In early January, the Liquor Control Board of Ontario (LCBO) made a public announcement that a cybersecurity incident on the checkout page of its online sales website may have revealed customers’ names, email and mailing addresses, Aeroplan numbers, LCBO account passwords, and credit card information.
A new year’s message that hits so close to home might shake Canadian business owners and their employees from their complacency.
A survey of 1,000 Canadian employers conducted by consultancy Terranova Security, in collaboration with research company Ipsos, revealed a surprisingly low level of concern about data theft at work.
“Only 40 per cent of employees say they work in a company where cyber security awareness training is mandatory. Forty-four per cent haven’t participated in any cyber security training, and a third indicated that their company doesn’t offer any relevant training at all.”
Perhaps these companies are not fully aware of the legal and business risks they run by being so casual.
As Mitch Koczerginski, Lyndsay Wasser and Carol Lyons of McMillan LLP write, data protection and cybersecurity in Canada are governed by a complex legal and regulatory framework.
“Failure to understand this framework and take active steps to reduce risks (or the impact of such risks when they materialize) can have serious legal and financial consequences for an organization.”
Under Schedule 1 of the federal legislation called the Personal Information Protection and Electronic Documents Act (PIPEDA), public and private organizations are required to safeguard personal information under their control.
This includes designating an individual or individuals accountable for the collection of personal information. They must administer appropriate safeguards to protect against loss or theft, unauthorized access, disclosure, copying, use or modification. The more sensitive the information, the higher the level of security required.
That means more than just locked filing cabinets. With more employee and client information now on computers or stored in the cloud, Koczerginski, Wasser and Lyons suggest organizational actions like security clearances, limiting access to a “need-to-know” basis, and measures that include passwords and encryption.
Aside from reputational damage and potential fines, Canadian companies and entities have been subject to a number of sometimes lengthy and costly class actions related to unauthorized access to, or disclosure of, personal information by employees.
Outside attacks are also an increasing risk and can be quite sophisticated. The cyber attacker could pose as a trusted vendor, client or employee requesting payment of an outstanding invoice via wire transfer. False texts from what appears to be a managerial superior can open the door to fraud and data theft.
Dependence solely on commercial property insurance is clearly a mistake.
Alexandra Selfridge, partner with legal practice Procopio based in California, writes that cybercrime losses are unlikely to be covered under conventional commercial property policies. More often, the necessary coverage is available only through specific cyber underwritings.
Even so, although cyber insurance premiums have reportedly stabilized in recent months, they are still rising by over 50 per cent year-over-year and can carry restrictive clauses.
“Not all policies are equal,” says Selfridge.
“Cybersecurity is an area that requires a multi-disciplinary approach with input from a variety of experts,” write the McMillan authors.
“Organizations should conduct an audit of their existing cybersecurity status, including: an evaluation of who and what is connected to their systems and networks; what is running on their systems and networks; and whether they have technology in place to prevent most breaches, rapidly detect breaches that do occur, and minimize the damage of such breaches.” To find those answers, engaging a cybercrime investigator would be a sound decision.
“The cybercrime investigator is at the forefront of the fight against financial crimes, undertaking an array of intelligence collection and investigative tasks,” writes Paul Wright, senior adviser of forensic technology and investigations at Accuracy. “This involves using multiple analytical platforms, investigative tools, open-source intelligence, and other tools, which are constantly evolving. Empowering the investigator with the right tools to automate, collate and grade intelligence will significantly aid the quality and efficiency of investigations.”
John Bleasby is a Coldwater, Ont.-based freelance writer. Send comments and Legal Notes column ideas to email@example.com.