In the current season of the television drama Homeland, the character played by Claire Danes is hot on the trail of a mysterious woman who may be involved in the poisoning death of a treasonous military general — at the request of a chief of staff serving under an authoritarian president.
However, the former top CIA agent Danes plays on the show is temporarily derailed in her investigation and her life put in danger by a very sloppy mistake. She clicks on a link sent to her anonymously by a person in an online forum, which she believes contains crucial evidence. Instead, it immediately freezes her laptop and the hacker demands money and sexual favours or he will make public data on the computer that could bring down the United States government.
The online security breach in this case was a plot device in the long-running and popular fictional television program. But in the real world of American politics, the result of the 2016 presidential election may have been affected by the careless information technology practices of Hillary Clinton’s campaign team. Thousands of emails related to the Gmail account of campaign chairman John Podesta were ultimately made public as a result of a “phishing” attack. Podesta was sent an email that appeared to be from Google and indicated he needed to change his password. In fact, it was sent by Russian-linked hackers. According to subsequent media reports in the United States, while the email was flagged, there was confusion over the response from the Clinton IT team, the fake link was clicked and the hackers obtained his password.
These are just two examples, one fictional and one very real, of the potential consequences of cybersecurity breaches and just how easily they can occur, even to sophisticated individuals or well-resourced organizations.
The need to defend continually against such breaches or attacks, and to have a plan to respond immediately if one occurs, is not limited to the world of international intrigue and hostile foreign actors. Technology experts and lawyers who specialize in this area say it is an issue that needs to be top of mind for all businesses, whether they are relatively small or are publicly traded with operations outside of Canada.
As well, new regulatory requirements with greater reporting obligations about privacy breaches are about to take effect in the European Union and in the coming months in Canada. The increased awareness has also resulted in the creation of “cyber-insurance” as a way of trying to mitigate the expenses of responding to a breach.
“This is not just about multi-nationals anymore,” says Nathalie David, a partner at Clyde & Co. in Montreal. “I think the message is sinking in. You should have a cybersecurity response plan already in place or be working on one. Even a small incident can lead to devastating consequences,” says David, whose practice focuses on the insurance sector, regulatory compliance and cyber-risks.
While cybersecurity issues may now be a much greater priority for businesses and governments in this country, it has not always been the case, suggests Imran Ahmad, a partner at Miller Thomson LLP in Toronto who also heads the firm’s cybersecurity and data breach practice. “Canada has historically been lagging behind the U.S. and the E.U.,” he notes. In the U.S. for example, nearly every state has mandatory breach notification requirements. Many states such as California also post online the names of companies with a reported breach so the details can be accessed by the public and not just affected individuals.
In Canada, the only province currently with mandatory notification is Alberta. By the end of this year though, the provisions of the federal Digital Privacy Act that deal with reporting requirements are expected to come into effect. While that statute was originally passed in 2015, the aspects that dealt with mandatory reporting did not become law at the time. The federal Liberal government has been engaged in a lengthy consultation process over the regulations that will apply to privacy breaches.
The proposed rules around reporting privacy breaches to the Privacy Commissioner of Canada and affected individuals are expected to be similar to the General Data Protection Regulation drafted by the E.U., which comes into force May 1.
In the federal budget announced in February, a commitment of $155 million was pledged over five years for a new Canadian Centre for Cyber Security. As well, the RCMP will receive $116 million over the next five years to establish a National Cybercrime Coordination Unit.
While the additional funding from the federal government to increase the focus on fighting cybercrime is a good idea, this is unlikely to reduce the burden on the private sector in preparing against and responding to security breaches, says Ahmad.
“More often than not, you should have the mindset that you will not be getting significant initial help from law enforcement. You need to make sure you have your own cyber-response plan and that your vendors of record have been properly vetted. That will help you when you go to law enforcement. You can show them, here is the research and investigation we have done,” Ahmad says. He adds that police do not have the resources currently to address the volume of crime in this area and may not have the expertise if it takes place outside major urban centres.
Co-ordinating with police is worthwhile, but it might be at a later stage, after a company has initially responded to any breach, suggests David. “It is important that there is information and data accumulated about these types of incidents. This will increase resiliency [to future attacks],” she says.
Daniel Tobok, chief executive of Cytelligence Inc., a Toronto-based security company, says police in Canada currently have backlogs of as long as 18 months in dealing with cybercrime cases and it is not difficult for individuals to escape detection.
“You can buy all the tools you need for ransomware on the dark web for about $10,000. It is like a ‘do-it-yourself kit.’ It will even tell you how to launder the money [in a crypto-currency]. This is an easy crime compared to a bank robbery,” says Tobok. For businesses, the immediate priority should be self-interest. “This is not about discovering the identity of the perpetrator. It is about minimizing and containing the damage,” Tobok explains.
Ransomware, where a victim’s computer is locked and the attacker demands a payment to unlock it, was the method of attack against Claire Danes’ character. It is also a rising real-world issue, Tobok observes. “On a monthly basis, it is now about 50 per cent of our activity,” he says.
“This is the new pickpocket,” states Paige Backman, a partner at Aird & Berlis LLP in Toronto and the chairwoman of the firm’s privacy and data security group. “What makes this crime appealing is it can be done from anywhere in the world,” she adds.
To reduce the risks a company faces will require a comprehensive cybersecurity strategy and meaningful training of employees. This includes a number of measures, notes Backman. “Insiders who used to work with you may want access to information. Make sure once the relationship is terminated, all avenues of communication [access] are terminated. Ensure your security protocols require two-factor identification. Look at how data is handled and separate the information that can identify individuals,” which will reduce the potential liability if there has been a security breach, Backman explains.
Employees at all levels within a company must also receive proper training about potential breaches, which can happen as easily as clicking on an email that appears genuine. “Training is not a once-a-year lunch. It needs to be done regularly, it should be very specific and the results of the training should be audited,” says Backman.
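The kind of email that “appears genuine” usually gives itself away in the link itself: the visible text shows one domain while the underlying address points somewhere else, or the target is not a domain the company recognizes. The following is an added example, not code from the article or from any of the firms quoted in it, showing how a defender can triage the links in an HTML email body automatically. The email body is constructed for illustration, and the trusted-domain list, the `registrable_domain` approximation and the `check_links` function are assumptions of the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message): the first link shows one
# address as its text but its href goes to an unrelated domain over plain http;
# the second link is a legitimate one to the same trusted domain.
SAMPLE_EMAIL_HTML = """
<p>Someone has your password. Please change it now:</p>
<a href="http://accounts-google.example.net/reset">https://accounts.google.com/reset</a>
<p>Or review your <a href="https://accounts.google.com/security">security settings</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation (assumption of this example): keep the last two
    labels of a hostname. A production check should use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_links(html, trusted_domains):
    """Return one finding per link, flagging the patterns a phishing email uses:
    plain http, display text that names a different domain than the href,
    and a target domain outside the organisation's trusted set."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        reasons = []
        if target.scheme == "http":
            reasons.append("plain http")
        target_dom = registrable_domain(target.hostname or "")
        # If the visible text looks like a URL, compare its domain with the real one.
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown:
            shown_dom = registrable_domain(shown.group(1))
            if shown_dom != target_dom:
                reasons.append(f"text shows {shown_dom} but links to {target_dom}")
        if target_dom not in trusted_domains:
            reasons.append(f"{target_dom} is not a trusted domain")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL_HTML, {"google.com"}):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag}: {finding['href']} ({'; '.join(finding['reasons']) or 'no issues'})")
```

Run as a script, the first link is reported as suspicious on all three counts and the second passes. The same check is what an awareness-training exercise asks employees to do by eye, hovering over a link before clicking, and the mismatch between displayed and actual domain is the single most reliable tell on a small phone screen where the full address is otherwise hidden.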
Tobok agrees that companies must approach this type of training for employees very differently than the ways they may have in other areas. “It should not be like the ethics course where you click away while eating a cheeseburger at your desk. That won’t work. You have to make it real,” he stresses.
Law firms, for example, have been susceptible to cyberattacks, says Tobok, because lawyers are used to accessing documents online, often without first checking whether they are authentic. Smartphones, with screens much smaller than those of computers, make it even harder to confirm that a sender’s address is genuine. “Mobile has been great for the bad guys,” he says.
Maryann Besharat, vice president, corporate legal & compliance at Intact Financial Corporation, agrees it is vital that employees not only undergo training but understand that the risks of a breach are not just from the stereotypical image of a teenaged, hoodie-wearing hacker operating out of his parents’ basement. “It can be regular things employees do that expose us to malfeasance,” she says.
As well, the way training is conducted impacts on its effectiveness and using humour is sometimes a good device. “You want the employees to be engaged and for the message to sink in,” says Besharat.
A purported hack that only a small number of very senior employees know to be fake is also a more effective way to assess a company’s incident response plan than a tabletop simulation exercise, she notes.
The training must also extend up to senior employees and the board of directors in larger companies, so they know what to ask, says Ahmad. “The questions they should be asking are what kind of data do you hold, what implementation processes do you have for compliance? It is not just about having a training protocol. You have to have a strategy,” he states.
Sean Boyle, a partner at Blake Cassels & Graydon LLP in Vancouver, agrees that assessing the type of data that should be stored — either about the company or its customers — is a necessary part of any cybersecurity plan. “Some companies are looking at collecting less private information to reduce its exposure,” says Boyle, a litigator who regularly acts on regulatory compliance issues. One way to do that, he explains, is to require a “self-selected password” as an additional step for a customer to access a service.
Given the “reputational damage” that can happen if there is a privacy breach, “the communications aspect should also be part of the planning process,” says Boyle.
In one of the only privacy breach class actions to date in Canada, an Ontario Superior Court judge ordered much lower damages against Home Depot than what the plaintiffs were seeking, in part because of the quick response by the company, an apology and assurance that customers would not be responsible for any fraudulent charges.
Another area where concerns about privacy breaches have had an impact is in the field of cyber-insurance. “It is still developing in Canada,” says David, who notes a potential benefit is the expertise that an insurer can bring if there has been a breach. “You need to determine what your risks are” when considering this type of coverage, and the IT team should be one of those consulted in the process, she says.
Given that it is still relatively new, there should be a careful review of the terms, suggests Backman. “The language is not yet standard. What are the carve-outs? Are there a lot of pre-conditions?” she asks.
For smaller to medium-sized companies, cyber-insurance can include ongoing advice that is not available in-house in addition to “assisting with cost recovery if there is any damage,” says Besharat, comparing it to that of an on-site consultant.
Comprehensive response plans, effective training of employees, strong firewalls and regulatory compliance are all now essential tools in the corporate world for dealing with the threat of cyberattacks. As for the character played by Danes (spoiler alert), she agreed to meet with the lone hacker in a nearby deserted warehouse and, after a few harrowing moments, beat him senseless to within an inch of his life to get her computer unlocked. It was a response plan that never would have been necessary if she had resisted the urge to click on the corrupted link in the first place.