Potential for exposure increases in a hybrid work environment, attendees told
As the growth of data that companies have access to continues unabated, legal counsel for businesses need to understand how they can help their clients prepare for and respond to potential cyber breaches, attendees at a webinar on tech innovation and privacy heard recently.
“I really see an explosion of risk,” Ryan Berger, a Vancouver-based partner at Lawson Lundell LLP, said during a discussion on privacy and cybersecurity organized by the Canadian Legal Innovation Forum. “Managing that data and limiting access is a huge area that organizations need to pay more attention to.”
He added that organizations dealing with a data breach will often say, “‘Gosh, you know, we didn’t realize we had this [data] anymore,’ or ‘We thought we had purged this,’ or ‘We didn’t realize that we collected it in the first place.’ But then it gets caught up in some sort of exposure, either by misuse by an employee or a ransomware incident.”
With most organizations adopting hybrid work models under which employees regularly work offsite, the potential for exposure to cyber-attacks increases. And because a hybrid organization’s data is distributed across multiple users, platforms, and devices, breach response is often very complex.
In 2021, data breaches cost Canadian companies up to $7M in recovery, and the potential costs for litigation are significantly higher.
Whether they are in-house or external counsel, data forensics is now a critical part of legal counsel’s response to any cyber breach, webinar attendees were told. Counsel’s job is to mitigate the impact of the breach on the organization, and to do that they need to know what data was accessed, whose information was accessed and whether there is an obligation to report.
Natasha Anzik, in-house privacy counsel at WealthSimple, said that seeing cyber threats and incidents reported in the media has prompted the online financial planning company to prepare for those risks. For example, WealthSimple focuses on “ensuring that we have a lot of automated controls in place to manage and mitigate any exposure and ensuring we are destroying information that we don’t need anymore.”
She added: “So we’re really taking a wholesome view of our practices, whether it’s in response to a breach or whether it might be in response to something else and making sure that we’re being transparent [with customers] and that we’re staying on top of our privacy controls.”
As well, new federal privacy legislation now making its way through parliament, along with more provincial regulation in provinces such as Quebec, has “added a whole new layer” to how firms must assess and prepare for cyber breaches, Anzik said. It’s a sentiment that Bradley Freedman, a partner with Borden Ladner Gervais LLP, echoed.
“Organizations are realizing that things are getting serious here in Canada, particularly with respect to the ability of regulators, whether it be privacy commissioners, or sector specific regulators, to impose binding orders and impose administrative monetary penalties,” Freedman said. “So that’s really changing the risk-based calculus.”
Bill C-27, which would replace the current Personal Information Protection and Electronic Documents Act (PIPEDA), introduces three new acts: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA). Bill C-27 is the successor to Bill C-11, which died on the order paper when parliament was dissolved in the fall of 2021.
Freedman says there are three principles behind the proposed legislation. “First it gives all individuals some rights with respect to personal information that they don’t yet have in Canada. Second, it imposes obligations and liabilities on organizations, and their service providers, that control data. And the third is the potential for more robust enforcement and compliance provisions, including the ability to impose administrative penalties.” Also, courts could impose fines for specific infringements of the law.
Freedman said: “Organizations that have experienced a data security incident know the costs and potential liabilities, but organizations that have not had this sort of issue have maybe not paid the attention that they ought to have.”
He also noted that security and privacy issues are increasingly important in mergers and acquisitions. “So having to do cyber due diligence, which drives adjustments to risk allocation provisions in the transaction agreement, is becoming more important,” he said. He added it is a phenomenon underscored by the Privacy Commissioner’s decision in a data breach investigation following the Marriott hotel chain’s purchase of Starwood in 2016.
In September 2018, Marriott discovered a breach of the Starwood network involving unauthorized access to a Starwood guest reservation database of up to approximately 339 million customer records (including up to 12.8 million records of Canadian individuals). This included guest profiles and contact details, account and reservation information, and for some individuals, passport details (which in some cases were unencrypted) and encrypted payment card details.
The breach spanned more than four years, from July 2014 until September 2018. The unknown attacker took steps to prepare to exfiltrate data from the Starwood network, but Marriott was unable to determine whether the attacker had actually done so.
The Privacy Commissioner’s decision, published in September 2022, ruled that Marriott contravened the Personal Information Protection and Electronic Documents Act (“PIPEDA”) regarding personal information in the compromised Starwood database.
Sean Lynch, director of client strategy for digital business solutions provider Ricoh Canada, said “risk and associated components of the business that touch on data” is increasing because “we’re holding more data than we ever had, and it increases on a daily basis.” If businesses are not paying attention to data management risk and actively managing it, he said, the reputational and financial consequences could be severe.
“We need to make sure that organizations are properly managing that risk, especially for those organizations that have never had a data breach before and don’t understand or appreciate what the consequences could be,” Lynch said.
Ricoh Canada’s cloud and IT infrastructure portfolio manager, Prerna Pandey, said that companies need to “100 percent get it right” to prevent cybersecurity breaches, but “bad actors only need one time to be successful.” That is why consistency is so important.
On the positive side, Pandey said, “there are many tools and software solutions on the market, which can help you in that disaster recovery plan.” There are also tools and solutions available that can help quickly determine the source of the breach and how much data was encrypted.
“So that’s the magic of evolving technology,” she said, noting that in the past, data security teams could take two or three days to find the source of a breach.
“I feel that investing in the right solutions and software is very important,” she said, adding that insurance to cover such cybercrime should be considered, as the case for return on investment is easy to make.
She said that even applying for cyber insurance is a step in the right direction, as “many insurers want you to implement several preventive solutions before they consider offering insurance.”