Bracing for the Breach

George Takach, McCarthy Tétrault LLP
It’s a sign of the times we live in that when I speak to clients about “future data breaches,” we no longer use the word “if” but rather the more certain “when.” Alas, it really is just a question of time before your business joins the ranks of many others that have experienced a data breach.

The reasons for this state of affairs are fairly obvious. To begin with, virtually all information today is in digital form and stored in a computer somewhere. Ironically perhaps, the old practice of recording data on paper, and keeping the paper in locked filing cabinets, was actually quite a safe environment from a data theft perspective. Nowadays, not only is the data digital, but the computers are all networked together and plugged into the Internet. Indeed, if you were a criminal and wanted to design a system vulnerable to your bad behaviour, today’s Internet-enabled world is pretty much your nirvana.

Of course, we have technical measures that attempt to thwart the cyber-hackers and data thieves, but they all have their limitations and shortcomings. And computer users today don’t help themselves either. Studies show the most popular passcode today is “123456” — so we’re not exactly talking super strength cryptography!

As a result, data breaches are becoming inevitable. In the current environment, moreover, it’s likely that a material data breach today will be followed by one or both of the following types of litigation being brought against your organization. One will be a class action brought on behalf of all customers (or other users of your website) and other persons adversely affected (or potentially affected) by the breach. The second, if your company is listed on a stock exchange and your share price dropped on news of the data breach, will be a lawsuit on behalf of shareholders alleging that your company’s disclosure on cyber-risk was inadequate or misleading.

These types of litigation are expensive — and not just in terms of settlement payouts, legal costs and the significant management time and distraction. The reputational harm can also be very important. So, what steps can you take now – before the data breach – to reduce the fallout from this risk? The good news is that there are some practical, discrete actions you can do right away, in advance of the incident. They won’t bring the risk to zero — but they will help materially manage the risk.

Pre-breach Public Disclosure

If you are with a public company, you should be providing reasonable disclosure about the risk of data breaches in your prospectuses, annual information form, and other continuous disclosure documents. In Canada, the instructions to Form 51-102F1 (Management Discussion and Analysis) require a discussion of risks that have, or could have, impacted financial statements, which would encompass many data breach situations.

In the United States (where many Canadian companies trade publicly), the SEC has published guidance for cyber-security risk disclosure, which could include: aspects of your business that give rise to material risks for data breaches; the degree to which you outsource those risks; a description of previous data breaches; particular risks if the breach incident is undetected for a period of time; and any relevant insurance coverage.

In contemplating your approach to data breach risk disclosure, of course keep in mind that you don’t want this disclosure to ironically assist the bad guys who are planning to unleash the cyber-attack against you — so, care and judgment and legal review need to inform this disclosure.

Board Oversight

Your board of directors has an important role to play in your data breach preparedness program. Last year, SEC Commissioner Luis Aguilar spoke to the New York Stock Exchange about cyber-security risks in the boardroom, noting that cyber-security incidents have become more frequent and sophisticated, and also more costly to companies. He emphasized the role of boards, noting that “ensuring the adequacy of a company’s cyber-security measures needs to be a critical part of a board of director’s risk oversight responsibilities.”

Courts have also begun to consider the role of individual directors in managing cyber-security risk. Recently, an American court dismissed a shareholder derivative suit that sought damages from the directors and officers of a public company for several data breaches. This is the first decision issued in the United States in a shareholder derivative claim arising out of a data breach. The decision provides examples of approaches to data breach risk oversight that directors and officers may implement to help shield them from liability in the context of a data breach.

The following sets out some examples of steps that could be considered by managers and directors in identifying and assessing an organization’s cyber-security risks. First, adopt written cyber-security policies, procedures and internal controls, including when and how to disclose. As well, implement methods to detect the occurrence of a cyber-security event.

Second, management and board members should discuss the appointment of a chief information officer or perhaps a chief information security officer with the requisite expertise, who would then meet regularly with and advise the board. Equally, consideration could be given to appointing a board member with cyber-security expertise and experience, and to appointing an enterprise risk committee.

Third, the board should review annual budgets for privacy and IT security programs. The board should receive regular reports on breaches and cyber-risks. As well, directors should have a clear understanding of who in management has primary responsibility for cyber-security risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices.

Fourth, the role of insurance needs to be explored. There are now a range of insurance products addressing cyber-risks. Accordingly, consideration should be given as to which risks are to be addressed and mitigated directly and which may be transferred through insurance.

Finally, as part of the board’s risk-management mandate for data breach preparedness, organizations should consider related regulatory guidance. For example, if you have operations in the United States, you may have to deal with the Federal Trade Commission from a general privacy regulatory perspective; in Canada, the equivalent would be the Privacy Commissioner in Ottawa (for federal privacy law) or provincial counterparts in BC, Alberta, Manitoba and Québec. And if your organization uses payment cards, you need to be current on guidance in this area from the Payment Card Industry Security Standards Council, and particularly its PCI-DSS requirements.

The key point here is that the ability to demonstrate in any subsequent litigation that you discharged all the requisite “standard of care” (and therefore are able to mount a robust “due diligence defence”) will hinge on whether the organization employed best practices, as found in regulatory pronouncements.

Legal Components

Another pillar of your risk-mitigation strategy will depend on creating, and regularly updating, a robust data breach preparation plan (the “DBPP”). The DBPP should cover a number of operational items. But it should also address the following legal considerations.

The first step in addressing legal considerations in and around your DBPP is to evaluate your organization’s risk profile regarding data breaches. In doing so, certain questions must be asked. One is whether the organization is in an industry with a regulatory framework that dictates certain cyber-protection measures. (An organization in the financial services industry in Canada, for example, will have to comply with existing and emerging regulations promulgated by OSFI, IIROC, and CSA.)

Other questions to consider may include the following examples:

Does the organization do business in multiple jurisdictions? Where is it collecting, processing, and storing data? Is the organization a private company, or a public company with many shareholders and subject to stock exchange oversight? Will the organization be handling personal information or personal health information? If so, existing and evolving privacy protection laws will come into play. If an IT solution has been contracted for, is it B2B or B2C? And will the IT solution involve third-party components, such as hosting or payment providers?

In order to craft a legally sound DBPP, you need to understand your IT environment and, in that regard, the ecosystem of vendors who have access to your own IT systems and organizational data. The following questions regarding vendors serve to illustrate some of the primary concerns that should inform this stage of legal due diligence:

What is the state of the vendor’s security framework? What policies and procedures does it have in place to maintain the integrity of the framework? Will the vendor permit penetration testing and other exploration of vulnerabilities? Are the vendor’s facilities audited for industry-recognized internal controls? Does the vendor perform internal audits, and is it willing to share the results with you? Where are the vendor’s service delivery centres? Where does it process and store data? What data breach risk insurance does the vendor carry, and has it made any claims in the past five years?

Having assessed your organization’s legal risk profile for data breaches, you can now proceed to craft an appropriate DBPP with the other departments and units of your organization. As for what should be in the DBPP, and how you should handle an actual data breach when it arises (note, again, not if but when), to those important topics we turn in our next column.

George Takach is a senior partner at McCarthy Tétrault LLP and the author of Computer Law.
