Legal Words
HR Professional

By Justine Laurier


Cybersecurity is a growing concern for all

A simple fact of modern business is that data is everywhere: of all information created today, 98 per cent is stored electronically. This increase in electronically stored information has brought business advantages and ease of access, but with it comes a growing threat of data breaches and cybersecurity violations through attacks on information technology systems. According to a PwC survey, the global cost of these breaches was an estimated USD$23 billion in 2014.


Apart from the challenges this poses from a public relations perspective, the legal fallout is often much more important and potentially devastating to the companies involved. The disclosure of confidential information about the company and that of its employees and clients, breaches of privacy and infringement of intellectual property rights can have dire consequences. It is clear that cybersecurity has become a growing concern for both public and private sector organizations.


Learn from the mistakes of others
In one of the most eye-catching cybersecurity breaches of 2014, Sony Corporation became the victim of a crippling cyber-attack that made supposedly secure and confidential information publicly available. Private employee information, such as pay slips and social security numbers, and confidential corporate information, such as salary schedules, unreleased movies and movie scripts, were offered for free download on peer-to-peer data-sharing networks.


The fallout for Sony was enormous: several costly projects had to be abandoned, several high-level executives had to publicly apologize and social media erupted in negative comments. Adding insult to injury, no fewer than four separate class actions by disgruntled employees have since been filed in the U.S., causing a serious financial liability to the company. Some of the allegations in the lawsuits indicate that the company had, in recent years, been breached several times on a smaller scale and did not learn from those experiences. No adequate changes had been put into place: the information was not stored in a properly encrypted format; too many people had access to confidential information; and the passwords of the employees were weak and stored in a list that was, unsurprisingly, one of the first targets of the cyber-attack.


Perhaps even more surprising is that the data breach at Sony was not even the largest of 2014; it ranked a meagre 33rd. In May 2014, eBay suffered the biggest attack of the year: an estimated 150 million records were breached and placed online, including the personal information (email, passwords, sales history) of all eBay users.


Prevention is key
The Internet, an undeniable asset in a globalized economy, poses a serious risk to the companies that use it without care. As reported by The Globe and Mail, in 2013, 36 per cent of enterprises in Canada experienced at least one form of security breach. While it’s the hacking of large companies that makes the headlines, in reality it’s small and medium enterprises of fewer than 50 employees that are most vulnerable and most often fall victim to cyber-attacks. So, what should a responsible company do to avoid data breaches in the first place, and, once a breach is discovered, to limit the legal and financial fallout?


The first step is simple: realizing that no matter how large or small your company is, no matter the industrial sector you are active in, the company is at risk. Public outcry is magnified through social media, criminal capabilities grow and the legal ramifications are potentially devastating. These issues cannot be seen as just a problem for the IT department; they are company-wide issues. Simply put, it has become too risky and too costly to close your eyes to the risk, and to clean up afterwards.


The second step is less self-explanatory: a robust IT and data protection policy should be put into place no matter the size of the company. While data encryption and firewalls should be among your first investments, it cannot end there. As more and more companies provide laptops, tablets and smartphones to their employees, the loss of these devices poses an increasing security risk. All employees should be made aware of the risks of using (and losing) such a device, so that the company can take swift and decisive action as soon as a potential breach is discovered.


Include employees in fighting cyber-attacks
Your employees should be educated about what information is confidential and why, and especially the potential fallout of a breach of that confidentiality.


Recent studies indicate that only 60 per cent of Canadian enterprises have a policy on data protection. This in itself leaves them vulnerable. A company-wide confidentiality policy should therefore be devised, emphasizing the need for employees not to copy confidential information, use it for personal purposes or circulate it in any way (including on a social media platform), and to limit the possibility of data breaches. As a result, the company as a whole is made aware of the importance of cybersecurity, and employees will be well placed to recognize cyber risks and notify the company promptly.


Prioritize timelines
A responsible company should think of having a containment plan in place, in case things do go awry. The risks of regulatory action, class action suits and the preservation of the organization’s reputation – and in extreme cases, the organization’s existence – all depend on the steps taken in the very first few hours (not days) to contain the situation, mitigate the damage that has been done, fix the problem and get the organization up and running again. It is therefore essential to have a containment plan and, where needed, experts should be called in as soon as possible to minimize the negative consequences of the data breach.


Are you ready to counterattack?
It may seem impossible to prevent a massive cyber-attack or to ward it off completely. Companies, even if they are aware of cyber risks, are still reluctant to make the much-needed investments. The reality is that the budgets companies make available for cybersecurity are lower than what is actually needed to respond robustly to cyber-attacks. Budgets to prevent data breaches or to address their fallout must not be neglected as, in the case of cybersecurity, the evidence shows that prevention is a lot more cost-effective than cure.


Justine Laurier is an associate at Borden Ladner Gervais LLP’s Montreal office. Nils Goeteyn provided research for this article.
