circumstances,” he says, adding that the potential for perceived negligence is higher given the army of suppliers, subcontractors and other people who come close to customer data in any given organization.
“Target is the one I like to use,” De Rico says, referring to the massive attack on the retailer a few years ago. “It was one of their smallest solution providers, an HVAC provider, who made the data accessible to hackers. That demonstrates that IT security isn’t something you can address in a silo or independent of all other activities. It’s a horizontal issue.”
It’s also an issue that spans not only problems with IT but with people. Ahmad refers to “whaling” attacks where hackers try to impersonate the email of senior executives to dupe administrative assistants.
“The weakest link is going to be your staff,” agrees Simkevitz. “That is because social engineering techniques have gotten so that they look like normal emails. It’s only once you’ve clicked on that link that the cat’s out of the bag.”
The long-term problems are not limited to class action lawsuits but the scrutiny put on an entire industry. Though there were many cybersecurity horror stories over the course of 2016, for instance, none stands out like Yahoo, which went through not one but two major incidents where millions of its customers’ records may have fallen into the wrong hands.
That kind of situation would be dire for any major company, but matters were made infinitely worse based on the timing: Over the course of months where the attacks were disclosed, most of Yahoo was also in the process of being acquired by Verizon.
“In the first breach, Verizon said they may consider renegotiating [the terms of the deal]. Now they said they will definitely do so. It’s having an adverse impact on the transaction,” Ahmad says. “Maybe two years before the Verizon issue, nobody talked about this here in Canada. The only time I came across it was when a U.S. private equity deal was happening and they were insisting [cybersecurity due diligence] be done. Now you have investment bankers brokering deals, wondering, ‘How can I make myself attractive?’ Buyers are asking these questions.”
Laliberte agrees, arguing the impact will go well beyond Yahoo. “It affects valuation for every company.”
CCTX’s Gordon sees all these consequences as linked.
“Reputational [damage] becomes financial, and the financial hit becomes a reputational piece,” he says. “The other thing that becomes interesting in cyberattacks is you usually think of customers, but often when you’re losing data, that’s also your employees’ data.”
The action plan evolves
Most in-house lawyers, including Ian Kyer, have to think about cybersecurity amid many other things because they’re busy — so busy in Kyer’s case that he offered his advice via email.
The legal counsel for Toronto-based RPM Technologies, a maker of wealth management software, sums it up in four points. First, research cybersecurity and become familiar with it (“Not in the detail that a technology specialist would, but as a management and legal issue,” he says). Next, bring it to the attention of the board and management. Work with them to establish a committee to address the issue from the perspective of the company; and, finally, work with the committee to make sure that a policy is developed and implemented.
If that sounds familiar, it should: IT security experts have been saying much the same thing for years. What’s changing, perhaps, is the way in which technology can not only introduce risks and vulnerabilities into an organization but help better protect it from those same security holes.
In a report that outlines key findings from the 2017 Global State of Information Security Survey, for example, consulting firm PwC positions the cloud as less of a danger and more of a safeguard. Already, 63 per cent of firms surveyed said they run much of their IT in the cloud, and 62 per cent use managed services for cybersecurity. More than half, or 57 per cent, are using biometric technology to ensure that only the right people have access to certain data, and 51 per cent are even using “big data” — unstructured information that is more often touted for its potential in marketing and sales functions — to protect things such as customer records.
David Craig, a partner with the Risk Assurance, Cybersecurity & Privacy practice at PwC Canada in Toronto, suggests in-house counsel should not only advocate for these kinds of investments and strategies but also work with the chief information security officer, or CISO, to become what he describes as a “data protection officer,” raising awareness without necessarily being alarmist.
“Their challenge is to become more operational, and to understand they have to make those investment decisions or help build the business cases and not be driven purely by compliance,” he says.
GCs could start by better understanding the very nature of their organization’s data, Craig says. Is it going to exist everywhere, will it grow exponentially and what will be controlled by the company? Legal teams can also assist with “data classification,” recognizing that not everything can be protected equally all the time but that some is more sensitive than others.
From a policy perspective, Craig says in-house lawyers could also take the lead on things such as “extortion planning.” While some companies have a stance on whether they would pay someone who kidnaps an employee, they may not have defined a response to data loss or theft. This could be as important as preparing for data breach notification laws that may be on the horizon, he adds.
“When you have a breach, just investigating that breach can be an expensive proposition,” Laliberte says. “Fixing it is another big cost. The PR might be even more expensive.”
To be an in-house lawyer who not only steers the policy but collaborates on the strategic use of technology to avoid such disasters, on the other hand, may become nearly as priceless as customer data itself.
The AI answer to cybersecurity challenges
In early January, a report commissioned by the federal government concluded that the public sector is “simply not up to the overall challenge” of defending against cyber-threats. Donald Trump, meanwhile, admitted in a press conference prior to becoming the U.S. president that Russian hackers may, in fact, have attacked the Democratic party’s IT systems.
This probably provides little consolation to in-house lawyers at private sector firms who already feel overwhelmed by the potential risks they face. According to the experts, however, there may be hope in some of the most bleeding-edge technology being developed today: artificial intelligence software, or AI.
In “Toward New Possibilities In Threat Management,” consulting firm PwC suggests AI could do a lot more than automate household tasks or help brands learn how to better target the ads they run:
“In the near future, technologies that enable organizations to ingest and compare threat feeds in real time will continue to rapidly evolve,” it said. “This includes technologies such as machine learning, artificial intelligence and big data analytics . . . We believe that the application of data science to threat intelligence and security-incident management will be the future of how companies address threat intelligence.”
How that may work in practice may be a little hard to imagine, but David Craig, a partner at the firm’s Toronto office, said it’s not as far off as you might think.
“People will give machines the benefit of the doubt when it comes to recognizing patterns,” he points out. “Machines that track logs or other behavioural things that follow into a certain pattern will look for the anomaly — would certain activity be viewed as acceptable use? That’s where a machine can alert a human.”
Picture this: Machines might have established a pattern that Craig logs into his work computer at 8:30 a.m. and works until 5 p.m. This activity becomes what’s recognized as “normal” behaviour. If he’s suddenly not logging in or using applications as often, it might be seen as an anomaly, unless the machine was smart enough to look at other databases to see that he was on vacation, for instance, or that he was taking some emergency time off to deal with a family situation.
It sounds simple enough, but Craig says the real value of AI will be in reducing the number of “false positives” that trip up such systems while still recognizing significant variations in the way employees, customers and entire systems behave or operate on a 24/7 basis.
“It takes an advanced level of analytics to see that there’s not something else that would explain that anomaly,” he says. “You’re marrying up a number of different data sets.”
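The approach Craig sketches has three parts: learn a per-user baseline from historical logs, score each new day against it, and consult other data sources (here, an HR leave calendar) before deciding whether an anomaly deserves a human's attention. The script below is an added example written for this article, not PwC's code or any vendor's product. The user name, every log line and the HR absence records are constructed sample data, and the 30-minute standard-deviation floor and z-score threshold of 3 are arbitrary tuning choices, not figures from the page.

```python
"""Behavioural login baseline with HR-calendar enrichment.

Added illustration for this article, not code from PwC or any product
named on the page. Every log line, user and HR absence record below is
constructed sample data.
"""
from __future__ import annotations

from datetime import date, datetime, timedelta
from statistics import mean, pstdev

USER = "craig"  # constructed user name

# Constructed baseline: ten weekdays (2017-01-02 .. 2017-01-13) of first
# logins clustered around 08:30, as "ISO-timestamp user action" lines.
BASELINE_LOGS = [
    f"2017-01-{d:02d}T08:{m:02d}:00 {USER} login"
    for d, m in [(2, 24), (3, 31), (4, 29), (5, 35), (6, 27),
                 (9, 33), (10, 30), (11, 26), (12, 32), (13, 28)]
]

# Constructed evaluation week, Mon 2017-01-16 .. Fri 2017-01-20.
# There are no events at all on the 16th or the 19th.
EVAL_LOGS = [
    "2017-01-17T03:12:00 craig login",   # off-hours login
    "2017-01-18T08:30:00 craig login",   # ordinary day
    "2017-01-20T02:45:00 craig login",   # login on a recorded day off
]

# Constructed HR absence calendar: approved leave per user.
HR_ABSENCES = {USER: {date(2017, 1, 16), date(2017, 1, 20)}}

MIN_STD_HOURS = 0.5   # floor so a very regular user is not a hair-trigger
Z_THRESHOLD = 3.0     # how many standard deviations counts as anomalous


def first_login_hours(lines: list[str], user: str) -> dict[date, float]:
    """Map each day to the user's earliest login, as a fractional hour."""
    by_day: dict[date, float] = {}
    for line in lines:
        ts_text, who, action = line.split()
        if who != user or action != "login":
            continue
        ts = datetime.fromisoformat(ts_text)
        hour = ts.hour + ts.minute / 60
        by_day[ts.date()] = min(hour, by_day.get(ts.date(), hour))
    return by_day


def build_baseline(lines: list[str], user: str) -> tuple[float, float]:
    """Return (mean first-login hour, standard deviation) for the user."""
    hours = list(first_login_hours(lines, user).values())
    return mean(hours), max(pstdev(hours), MIN_STD_HOURS)


def weekdays(start: date, end: date):
    """Yield Monday..Friday dates in the inclusive range."""
    day = start
    while day <= end:
        if day.weekday() < 5:
            yield day
        day += timedelta(days=1)


def evaluate(lines: list[str], user: str, baseline: tuple[float, float],
             start: date, end: date, absences: dict) -> dict[str, str]:
    """Score each workday against the baseline, then apply HR context.

    Leave records suppress a 'no activity' finding, but a login on a day
    the employee is recorded as away is escalated rather than excused.
    """
    mean_hour, std_hour = baseline
    logins = first_login_hours(lines, user)
    away = absences.get(user, set())
    verdicts: dict[str, str] = {}
    for day in weekdays(start, end):
        key = day.isoformat()
        if day not in logins:
            verdicts[key] = ("suppressed: HR records approved leave"
                             if day in away
                             else "alert: no activity on a scheduled workday")
            continue
        z = abs(logins[day] - mean_hour) / std_hour
        if day in away:
            verdicts[key] = "alert: login during recorded leave"
        elif z > Z_THRESHOLD:
            verdicts[key] = f"alert: first login {logins[day]:.2f}h, z={z:.1f}"
        else:
            verdicts[key] = "ok: within baseline"
    return verdicts


def run_demo() -> dict[str, str]:
    """Run the constructed week through the detector."""
    baseline = build_baseline(BASELINE_LOGS, USER)
    return evaluate(EVAL_LOGS, USER, baseline,
                    date(2017, 1, 16), date(2017, 1, 20), HR_ABSENCES)


if __name__ == "__main__":
    for day, verdict in run_demo().items():
        print(day, verdict)
```

Of the five workdays, the detector alerts on three (the 03:12 login, the silent Thursday, and the login on a recorded day off) and suppresses the Monday with no activity because HR shows approved leave. The enrichment cuts both ways: the same HR record that explains a quiet day makes an active one more suspicious, which is the kind of cross-dataset reasoning Craig describes.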
The predictive variables in question could be authentication credentials such as user names and passwords but also more complex things such as which files or applications tend to be used as part of specific business processes. PwC’s most recent global survey suggests that less than a quarter of firms, or 23 per cent, are actually planning to invest in machine learning and artificial intelligence this year. That’s still a significant portion given that many of the technologies in question are relatively new. If IT vendors can prove it makes the life of security teams — including corporate counsel — a little bit easier, expect those numbers to jump significantly in 2018 and beyond.