Brave new world: navigating privacy breaches
By Rob Lamberti, AdvocateDaily.com Contributor
New requirements for businesses to report data breaches to the Office of the Privacy Commissioner and alert their clients will not likely result in many fines, says Tyler Hatch, founder and CEO of DFI Forensics Inc.
The mandate that clients be notified if their personal data has been breached on a company's website came into effect last Nov. 1. The Personal Information Protection and Electronic Documents Act (PIPEDA) also requires firms to notify the privacy commissioner of the incident.
Failure to do so could result in fines of up to $100,000. However, Hatch says the government doesn't appear to be on a hunt, but rather is using legislation to get organizations to take cybersecurity seriously.
"This isn't some big hammer," he tells AdvocateDaily.com. "As I understand it, the option is there for the government to issue fines, but the likelihood of that happening is pretty low — that seems to be the consensus."
Before the recent changes to the legislation, companies that were hacked had no responsibilities to communicate the breach to those affected, and the majority of incidents only garnered attention once they were reported in the media, Hatch says.
"They had no obligation to tell their clients that their information had been accessed," he says.
Now, under certain conditions, organizations must report breaches to the Privacy Commissioner. The office has to ensure that compromised organizations are following proper safety practices to prevent a violation from recurring, Hatch says.
"But more importantly, the legislation says anytime a client's data is accessed, whether it's an address, a credit card, or an email address, you must notify that person that somebody may have their private information and doing who knows what with it," he adds.
"That's the big one because organizations don't necessarily want to tell their large customer base that their information wasn't kept safe because it may lose half of its clients," Hatch says.
He suspects the government would not take it lightly if a business opts to notify only the privacy commissioner and not the people affected.
Hatch cites a recent breach where a hacker exploited a multinational company's files for about five years.
"People can't ignore this kind of situation any longer, and I'm talking about the decision-makers in an organization," he says. "The CEOs and the directors are kind of aware that this is an issue, but they're not sure whose problem it is."
Hatch says by being proactive and talking to their lawyers, companies could enhance their reputations — even if they may not always succeed in keeping cybercriminals out.
"Being a victim of circumstance doesn't mean you're to blame, but how are you going to react to it?" he says. "Are you going to hide it from your clients because you're afraid of how they'll react or will you tell them because they might want to check their credit reports and change account passwords?"
DFI performs forensic investigations to determine what may have occurred in a breach or other suspected wrongdoing.
"I come in when something bad has occurred, and I try to tell the story of what happened so we can properly react to it," Hatch says.
A company’s natural first instinct is to turn to IT staff when a breach occurs, but the skill set for investigating security hacks requires specific expertise to accurately collect and analyze evidence, he says.
"Someone who’s not properly trained could wipe the intruder's tracks and remove their fingerprints from the digital evidence," Hatch says. "We can work with IT to help them accomplish their goals while effectively collecting the evidence.
"It's important for us to be involved in the incident response plan," he says, and to outline how the organization will respond to the cyber attack. The response team includes a lawyer, the IT staff, a cybersecurity firm, and other key staff from the company who will reach out to media, staff and clients.
Hatch says notifying the privacy commissioner is "several steps down the road," because it takes at least a week for the response team to act, and depending on the size of the organization, two to four weeks to complete the forensic work to determine what happened.
"Employing forensic firms like ours is vital for affected companies because we use advanced tools to find out exactly how the network was penetrated, what the perpetrator did while they were inside and whether they still have access," he says.
At that point, the organization strategizes its reaction and seeks legal advice, Hatch says.
It's becoming an important task not only for the hacked company but also for firms like DFI because "we can't guess about this, we need to know exactly what happened to determine the legal obligations," he says.
"Lawyers need to know what files were accessed," Hatch says, "because not all cybercriminals want to look at everything. The objective of an attack is not always to find confidential information. Sometimes they want to encrypt all the data, shut down the organization and demand a ransom."
Hackers use readily accessible military-grade encryption tools to lock that data, he says.
"It's classic extortion, and they're getting away with it," Hatch says. "There is literally no consequence for doing this. And there is now a defined market of people who broker these deals."
He recalls a case he worked on where the firm paid a ransom through a broker who had dealt with the same cybercriminal on numerous occasions.
"There was no attempt by the hacker to disguise his identity from case to case, proceeding like it was normal business," Hatch says.
DFI investigated to determine what that intruder did while the data was encrypted, and found the purpose was extortion rather than theft.
"We will submit a report, which outlines the ‘fact pattern’ that a legal opinion will be based on," Hatch says. "If the opinion indicates that no data was accessed, the business would not need to notify its clients.
"We highly recommend that companies in similar situations speak to a privacy lawyer to see if they have to report it to the privacy commissioner," he says.
The government will seek information to determine if the affected organization was negligent by not installing effective security measures, and if it took appropriate steps to prevent future breaches, Hatch says.
"We have to remember, these firms are victims of crime, and you can't blame them unless they were flagrantly disregarding their security," he says. "The government is not always going to fine you, especially if you’ve taken reasonable precautions — it wants to see that companies are paying attention to network security.
"The obligations are not so stringent that they should be afraid to abide by the legislation or report to the government," he says. "The government wants to ensure security is being prioritized and one of the ways we change our view is through legislation."