The exponential growth of data risks

A junior employee used his access to US military databases to download and share top military secrets with his friends in a Discord private chat. Twenty-one-year-old Jack Teixeria was arrested for leaking the documents, and the investigation continues into how the young cyber transport systems specialist got access to the sensitive documents.

On April 21, the American Bar Association notified nearly 1.5 million users that their username and password information had been hacked. The letter, sent by Annaliese Fleming, senior associate executive director and general counsel, outlined how an unauthorized third party had stolen user information from the ABA’s old website, updated in 2018. So far, it’s unclear how the third party accessed the information.

These recent data breaches are a reminder of the need for data security. The “2023 Canadian In-House Counsel Report” indicated that 50 percent of in-house counsel expect to spend more on data privacy in the next year. With new legislation, the rapid adoption of AI technology, and increased costs in cybersecurity insurance, in-house counsel are facing new challenges in keeping up with data security.  

David Mousavi knew from the beginning of his career that he wanted to work in-house. After completing a dual JD/MBA program at York University, he worked for a few years in private practice before moving in-house at the Toronto Real Estate Board. He joined NRT Technology, a global fintech company, in 2021, where he oversees data security and privacy issues as senior vice president legal, compliance, and general counsel.

_{David Mousavi}

“Data wasn’t as valuable 10 to 15 years ago as it is today,” says Mousavi. “There are new challenges because we have changed the way we use data. Now in-house counsel have to consider, ‘How does my organization use data, and what are the risks to that?’ These challenges are progressing. Data is like toothpaste. Once it comes out, it’s out, and there’s no way to get it back in.”

For in-house counsel, the best thing to do is build relationships with your IT and privacy departments. Mousavi decided to be proactive and began having quarterly meetings with the IT department to discuss ongoing projects and safeguards. He worked with the IT department to create a “data security matrix” that looks at where the data is, who accesses it, where it’s stored, and how it is managed and used.

“From our data matrix, it helps inform how we train employees and make sure our team members in the organization know their obligations,” says Mousavi. “That’s where we talk about logging off computers when you leave, other basic practices. It sounds simple, but these things are how breaches can happen.”

Data and privacy

Significant legislative changes are happening that will affect data, privacy, and cybersecurity. Bill C-27, the proposed artificial intelligence and data act, deals with reforming the Personal Information Protection and Electronic Documents Act (PIPEDA), creating a new privacy tribunal, and implementing AI regulation. Bill C-27 would significantly increase fines for non-compliance. The legislation aligns with Europe’s General Data Protection Regulation (GDPR). Quebec passed similar privacy legislation last year and is the first province in Canada to do so.

“Privacy laws were vanilla in the past,” says Helen Deschamps Marquis, national leader in cyber, privacy, and digital law at Deloitte Legal Canada. “Privacy officers know about the data, IT knows about performance, and general counsel know about legal risk. Privacy officers were managing data and dealing with processes. Once you have stronger laws, you need to look at legal risk. You need to have a different approach.”

_{Helen Deschamps Marquis}

Organizations that incorporate privacy into their systems are at a competitive advantage with consumers and in recruiting employees. Deschamps Marquis recommends that organizations do a gap assessment to determine where their data is stored and identify policy gaps.

“The challenge for GCs is not understanding the law but getting information and asking the right questions,” says Deschamps Marquis. “Some people think their organization doesn’t have data. They say no, but then you find out they track people, for example, through marketing applications. You need an assessment to find out what is the current situation.”

Another central area for improvement is the use of multiple systems. Many organizations use various databases and software that don’t necessarily share information easily. Deschamps Marquis says this is a serious cybersecurity issue when employees are given access to large amounts of data because systems can’t talk to each other.

“I was talking to a financial institution yesterday, and they mentioned how people need access to this one system for work, and they have access to everything,” says Deschamps Marquis. “That’s a problem. We shouldn’t be sharing all the information, just what you need. Most general counsel don’t have a complete picture of who has access, who is giving access, and how information is deleted.”

Deschamps Marquis recommends incorporating privacy-by-design principles into systems, which includes having privacy as a default setting, ensuring data is destroyed when no longer needed. Also, “You need to take a privacy-by-design approach where your systems are transparent, and people are able to see how the data is being used,” says Deschamps Marquis.

Managing data and legal risk

As the amount of data increases, so does the work. The new legislation takes a big step toward more user protection but needs to be more comprehensive. There are still ongoing issues in data privacy and risk.

Cybersecurity is a growing practice that’s come into prominence in the past 10 years. Imran Ahmad started his cybersecurity practice in 2013. His practice picked up when the Target breaches occurred in 2014, affecting millions of Americans and Canadians. He wrote the first cybersecurity textbook, Cybersecurity in Canada: A Guide to Best Practices, Planning and Management, in 2017. He recommends that in-house counsel look for support when making data decisions.

“The bigger issue is timelines and having to make quick decisions,” says Ahmad, partner, head of technology, and co-head of information governance, privacy, and cybersecurity. “You have to have the right vendors, and you need a plan on how to manage this. For example, when you’re handling a merger, you have to make a decision in a few hours, and you can have a forensic firm there for advice about the cybersecurity risks.”

More data breaches have led to increased costs in cybersecurity insurance. Cybersecurity insurance covers various costs, from legal and PR expenses to credit monitoring, ransom payments for any ransomware, and business interruption costs. Getting cybersecurity insurance doesn’t replace the need to invest in new systems. Even if there’s a data breach, organizations can expect to pay out-of-pocket costs to update their technology.

“It’s important to remember cybersecurity insurance is meant to bring you back to the beginning, not to upgrade your tech,” says Ahmad. “If you have a sedan, you don’t get an SUV.”

The due diligence involves managing cybersecurity insurance, reviewing contracts, and ensuring employees have the proper training. What used to be a few lines in contracts can make up two to three pages covering where data is stored, how it’s used, and notice periods for any breaches. That means extra time and effort to review contracts and incorporate third parties into incident response plans. Mousavi and his team have procedures for dealing with different issues ranging from third parties wanting to notify customers directly about a data breach to knowing who needs to be informed first. It’s part of the growing necessary work in-house counsel must do to manage data security.

“You should build relationships in your organization and understand how your data systems work,” says Mousavi. “You have to do your due diligence so you can manage the risk.”

Top Priorities for In-House Counsel

Data privacy: 50 percent

Risk & compliance: 50 percent

Contract management: 44 percent

Source: 2023 CCCA Canadian In-House Counsel Report

Cybersecurity Trends in 2022

30 percent of organizations experienced a data breach

15 percent of organizations reported a loss of customers following a cyberattack

Source: Canadian Internet Registration Authority (CIRA) 2022 Cybersecurity Report