Legal departments ramp up data protection measures as remote work leads to a spike in cybercrime
As many businesses around the world were forced to shutter offices when the World Health Organization declared a pandemic in March, concerns about data security and the threat of cyberbreaches began to rise exponentially. With most office-based employees required to work remotely to try and curb the spread of COVID-19, many organizations found themselves scrambling to cope with increased security vulnerabilities. Using home servers and unsecured personal devices can create a host of security issues.
“A number of organizations were not prepared for this type of contingency,” says Ruth Promislow, a partner at Bennett Jones LLP. “This level of remote access is highly unusual, so, if an organization hasn’t prepared for this contingency and tested the security of that model, they can easily be subject to vulnerabilities.”
Many organizations have noted an increase in the number of phishing emails and criminal attempts to install malware as a result of the new dynamic of remote work. Malicious emails purporting to offer health information and updates on the pandemic are creating additional security risks.
“Cybercriminals are basking in the opportunities that are presented by this pandemic,” says Daniel Leslie, an associate at Norton Rose Fulbright LLP. “This situation has given them a playing field to be infiltrated. We have already seen a huge spike in incidents of scams and cyberattacks on the internet structure of individuals across Canada. “With people working unsupervised, there are risks around monitoring and risks around devices that are exposed to third parties, around protecting passwords and around being sanitary with the use of technology.”
At Sierra Systems, internal security protocols were established long ago to protect networks. However, with the new landscape of remote work, the legal department has increased measures to further protect company and client data. Educational chips, cheat sheets and tools were sent out to employees to make sure they are logging in safely through the correct portals, avoiding bypasses and taking enough security measures at home.
“As an organization, we use a dual-factor authentication for logging in, and we have four or five fairly sophisticated software elements that we introduced a while ago, but they are now being used extensively because of the COVID-19 situation,” says Robert Piasentin, who, at the time of interview, was general counsel at Sierra Systems, an NTT Data company. “Our business is servicing clients that have sensitive information in the health space and the justice space and other spaces, so we need to make sure we are equally ensuring the security of that information relating to our clients.”
Platforms including Zscaler and Carbon Black have been in place at Sierra for some time, but they are now being widely used to provide additional protection while employees are working remotely. Sierra’s IT teams are working hard to identify new risks as quickly as possible and to prepare employees for phishing attempts. Employees are staying connected through Zoom meetings, which raises additional concerns.
“We are making sure people are aware of vulnerabilities and they know the steps they need to take to prevent Zoom bombs and additional security breaches that could hurt us or our clients,” says Piasentin, who recently left Sierra Systems to join McMillan LLP.
Data protection has always been top of mind at Mogo, a Vancouver-based financial technology company with more than one million customers.
“As a fully digital business, one of our top priorities is to make sure we protect the company from external and internal breaches,” says Alice Davidson, vice president and general counsel at Mogo. “We designed our systems in such a way that people have the ability to work remotely and still be under the protective shield of our IT security system. The risk is certainly greater, but, as an organization, we were well prepared for that.”
While many employees were already accustomed to remote work, Mogo transitioned to a fully remote workforce at the start of the pandemic, which involved moving desk-top computers home for call-centre staff. Some employees have been permitted to use their own personal computers at home, which has not been a security concern, Davidson says.
“They are remotely connecting to the Mogo environment, so there is no way they can transfer data to personal computers or vice verse,” she says. Additional security training on the protection of data was implemented, and confidentiality agreements were required for some staff.
Imran Ahmad, a partner at Blake Cassels & Graydon LLP, has seen a global move toward an increase in privacy, data protection and governance. He notes a general awareness to have more privacy data protection and data governance built into enterprise risk management within organizations.
“From my standpoint, in-house counsel are the quarterback of everything related to cyber, privacy and data governance,” says Ahmad. “A lot of people turn to in-house counsel as the best risk management advisor within the organization because they can balance legal and business in a meaningful way.”
Ahmad advises in-house counsel to take an inventory of data by creating a detailed data map of the information they hold.
“What information do you hold? Where do you hold it and how is it held? Is it corporate data or trade secrets? Is it on the premises in a server or on a cloud? Is it encrypted or not?” he asks. Such an inventory allows organizations to take stock of the data they hold and to remove old legacy systems and data sets that are no longer needed as a good way to reduce the digital footprint and, therefore, lower the risk level.
If there is a cybersecurity breach, lawyers advise retaining outside counsel expertise. “It is not just about responding but ensuring that all boxes are ticked along the way,” says Leslie. “Legal privilege issues arise and the need to protect information is born out of this situation.” When a data breach involves client data, in-house counsel must be able to demonstrate that they took all reasonable steps to prevent such an attack.
Referring to Sierra Systems, Piasentin says: “We do work for many health authorities, so if there was a breach and personal information was disclosed and we did not have the proper security in place, we would be in trouble; so, it’s important that we can demonstrate that we took all necessary security measures and it was beyond our capability to prevent.”