The COVID-19 pandemic has resulted in a sea-change for many businesses by changing work patterns, moving to new corporate structures, and accelerating the process of digitalization. This workplace revolution has been accompanied by a corresponding rise in hackers targeting businesses seeking to breach cybersecurity protections and steal data. We asked Norton Rose Fulbright’s Canadian Technology and Innovation Group leader Imran Ahmad to explain the hazards businesses are facing, precautions they can take to anticipate these threats, and how to respond in case of a breach.
What strategies are hackers using to target businesses, and how can firms minimize their risk exposure to these threats?
Over the past twelve (12) months, hackers have been changing their tactics. Where historically they used to either target data theft or operational disruption (e.g., encrypting data), they are now employing “double extortion” techniques whereby they are stealing and encrypting the target business’ data. The rationale behind this strategy is that even if a business has viable back-ups and can restore systems safely and completely, they may still be incentivized to pay a ransom in an effort to avoid having their data publicly leaked on the dark web.
Another trend we have seen grow in the past year is the rise of “ransomware-as-a-service” (RaaS) which has resulted in a net increase in cyberattacks on businesses. This technique allows various criminal groups to use a pre-built ransomware attack infrastructure to target organizations in exchange for a percentage of any ransom that is ultimately paid. This technique has resulted in an increase of ransomware attacks.
With these threats on the rise, businesses can take two important steps to minimize the likelihood of being a victim of a major cyberattack that will adversely impact their organizations. First, ensure that the business has viable back-ups that can be used to restore systems quickly, completely and securely. There are many types of and methods for backing up systems and data – this should be discussed with IT on a priority basis.
Second, understand what data the business has and where it is kept. Hackers will make all kinds of claims around data theft – some true, others false. In the immediate aftermath of a cyberattack, it can be difficult to assess what information may have been taken and what the business’ exposure may be. However, having a data inventory and knowing where the most valuable or sensitive data is kept can go a long way to speed up the subsequent forensic investigation, and to determine whether any sensitive data (including personal data of employees or customers) was taken.
How can Canadian firms deal with cyber security threats and attacks coming from international sources, and what data protection challenges do Canadians face from cross-border transactions?
Broadly speaking, attackers behind cybersecurity incidents are often located outside of Canada, thereby impeding or delaying criminal action against them. Given the borderless nature of data, cyber-attacks are considered to be borderless crimes.
While attackers may be located in foreign jurisdictions, what they are attempting to exploit is human error or curiosity. The majority of cybersecurity incidents are the direct result of phishing attacks targeting company staff. These phishing emails are sufficiently credible to encourage staff to provide their credentials, inadvertently download malware, or click on a malicious link which subsequently allows the attacker to gain a foothold in the organization’s IT environment and engage in nefarious activities.
Canadian firms can counter these threats by implementing frequent employee training. This measure may seem obvious but remains the most important step that can be taken by any business. Training should be coupled with testing to see how employees respond to company mandated phishing campaigns. The results of these tests should be carefully analyzed and remedial steps should be taken to further train staff in achieving a minimum acceptable threshold.
Beyond the “human factor”, on cross-border deals, firms should be very careful about what data they share with any third party. The moment data leaves an organization’s custody, there is always a risk that it may be accessed or stolen by attackers. To minimize such risk, Canadian firms should conduct a comprehensive risk assessment of the other party’s security safeguards and satisfy themselves that sufficient measures have been implemented to allow data sharing. Further, the contract should provide very specific language ensuring an appropriate level of notification, cooperation, and indemnification in the event of a cybersecurity incident.
What legal options do businesses and individuals have when a data or privacy breach occurs?
First, understand the facts. It is human nature to think of the worst-case scenario. It is worth taking a moment to assess the situation, understand the facts as known at that point in time, and then take appropriate next steps.
Second, if there is evidence of unauthorized access to or theft of personal information, assess whether it meets the threshold of “real risk of significant harm”. Also, determine whether there may be notification obligations outside of Canada.
Third, move quickly and intently to notify affected individuals. If an incident has occurred, speed is of the essence. Make sure it is clear who will be notified, when, in what sequence and by whom. It is at this stage that details matter: whether you have an email or current mailing address for the affected individual, their language of preference, and whether to report the incident to regulators before, after or at the time you notify the affected individuals will all be important to determine.
How much legal liability do firms have in the event of a data breach? How can hacked companies protect themselves from litigation?
There are at least three types of common legal liability that victim organizations should worry about in the aftermath of a cybersecurity incident: (i) class action litigation; (ii) regulatory investigations; and (iii) contractual liability.
Class action exposure typically stems from situations where an organization experiences a cybersecurity incident that results in the unauthorized access to, or theft of, personal information from customers. This is followed by notifying affected individuals. That said, it is not the fact that the organization had an incident which is in question but rather whether the organization responded appropriately given the circumstances. An organization that can effectively demonstrate that it took reasonable steps to prepare for, and respond to, a cybersecurity incident will be in a much better position to respond to allegations by the plaintiff’s counsel.
The same standard usually applies to regulatory investigations. Again, the regulators typically understand that organizations may be the victim of a cybersecurity incident. What they are trying to assess is whether these organizations were generally prepared and if they acted quickly and appropriately. It is the standard of reasonableness which is the key here.
More recently, cybersecurity incidents impacting business partners (upstream and downstream) have increased significantly – especially where the victim organization holds sensitive data belonging to its business partners. While litigation between business partners remains rare, the fact is that the contract between the partners may contemplate significant penalties or indemnification.
The best way to avoid these types of liability is for an organization to be prepared to respond quickly and methodically to a cybersecurity incident. Having a cyber-incident response plan which is regularly tested and which outlines who to contact and when will result in much better outcomes.
How have e-commerce and work from home trends during the pandemic affected cyber security risk, and do you expect these patterns to continue in the future?
When thinking of a business’ IT infrastructure, consider these three key components: hardware, software and data. Attackers attempt to access one (or more) of those three in order to launch a cyber-attack. In this regard, as organizations moved quickly to remote work during the pandemic, attackers were able to exploit one or more of those components. For example, many organizations moved to cloud email rollout but in the interest of time and limited resources, were not able to implement multi-factor authentication. This allowed attackers to compromise a mailbox with only a username and password and conduct financial fraud.
During the pandemic, the number of cybersecurity attacks increased severalfold and has remained high ever since. It is anticipated that the number of attacks will remain high and we may even see an additional uptick once individuals come back to the office physically, as devices may have been infected with latent malware waiting to be exploited.
You mentioned the migration to cloud computing technology. What are the main risks to companies’ data collection, protection, and disposition as a result of this process?
Cloud computing and digital transformation initiatives generally yield positive outcomes such as economies of scale, increased computing power, and innovations. However, businesses should understand that while there are several advantages of moving to the cloud, there are also risks, and therefore experts should be consulted when setting up cloud storage or computing strategies – specifically when it comes to security in the cloud. As a general rule, cloud storage is based on a principle of “shared responsibility” whereby the cloud provider is providing space on its network and the customer is responsible for ensuring the security of such space.
Additionally, as digital transformation continues to accelerate, businesses are collecting and processing an ever-growing quantity of data, including personal information. The risk is that the digital footprint increases and that in turn makes the legal liability risks much more pronounced in the event of a cybersecurity incident. Having a robust data retention policy which is not only in place but implemented and monitored can be extremely effective in reducing the risks associated with the collection of large volumes of data.
Do you have any other insights on helping clients navigate privacy and data protection issues in the legal landscape post/during COVID?
While it is unclear when businesses will “go back to normal”, it is clear that post-COVID, there will be some form of hybrid in-person and remote work. This means that the management of IT infrastructures will become more complex, raising the possibility of attackers taking advantage of any weaknesses or oversights. It will be important for organizations to invest in security on a more frequent basis. Coupled with employee training and awareness of cyber risks, this will go a long way to improve an organization’s cybersecurity readiness posture.
Imran Ahmad is the Canadian head of Norton Rose Fulbright’s technology and innovation industry group and the Canadian co-head of the data protection, privacy and cybersecurity practice.
Imran advises clients across all industries on a wide array of technology-related matters, including outsourcing, cloud computing, SaaS, strategic alliances, technology development, system procurement and implementation, technology licensing and transfer, distribution, open source software, and electronic commerce.
As part of his cybersecurity practice, Imran works closely with clients to develop and implement practical strategies related to cyber threats and data breaches. He advises on legal risk assessments, compliance, due diligence and risk allocation advice, security, and data breach incident preparedness and response.
In addition, Imran often acts as “breach counsel” in the event of a cybersecurity incident, such as a data or privacy breach, and has extensive experience in managing complex security incidents and cross-border breaches.
In his privacy law practice, he advises clients on compliance with all Canadian federal and provincial privacy and data management laws, with a particular focus on cross-border data transfer issues and enterprise-wide governance programs related to privacy.