How should legal departments prepare for, respond to and remediate data breaches?

Experts discuss strategies for strengthening your cyber security practices

In today’s data-hungry era, the volume of information being gathered, stored and rapidly exchanged around the world has generated vast cybersecurity risks to businesses. As ransomware attacks have become more intelligent and targeted to extract specific information, legal departments are ramping up defence strategies to protect the business from financial and reputational risk.

“We’ve certainly seen an uptick in cyber attacks and ransomware attacks in Canada in recent months,” said Sean Lynch, director of client strategy and outcomes at Ricoh Canada, who spoke during the Canadian Legal Innovation Forum’s recent webinar on cyber security. “The US is a much richer target than the Canadian market, but we tend to follow along. Attackers are getting much more sophisticated, and targeting things that are of high value.”

In preparation for the likelihood of cyberattacks, organizations should prepare a strong breach response plan which outlines the specific roles of each department including legal, communications, IT and senior management, according to John Salloum, partner, privacy and data management at Osler.

“You don’t want to have to figure out who is going to be doing what in the middle of a ransomware breach,” said Salloum, who also spoke at the webinar. Finding the right experts to step in and remediate to identify the full scope of the breach is also critical, he added.

Companies need to be aware of exactly what data they are holding and where it is at all times, according to webinar panelist, Nasim Ghaseni, associate lawyer, data privacy, cyber security and technology law at Deloitte Legal. Data mapping and strict data retention policies are essential, in addition to training for employees, she suggested.

“The more data you hold, the more vulnerable you will be, so make sure you follow those policies and don’t hold on to unnecessary data,” said Ghaseni.

Putting a proactive plan in place is not expensive compared to the cost of dealing with a breach, Lynch added.

Salloum recommends that organizations follow four steps when a breach occurs:

Containment of the breach: Making sure the right teams investigate the scope of the breach

Evaluating the risks: Assess the cause and extent of the breach and who has been affected by it

Notifying stakeholders: All parties should be notified – not just when legally required, but also from a customer trust and employee trust perspective

Prevention: What can be done to ensure this does not happen again?

Third parties with whom data is shared – such as vendors and service suppliers – must also be informed of a breach within certain deadlines according to your contract, Ghaseni added.

The panelists agreed that organizations may wish to consider breach insurance. As the number of ransomware attacks increases and ransomware payments rise, insurance products become more sophisticated and therefore more expensive.

“Insurers are getting more sophisticated with learnings around the types of things that they will insure and the types of things that they will exclude, and requirements they have in place to get that insurance,” said Salloum.

In the event of a breach, notifying the insurer quickly is a critical step. Even if your insurance policy does not specifically include cyber insurance, Salloum recommends notifying the insurance company in case a portion of the incident may be covered by another part of the policy.

Remediation and recovery should also be included in the insurance policy, Ghaseni added.

“It’s very important that organizations strengthen their system and do a very hardcore restoration right after a breach, because they are more vulnerable than before,” she said.

After a breach, once regulators and insurers have been contacted and the incident has been logged, legal teams should hold a debrief with all stakeholders to establish policies and procedures that must be implemented as an organization to prevent further breaches. Building and following good retention policies is key.

“Retention is a painful topic,” said Salloum. “I don’t know too many organizations that have nailed it. It’s easy to store data but it’s really hard to get rid of it for a variety of reasons, both human and technological.”

Different types of data may require different retention policies, Lynch added, which can be challenging to manage.

“Building a policy takes a significant amount of time and effort because you need to understand how your organization is creating data, how they are managing that data, where it is living within the organization, and what is the purpose of holding it,” said Lynch. When the policy is in place it must be carefully audited to ensure it is being properly followed, he added. Policies should also be revisited regularly to ensure they accurately reflect the business.

“In the event of a breach, if you know exactly what is on your servers at any given moment, the response component will be much faster and less expensive,” said Lynch.
