Cybersecurity Liability Comes to the Boardroom

Liability for data breaches is no longer isolated to the IT department. Lawyers, executives and boards of directors are scrambling to provide protection and manage risks for cybersecurity

There are two
types of large companies in the United States, according to FBI Director James Comey: those that have been hacked by the Chinese and those that don’t know they’ve been hacked by the Chinese.

Anyone who thinks it’s a different story in Canada might be interested to know how many cyberattacks the government of Alberta faces every day. We’re not talking Home Depot, which saw 56-million debit and credit card accounts compromised when a vendor had a password stolen last year, or Target Corp., which held the financial data of 40-million people when it was hacked. We’re talking Alberta – four million residents, some not old enough to have their own credit cards – hardly a global giant.

Yet the government of Alberta faces an average of 500 cyberattacks a day across 200 websites. Presumably, those are just the ones it knows about.

With computers so wired into the DNA of doing business that they have become nearly invisible, those who would break in to steal an organization’s most valuable information are increasingly finding a back window left unlocked.

“It seems like every two to three days now we are learning through the media of data breaches at one level or another and it can be a nightmare for the company,” says Ira Nishisato, a partner at Borden Ladner Gervais LLP in Toronto. “Hyatt, eBay, Dairy Queen, Sony, Kmart, Neiman Marcus, JPMorgan, Home Depot, Target, the list just goes on and on.”

In Canada, that list would start with AshleyMadison.com, with hackers dumping 10 gigabytes of data on to the Internet in August, providing personal information including real names and email addresses of at least 273,000 formerly anonymous Canadian users.

A group called the “Impact Team” claimed responsibility, saying although the company promised to wipe customers’ data from the site for a $19 “Full Delete” fee, it hadn’t. “Full Delete netted ALM $1.7mm in revenue in 2014,” the group said in a statement, calling it “a complete lie.”

Bell Canada was also caught in a hack, with 22,421 customer user names and passwords posted on the Internet last year when a third-party supplier’s IT system was breached. The RCMP charged a 15-year-old Quebecer believed to be a member of NullCrew, a hacktivist group that blamed Bell for “leaving clients’ credit card information in unencrypted/raw format.”

The fact that anyone from a fired-up teenager to a foreign government may be able to access a company’s most closely guarded secrets has transformed one of any organization’s most valuable assets – its corporate data – into one of its most deadly potential landmines.

The ramifications of being hacked are swift and the after-effects long and costly. Target was hit with more than one hundred lawsuits just in the US.

Earlier this year the company offered US$10 million to settle with customers who filed a class action. While it is believed to be among the first settlements ever by a retailer for claims that its lack of security led to foreseeable losses, no one thinks it will be the last.

Hacking for profit is big business. It’s estimated that more than two million of the credit and debit card numbers lifted from Target were successfully sold on the black market for an average of US$27 each.

Can a company install the cyber equivalent of steel bars around its data? Not really. Some days, hackers seem to be able to find new holes in systems as fast as companies patch the old ones.

That’s moved the issue of cybersecurity from the IT department into the boardroom and into the lawyers’ offices.

 

Once the stuff of fiction, hack attacks have become the stuff of daily headlines as C-suite executives and boards of directors grapple with how to provide adequate protection.

Whitelisting, patching applications, operating system vulnerabilities and restricting administrative privileges are matters officers and directors suddenly need to be concerned about.

“In the US there are a number of class actions brought against the boards and directors personally – personally – for failing to have taken the necessary steps to protect the company,” says Nishisato. “One thing that is certain about litigation is that trends begin in the US. So if you see claims of that sort in the US it’s entirely reasonable to expect that they’ll be brought here.

“This is a situation where the obligations on directors have increased because, at the end of the day, they will be held accountable. Cybersecurity today is as much a legal problem as a technical problem.”

Professor John Coffee of Columbia University’s law school in New York has predicted cybersecurity suits are going to become a “regular constant area of litigation because these hacker attacks are not going away.

“I think we’ll see boards of directors put security as their number-one priority. I know for a fact this is the area most boards think they face the greatest exposure.”

The risk of cyberattacks, and how that risk is being managed, has become a matter of disclosure for publicly traded companies, says Steve Tenai, a partner at Norton Rose Fulbright Canada LLP in Toronto.

“The reason it’s a board issue and not an IT issue is because regulators, including the OSC and the SEC, recognize cyber risk as a risk that needs to be assessed and needs to be considered as part of the board’s oversight,” he says.

“The other reason is because when there is a breach, there’s not just the reputational and cost consequences to the organization. In some of the larger breaches, we’ve seen people targeting the board and senior management through derivative litigation, shareholder class actions, or with institutional shareholders or groups who use the occasion to suggest there be a change.”

Target’s holiday-season data breach, for example, led to the resignation of the CEO and a shareholder challenge to the board.

“It’s got the attention of regulators and it’s got the attention of shareholders,” says Tenai. “There’s a lot more attention focused on the board and the risk and the controls being used to manage it.”

If the company has any part of its business in the cloud, that board scrutiny needs to be just that much higher.

 

With the amount of data companies now store, many quickly reach a crossroads: Do they spend the money to store and maintain their own data, possibly their own data centre, or start using a cloud service provider?

For all but the wealthiest, the cloud option is the obvious answer.

“Very often when a company starts looking at cloud solutions, the first question that comes to mind is: ‘How fast can we sign up and why didn’t we do this yesterday?’” says Paul Armitage, a technology and IP partner at Gowling Lafleur Henderson LLP in Vancouver. “There’s this overwhelming overriding business proposition behind these decisions to procure cloud solutions.

“That can cause companies to put a lot of considerations they might normally think about when acquiring computer systems or software right out of their minds.”

Moving to the cloud can potentially expose the company to the risk of cyberattacks many officers and directors never dreamt of, says Lisa Abe-Oldenburg, associate counsel in Miller Thomson LLP’s Markham, Ont. office.

“There are a lot of vulnerabilities, not just in the services themselves but even in how the service is accessed, in the interfaces or portals that are used to transfer your information back and forth with the cloud service provider,” she says. “There’s been a lot of research on how virtual machines could extract cryptographic keys that are on the same server.

“There are multiple tenants in a cloud service and if there’s a flaw in one application, it could allow an attacker to access not just one client’s data but other clients’ data as well.”

Cyber criminals are also using cloud computing to launch so-called botnets – also referred to as zombie armies – which piggyback on a corporation’s computers to spread viruses, install malware or deliver spam without the company being aware of it, she says.

And the cloud’s not just for storage anymore. Popular new applications are being developed and sold and hacked.

Companies can now sign up for personalized infrastructure, for example, that allows them to install operating-system images and their own application software on the cloud infrastructure. They can also use full cloud-based platforms that provide access to an operating system, a programming-language execution environment, databases and web servers.

Abe-Oldenburg says these newer areas are the ones being targeted.

She calls the climate around cybersecurity in the cloud “very scary” right now and says many businesses don’t seem to take the time to do proper due diligence, which is a big mistake.

“The reason criminals are actually using cloud computing is because many of the cloud services are relatively anonymous,” Abe-Oldenburg says. “Pretty much anyone with a credit card can sign up and the registration models don’t vet who their customers are. They could be letting criminals access their servers.”

While there is no way guaranteed to prevent attacks, she says, clients should be strongly advised to do a really thorough due diligence and make sure the cloud provider they choose is adhering to specific and auditable security standards.

“People don’t spend enough time drafting the security standards in a lot of these agreements, which often just talk about ‘the cloud provider shall use industry best practices’ or ‘commercially reasonable measures.’ What does that mean?

“Sometimes, as lawyers, we need to advise our clients that they should be doing proper risk assessment and understanding what the standard level should be. They may need to hire an outside consultant to advise on those types of technical issues. They certainly shouldn’t be overlooked.”

Kirsten Thompson, counsel in the National Technology Group at McCarthy Tétrault LLP in Toronto, says there are also physical considerations to take into account when you’re talking about cybersecurity, starting with where the cloud provider’s own servers are located.

“It’s popular to locate them in the Nevada desert but there can be issues with fault lines or fire. In Canada you’ve got other issues, in winter it’s cold and power supplies can be cut. Servers are real physical things, so you want to know who has access.

“Also, increasingly server farms are becoming targets for terrorist threats and hacktivists. Hacktivists generally go online but you can see that moving to infrastructure as well.”

Cyberattacks generally fall into one of a few categories. There’s hacking for profit, hacking for identity theft, hacking for espionage and hacking for the sheer glee of embarrassing an organization that’s done something someone disapproves of think of Sony, or the paralyzing denial-of-service attacks on the government of Canada websites.

For those who would hack for financial gain, companies that accept payments are the low-hanging fruit.

Trustwave Holdings, an information security group, investigated 574 incidents of compromised data last year. It says 43 per cent of attacks involved retailers, 13 per cent food and beverage companies and 12 per cent businesses in the hotel and hospitality sector.

George Pollack, a litigator at Davies Ward Phillips & Vineberg LLP in Montréal, says many people who deal in credit card information don’t realize that if their servers are hacked, aggrieved customers may end up being the least of their worries.

“The biggest problem they’re going to have to deal with if they have a data breach is not dealing with the class actions that inevitably ensue and it’s not dealing with disclosure requirements,” he says. “The biggest problem they’re going to face is dealing with the credit card brands and that often comes as a surprise. The credit card companies are very, very, tough.”

Over the years, card companies have fined businesses in the tens and hundreds of millions of dollars in connection with data breaches.

In Canada, ALDO Group got into a dispute with MasterCard following a data breach the credit card company said traced back to cards used at the shoe retailer.

MasterCard said ALDO had breached a number of data security obligations an allegation with financial implications. ALDO countered that while malware had been installed on its system, forensic tests showed its firewall was strong enough to withstand the attack and no data had actually been compromised.

MasterCard debited Bank of Montreal, the MasterCard member, for US$4.93 million following the attack. Two days later, ALDO’s accounts were debited by Moneris, the payments processor used by the bank, by the same amount. ALDO filed a lawsuit accusing Moneris of, among other causes of action, failing to act in good faith and MasterCard of unjust enrichment.

While the proceeding is no longer active, a decision on jurisdiction that forms part of its legacy may prove significant to other Canadian retailers that find themselves in a similar predicament.

MasterCard requires payment processors to sign a contract that stipulates all disputes will be governed by the law of New York State and litigated there. Processors must also waive any claim of lack of personal jurisdiction, improper venue and forum non conveniens.

ALDO challenged that in an Ontario court, saying it was not a party to that contract with MasterCard and has every right to litigate where it chooses.

The court agreed, as did Ontario’s Court of Appeal, which said: “Whether ALDO’s pleaded claim succeeds is a matter for merits adjudication, but its essential character does not require that it be litigated in accordance with the New York forum selection clauses.”

The Supreme Court of Canada declined to hear an appeal.

Pollack, who acted for ALDO but declined to discuss specifics of the case, says the best way to try and avoid a problem is to stay far out in front of cybersecurity. “I’d periodically have somebody come in and try and test how vulnerable my systems are and to what extent I am in compliance with PCIDSS [the Payment Card Industry Data Security Standard].

“The cards require that merchants undergo periodic audits but the potential for harm is so significant that I would recommend high-volume merchants do their own spot checks, check the robustness of their own systems.”

He also suggests clients sit down with a good public-relations firm – before there is a problem – and have a communications strategy worked out.

“If this becomes public, experiences show that loss of consumer confidence can be as much of a problem, if not more, than the actual financial outcome of a data breach.”

The actual financial outcome, starting with the cost of remediation and regaining public trust, can still be pretty brutal.

 

JPMorgan chase servers were hacked last year, compromising the names and emails of 76-million personal account-holders and seven million businesses. While it’s believed no financial information was compromised, the bank pledged to enhance its security with measures that will reportedly cost US$250 million a year and require a team of one thousand people.

Home Depot has said it expects to spend about US$62 million this year to recover from its hack, including costs for call-centre staffing and legal expenses.

Then there are the lawsuits. There hasn’t exactly been a tsunami in Canada so far, more like a trickle.

Lyndsay Wasser, Co-chair of the Privacy Group at McMillan LLP in Toronto, says everyone should brace for more. “It may just be that the plaintiffs’ Bar in that particular area isn’t as developed here but we’ll see them. We’re starting to see class actions in the privacy domain and there’s no reason that wouldn’t apply to breaches.”

In fact, when the Ashley Madison hack occurred, a $760-million Canadian class-action lawsuit was filed within two days, making news in Time Magazine.

In the past, says Wasser, some companies have been reluctant to spend on areas like data security “because companies haven’t seen it’s costing them a ton of money to put off thinking about it.”

Perhaps not for much longer.

More are investing in privacy and security “because it’s all over the news. The legal fees associated with this type of negative publicity and class-action lawsuits… companies are really starting to pay attention.”

There is no legal standard for liability in the case of a breach, she says, instead, “it’s always fact-driven, and it’s going to depend on the sensitivity of the information and the reasonableness of the expectations the information relates to.”

Tenai at Norton Rose says hacking methods are simply changing too fast to draw a bright line. “It’s not one of those things where we turn our minds to it so we never have to look at it again. Things are constantly evolving, and the risks are constantly being changed in the sense hackers are making strides and using different things. What the regulators are live to is that this is a reality in any organization. The degree to which it can be material varies, but the risk is there and you have to be paying attention to it.

“The regulators are sending the message that this is part of our landscape, and we have to deal with it.”

To the extent clients need further convincing, he points to a US decision in Wyndham Worldwide Corp. and its directors, who were sued last year for an online data breach that led to hackers obtaining personal and financial information.

A New Jersey federal court dismissed the case, noting that the Wyndham board had met and discussed cyberattacks, security policies and proposed security enhancements 14 times during the relevant time frame, and that the audit committee had reviewed the topic at least 16 times.

It’s vital to keep cybersecurity on the board’s agenda and minutes, stresses Armitage at Gowlings. “Corporate boards are under a legal obligation to protect the assets of the company, so that would include the data assets. They absolutely have a role to play in ensuring their assets are adequately protected and that would include while their data is in the hands of cloud providers. So there’s definitely a role for board oversight.”

Armitage also advises his clients to look into cyber insurance if they don’t have it, which can help cover the cost of dealing with regulators, disclosure requirements and third-party services that help consumers deal with identity theft.

Those using cloud services also need to examine the provider’s insurance, he cautions. “Cloud providers typically have hundreds of thousands of clients so even if they have cybersecurity insurance, as a practical matter if they suffer a security breach that costs a company on average $5 million, and the cloud provider has a thousand customers affected by the same breach, that’s a $5-billion loss and they won’t have $5-billion worth of insurance.

“So if you’re a customer, you can’t get a false sense of security out of the fact your cloud provider has cybersecurity coverage.”

If protecting clients from the effects of cyberattacks causes them trepidation, Abe-Oldenburg says that’s not a bad thing.

“If reading about this puts fear into people’s hearts, that’s okay. It’s important to get them to take action, to make sure they’re looking in the right places and getting the proper advice.”