Canada: Cyber Security: What The Hack?

The cyber security risk

Although businesses have been ramping up their information security systems, the pace of cyber security breaches is not slowing down. One study estimates that cybercrime will cost businesses $2.1 trillion globally by 2019. And, as recent security breaches have taught us, a security breach can have reputational, moral, and deeply political complications. The 2014 hack of Sony Pictures cost the company $100 million, derailed plans for the distribution of a movie concerning North Korea, and raised ethical questions about the appropriate response to cyber terrorism.

On top of this, businesses will soon face stricter legal requirements around the disclosure of security breaches in Canada. New rules regarding the mandatory disclosure of security breaches were approved by Parliament in June 2015 and may come into force at any point. The Digital Privacy Act amends the Personal Information Protection and Electronic Documents Act and requires that an organization report any breach of security safeguards that reasonably creates a real risk of significant harm to an individual. Notification must be made to the Privacy Commissioner and to the individual involved. Significant harm under the statute includes financial loss, bodily harm, damage to reputation or relationships, and loss of employment, business or professional opportunities.

Cyber security breaches and their associated financial, reputational, and regulatory risks are here to stay.

Insurance as part of the solution

While the key to managing cyber security breaches will always be to implement strong data protection systems, cyber security insurance is becoming a popular way to address the financial consequences of cyber security breaches. A cyber security policy insures against risks to a company’s information technology and data assets, and leaves the insurance company with the uncertainty of actual damages in the case of a breach.

In the context of M&A, the problem with cyber security risk is valuing and allocating risk among parties. Similar to reps and warranty insurance (which we discuss here), cyber security insurance allows a company to allocate risk by transferring some to the insurance company and leaving the buyer and seller to allocate any remaining risk that falls outside the policy. Cyber security insurance is also valuable before M&A. Having a policy in place may help ease concerns of acquirers as the insurance would cover security breaches that may have already occurred prior to closing but have yet to materialize. This has been found to hold true in jurisdictions that have data breach notification laws like the ones currently pending in Canada. Coverage can be a standalone product or can be built into existing policies such as business continuity insurance or supplier chain insurance.

Cyber security risk represents a new and significant risk to businesses. Simply being aware of this risk is critical in an M&A deal. Once recognized, however, placing appropriate security measures, conducting IT due diligence, and allocating risk by way of negotiation or insurance will help all parties cut through data breach uncertainty and settle material issues efficiently.

Norton Rose Fulbright Canada LLP

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Companies turn to cyber insurance after Ashley Madison and other high profile hacks

In the wake of the Ashley Madison hack and other high-profile data breaches, Canadian companies are turning to so-called cyber insurance to protect themselves from the fallout of data leaks.

In July, adultery website Ashley Madison made headlines after hackers broke in to the company’s network and leaked customers’ personal information, including their messages to other members and sensitive financial data.

The ensuing class-action lawsuit – and founder and CEO Noel Biderman’s decision to step down in late August – were the latest in a series of incidents that experts say represent a wake-up call for executives about the real-world consequences of digital vulnerabilities.

Duncan Stewart, director of technology research at Deloitte, said the past year has seen a surge in awareness about cyberattacks, and companies are turning to insurers to prepare for what seems an inevitability in an increasingly interconnected world.

“The number of attacks are rising, the severity is rising, and when they come, they’re more difficult to deal with,” he said.

There is no legal requirement for companies to report a hack in Canada, making the true number difficult to determine, but security company Websense said in August 2014 that 36 per cent of Canadian businesses had observed a breach in their IT security in the last 12 months.

In a KPMG survey of Canadian property insurance executives, data security even beat out unexpected catastrophic events as the third-biggest risk facing Canadian companies in 2015 after regulatory burdens and low interest rates.

Stewart compared significant breaches like the Ashley Madison hack to automobile collisions that result in a total write-off, yet he said companies also require coverage for the small attacks and fender-benders of cybersecurity that happen far more often.

Insurance against cyberattacks is now just a part of the cost of doing business, he said.

“You wouldn’t have a factory and not have fire insurance, so why would you think about not having cyber insurance?”

Technology analyst Carmi Levy said in an email that insurance providers are stepping in to meet the needs of companies as they find themselves handling more and more data on behalf of their clients and suppliers.

“In the process, they are increasingly liable for what happens when hackers manage to break in and snag some of that data,” he said.

Insurance expert Paul Kovacs, president and CEO of the industry-funded oversight body PACICC, said insurance companies are expanding their offerings to provide more than just compensation and protection from liability in the event of a cyberattack.

“When this happens, you are going to need professional help with communications, with forensic investigation, with restoring your systems and putting the protections back in,” he said.

Kovacs pointed to the example of Sovereign General, part of the Co-Operators Group, which offers coverage for privacy breaches, business interruptions, extortion, and data recovery stemming from a cyberattack, as well as crisis management services.

He said companies and organizations used to dealing in sensitive information, such as hospitals and financial institutions, were among the first to become targets and have developed comprehensive cybersecurity policies.

Yet what used to be a concern just for the obvious targets is now a business risk for almost everyone, he said, and it’s not just customer data that’s at risk.

In July, security company Symantec issued a report detailing the “Butterfly” hacking group that it said is responsible for at least 40 attacks since 2012 meant to steal trade secrets and industrial data in order to sell it to the highest bidder.

Kovacs said industrial espionage is spreading out from the large companies that have long been in the crosshairs as hackers become more sophisticated.

“Now, they’re still going after the big companies but they’re going after the mid-size companies and even some relatively small companies,” he said. “The threat is spreading.”


Hard drive with personal info on 3.4 million B.C. and Yukon students lost

A team of 50 bureaucrats spent much of the summer rummaging through boxes in a secret Victoria warehouse, searching for a hard drive containing records of 3.4 million British Columbia and Yukon students and teachers, some dating back almost 30 years.

Extensive physical and electronic searches came up empty, and on Tuesday the B.C. government officially declared the unencrypted hard drive lost.

Technology, Innovation and Citizens’ Services Minister Amrik Virk said the province’s chief information officer will review the government’s management of personal information.

He said information and privacy commissioner Elizabeth Denham will conduct her own review.

Virk said there is no indication that data from the lost hard drive has been accessed or used, adding he believed the risk to individuals was low because the data does not contain social insurance or driver’s licence numbers or financial or banking information.

But he said he was concerned the hard drive had disappeared.

“This should not have happened. Any time personal information may be at risk, it is a cause for concern,” Virk told a news conference.

“I’m troubled to have learned that government is unable to locate the backup hard drive that contains a variety of reports, data and information.”

He said data from 1986 to 2009 contains names, grades, postal codes and personal education numbers. It also includes potentially sensitive information about children in care, teacher retirements and graduation dates for cancer survivors who participated in a research project.

From the years 1991 to 2009, the hard drive contains more detailed information on 3.16 million people, including each student’s full name, birth date and home address on their Grade 12 transcript.

The government said a second file on 1.8 million students from kindergarten to Grade 12 contained data on special needs status of students, including intellectual difficulties, physical disabilities or chronic health impairments.

Yukon students write B.C. exams and are taught the province’s curriculum. The province and territory have an agreement to store Yukon student data.

The drive also contains a list of children under custody orders and those involved with the Ministry of Children and Family Development, including health and behaviour issues, participation in intellectual disability programs and adoption status.

The Education Ministry discovered the drive was lost while reviewing records to ensure compliance with data-storage standards.

Jim Iker, president of the BC Teachers’ Federation, said the data breach impacts students, parents and teachers.

“This is such a serious breach of security,” he said in Victoria. “The biggest impact here is on our students and those students who are now adults, and some of those adults could be teachers, and there’s all sorts of information about them that shouldn’t fall into the wrong hands.”

Opposition New Democrat education critic Rob Fleming said British Columbians need more answers from the government about how the information disappeared.

“Now we have disturbing details that at an unsecured location, in an unsecured server, three and a half million files are now potentially in the hands of someone who could use it.”

Virk said residents can call Service BC, a government information line, to find out if their information was on the drive.


In wake of Ashley Madison data release, experts warn of risks related to online personal data

By Bree Fowler


NEW YORK - The Ashley Madison hack is a big reminder to all Web users: If you submit private data online, chances are it will never fully be deleted.

The hackers, who stole the data about a month ago and then posted it online this week, claimed in a statement that part of the reason for the theft was Ashley Madison’s fraudulent promise to fully delete users’ information if they paid the company a $19 fee.

The website whose slogan is “Life is short. Have an affair” is marketed to people looking for extramarital relationships. It purports to have about 39 million members.

The hackers said the company failed to delete the information, even though it collected the fees. Toronto-based Avid Life Media Inc., Ashley Madison’s parent company, hasn’t commented on the hackers’ accusation. A company spokesman didn’t respond to multiple emails seeking comment.

It’s virtually impossible to exist in modern society without putting at least some personal information online. Many people can’t get through a day without using the Internet to shop, pay a bill, or check their credit card balance.

People have become accustomed to trusting their most precious personal information to companies. But they also need to know that all of that information is being shared more than they would expect, privacy experts say.

Before you hit “submit,” stop and think before giving up your personal information to any kind of website, said Michael Kaiser, executive director of the National Cyber Security Alliance, an industry-funded group that educates consumers about cybersecurity.

“Personal information is like money, and you don’t just give away your money,” Kaiser says. “In the environment we’re in right now, you have to value it and think about protecting it everywhere you go on the Internet.”

That means taking a look at a website’s business to get an idea of how much they value information security and even asking them about their data retention practices. Banks, which deal in financial information, and large retailers, who have a vested interest in getting people to shop online, are probably safer bets than a dating site.

“Ashley Madison actually charges you to remove your information when you remove your account,” he says. “That’s a big clue about how they feel about your personal information.”

People also need to sometimes take a pass on convenience in the name of online security.

Many consumers like it when e-commerce sites have their credit card and other information on file, or when Web browsers automatically fill in forms with their name, address and other details, says Peter Tyrrell, chief operating officer of the data security firm Digital Guardian. Meanwhile, worries about data theft and loss have prompted companies to back up important information in multiple places.

But both practices increase the likelihood that information could be leaked or shared. And it means that even when a person thinks that their information has been permanently deleted, chances are there are still copies floating around somewhere.

“Ashley Madison is a company with a service that’s completely predicated on privacy,” Tyrrell says, adding that that characteristic sets it apart from many traditional e-commerce sites such as retailers.

“Here the capital, so to speak, isn’t a credit card or consumer goods. The capital is personal information that if released could be ruinous personally, and financially too.”

Breaches, whether they be at a major retailer such as Target Corp., a health insurance company such as Anthem Inc., or Ashley Madison, have become so common that people should give some serious thought before putting personal information online, says Caleb Barlow, a vice-president at IBM’s security division.

And while Social Security numbers weren’t involved in the Ashley Madison hack, people should be especially wary of using them as a backup password to access online information, given the potentially disastrous consequences that could result if they’re intercepted, he says.

“Why are we using Social Security Numbers for both identification and access?” he questions. “Any data that can never be changed can be used for identity, but should never be used for access.”

And no matter how legitimate a company or website may be, people need to be aware that they’re rolling the dice every time they hand over personal information.

Scott Vernick, partner and head of the data security and privacy practice at the law firm Fox Rothschild LLP, says consumers have the right to expect a certain level of online security, depending on the industry standards of the company they’re dealing with.

“But those expectations have to be muted by the knowledge that they’re always taking a risk, whether they’re ordering from Amazon Prime or from Ashley Madison,” Vernick says.



