Cyber security is everybody’s business
Business leaders may fail to uphold their legal responsibilities if they don't take reasonable steps to prepare their companies for cyberattacks and information security breaches, says Toronto technology and business lawyer Peter Murphy, who has acted as counsel on some of Canada’s most notorious privacy breaches.
The impact can be as debilitating to an organization as a major product liability lawsuit, he tells AdvocateDaily.com.
Given the importance of data in business today, "we have reached the point where the failure to take reasonable steps to protect information in the possession or control of the organization may be a breach of the fiduciary duties owed by senior officers and board of directors of the organization," Murphy points out.
He advises firms to craft and implement policies and procedures around information protection and security incident response, as the risk of a data breach is “huge.”
"Businesses must take prudent steps to protect against loss or unauthorized use of data — and even then, they won’t be able to completely eliminate the risk of an incident. Hackers and the tools available to them are too sophisticated. So the question is not so much if a cyber breach will occur, but when.
"If a data security incident does occur, will the board and management be seen to have acted responsibly? When they respond to the incident, will they follow best management practices and comply with all legal obligations?” says Murphy, a partner with Shibley Righton LLP.
Privacy law in Canada requires companies to use physical, technical and administrative safeguards to protect the personal information they hold. That includes having locked doors and cabinets and controlled physical entry, while technical protections involve passwords and encryption, Murphy explains.
Administrative safeguards are the broadest category, and may involve tracking of data access, user background checks and other controls, as well as the implementation of security policies, plans and protocols, he adds.
"Many smaller or medium-sized organizations might be reluctant to prepare data protection and incident response policies and plans because of the time and effort required, but this exercise should not pose a material drain on resources if it is incorporated into the organization’s strategic and overall governance planning," Murphy says.
He says the responsibility to develop policies begins with the board of directors and top management, but that staff at all levels throughout the organization should be involved in cybersecurity planning.
"It's a common mistake for organizations to think that data protection is just an IT problem," Murphy stresses. "All staff need to have input and bear responsibility to comply with the resulting policies.
"The assistance of experienced legal counsel is highly recommended to ensure the policies reflect the organization’s obligations and, if implemented, will place it in an advantageous legal position.”
Murphy suggests firms start by identifying the information they possess and ranking it in value and importance.
“Then they should assess their vulnerabilities. From there, a data security policy can be created to ensure the necessary safeguards are applied,” he says.
Recording the cyber trails of staff who use the system is a useful precaution, Murphy points out.
“Even more important is exercising control over information access by former employees and contractors. Many incidents I see involve a former employee or independent contractor whose password was never turned off,” he says.
Once a data security policy has been created, the organization should prepare a data breach response policy, so it has a clear and effective response plan available to implement in the event an incident occurs, Murphy adds.
“This plan will cover breach identification and immediate IT response, creation of a management response team, breach investigation, notification, public relations, involvement of law enforcement authorities where appropriate, the offering of data theft services, and steps to ensure the breach never happens again.
"Legal counsel should be involved to ensure the plan reflects the organization’s privacy breach-reporting obligations and places the organization in the best possible position when responding to a data breach,” he says.
Murphy points out there has been phenomenal growth in class-action lawsuits against companies that experienced cyber breaches in recent years.
“The involvement of legal counsel early in the process can help the organization prepare for resulting litigation. A lawyer is best positioned to manage its relationship with privacy authorities and to ensure its disclosure obligations are followed.
“In addition, having a lawyer conduct breach-investigation interviews with staff may invoke legal privilege for those discussions. If the organization is sued for a privacy breach, that protection may be crucial,” he says.
Institutions that take action to mitigate harm to clients — such as providing identity theft services for those affected — could reduce the damages awarded against them, Murphy says.
“In a number of cases, courts have viewed the offering of identity theft services as a very important step," he says.
Organizations should also consider adding cyber-insurance to their risk-mitigation strategies, Murphy says.
Finally, he warns that organizations should not think this exercise ends when the policies and plans are completed.
“A policy is worthless if not properly implemented. That involves staff training, compliance assessment and regular policy review. Cyber security is a new aspect of management that must be attended to regularly. These issues are not going away anytime soon,” Murphy says.