Minimizing risks and responding to data breaches

Data security breaches, when data is released to or accessed by unauthorized individuals, have been all over the headlines. The recent crises experienced by Sony, Target, Michael’s, Canada Revenue Agency, and others are hard to ignore, as are the growing number of privacy breach class actions.

Many security experts say it is not a matter of whether your company will have a security breach, it is a matter of when it will occur and how much damage your company will sustain. To my mind, there are really two key questions for inside counsel:

1. What can I do to minimize data breach risk in my organization?
2. How should I respond to a data breach if and when it occurs?

I have distilled the answers to these questions into two checklists to get you started.

Minimizing data breach risk

1. Comply with industry, national, and/or international IT security standards. For example, the Payment Card Industry Data Security Standard is a must for any organization that handles cardholder information for the major debit and credit cards. The International Organization for Standardization and International Electrotechnical Commission has a growing family of standards on IT security techniques that are prepared by international experts in data security. The U.S. National Institute of Standards and Technology has recently published a framework for improving critical infrastructure cybersecurity.

Even if your organization cannot become fully compliant with such standards, you should borrow from them any risk minimization strategies that are feasible for your organization.

2. Use encryption and other advanced technologies where possible.

3. Accept that cybersecurity technologies are not foolproof. People, practices, and technology need to be used together to boost cyber-defences.

Indeed, comprehensive security standards do not simply deal with technology. For example, ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization. The related Code of Practice for Information Security Management (ISO/IEC 27002) contains 11 areas of guidance, including asset management, human resources security, and business continuity management.

4. Train employees about data breach risks and best practices, including password management, protecting encryption keys, updating software, and how to detect suspicious activities.

Many of the recent media-worthy data breaches in Canada have been caused by human error. For example, in 2013, Human Resources and Skills Development Canada lost a portable hard drive containing unencrypted personal and financial information, including Social Insurance Numbers and birth dates, of more than 500,000 people who took out student loans and 250 employees.

5. Negotiate key contract terms with your third-party service providers, including covenants on the following issues:
a. Compliance with privacy laws and with your chosen data security standards;
b. Ongoing audit rights;
c. Ownership of your data, access to your data, and permitted uses by the service provider;
d. Data breach notification and investigation rights (you cannot respond to a breach if your cloud service provider does not tell you that your customers’ personal information has been compromised);
e. Retention rules and procedures for implementing a legal hold in the face of a pending lawsuit or investigation;
f. Parameters for termination for breach;
g. Rights to obtain all of your information on termination;
h. A procedure for ensuring deletion of confidential and personal information from the service provider’s systems.

Finally, when shoring up defences, explore cyber-liability insurance. Traditional general liability, directors and officers, and errors and omissions policies may not provide coverage for losses arising from a data breach. There are, however, insurance products available that cover both first-party losses and third-party liabilities arising from a data breach.

Data breach response checklist

When a data breach occurs, you should implement your data breach response plan. If you do not have one, take at least the following steps:

1. Bring together your data breach response team, which should include IT, legal, management, IT forensics, and, if warranted, public relations.

2. Do not power down your systems. Shutting down your systems could destroy valuable, volatile data and hamper the breach investigation.

3. Gain an understanding of what is considered sensitive data in your organization and where it resides.

4. Interview those involved in discovering the breach and, if warranted, bring in a forensics firm to begin an in-depth investigation, delete any hacker tools, and address any immediate security gaps.

5. Determine whether you have any legal notification obligations (for example, privacy regulators or insurers).

6. Even if you do not have any notification obligations, consider whether you want to notify customers whose data was compromised, privacy regulators, and/or law enforcement.

7. If the breach relates to financial information, consider whether to offer free credit monitoring. The Journal of Empirical Legal Studies published a paper in its March issue in which researchers conclude that the odds of a firm being sued are 3.5 times greater when individuals suffer financial harm, but six times lower when the firm provides free credit monitoring.

8. Document your learning from the incident.

9. Address any longer term security vulnerabilities.

10. Prepare a data breach response plan for next time!

Kelly Friedman is a partner at Davis LLP. If you would like more information on data breach issues, contact her at [email protected].
