Agenda - CPD Live Cyber...
May 21, 2019

Cybersecurity and Data Breaches

Imran Ahmad, Partner
Blake, Cassels & Graydon LLP
Email: imran.ahmad@blakes.com
Telephone: 416.863.4329

Agenda
1. Canadian cyber landscape
2. Legal Overview
3. Pre-breach best practices
4. Post-breach best practices



1. Canadian Cyber Landscape


Types of Bad Actors


Most Common Types of Cyber Threats
• Theft of data
• Ransomware
• Insider threat
• DDoS attack
• Phishing
• Social engineering

According to Stats Canada

Types of Personal Information
• Names
• Date of birth
• SIN
• Passwords
• Phone numbers
• Account numbers
• Home address
• Credit card numbers
• Email addresses
• Financial information
• Behavioral information


Dark Net


2. Legal Overview


Types of Risks
• Legal liability (including litigation)
• Regulatory enforcement & investigations
• Failure to meet contract terms
• Economic harm (e.g., loss of confidential info/IP)
• Reputational harm
• Business interruption
• Physical


Risks to Organization
• Director and Officer liability
• Legal liability including litigation
• Regulator enforcement and investigations
• Failure to meet key contract terms
• Economic harm (e.g. loss of confidential information/IP)
• Reputational harm
• Business interruption
• Physical harm


Privacy & Regulatory

2013
• OSFI – Cyber Self-Assessment Guidance

2015
• Digital Privacy Act (amends PIPEDA)
• Investment Industry Regulatory Organization of Canada (IIROC) – Cybersecurity Guidance

2016
• Canadian Securities Administrators (CSA) – Staff Notice 11-332 – Cybersecurity
• Mutual Fund Dealers Association of Canada – Bulletin on Cybersecurity

2017
• Canadian Securities Administrators (CSA)
  – Staff Notice 51-347 – Disclosure of cybersecurity risks and incidents
  – Staff Notice 33-321 – Cybersecurity and Social Media

2018
• Breach of Security Safeguards Regulations
• EU’s General Data Protection Regulation (GDPR) comes into force
• All 50 US states have mandatory breach notification laws

2019
• OSFI – Technology and Cyber Security Incident Reporting
• New York State Department of Financial Services – Cybersecurity Regulations (NYSDFS)
• California Consumer Privacy Act


Privacy and Cyber Laws

Applicable Laws
– PIPEDA and other provincial private sector, public sector and health privacy legislation
  • QC/AB/BC private sector laws and ON/NS/NB/NL health privacy laws are substantially similar
– Canadian Criminal Code
– Vital Cyber System Legislation
  • Consultation process to launch once draft legislation is released
– Quebec:
  • Civil Code (sections 35-41)
  • Act to Establish a Legal Framework for Information Technology
– US Defend Trade Secrets Act
– General Data Protection Regulation (Europe)


Canadian Privacy Laws


PIPEDA and Digital Privacy Act
• Applies to the collection, use or disclosure of personal information by every organization in the course of a commercial activity.
• Digital Privacy Act amendments require mandatory reporting of security breaches by organizations
  – Fines of up to $100k for failure to report a breach or keep logs.
  – Mandatory breach reporting regime came into force November 1, 2018


Third Party Exposure
(Diagram: Company connected to Vendor 1, Vendor 2 and Vendor 3)
• Source of breach
  – Internal: within business
  – External: from vendor
• Ensure:
  – Vendor selection, management and rating program
  – Contractual language for cyber response


Litigation Exposure
❑ Litigation exposure from:
  ❑ Affected individuals (e.g., customers)
  ❑ Affected partners/vendors (who were impacted due to the incident)
❑ Risk of class actions
❑ New privacy torts recognized
❑ Director liability
❑ Need to ensure legal privilege when dealing with a cybersecurity incident

3. Pre-Breach Practices


General – Managing Cyber Risk
• Duty to exercise care, diligence & skill
• Use of “best judgement” rule
  – Informed basis
  – Good faith
  – Best interest of corporation
• Focus on Board and SLT engagement in cybersecurity matters (being informed is not sufficient)

Board Oversight: Situational Awareness, Assessing Cyber Risk & Preparedness, Role During Cyber Incident, Post-Incident Assessment


Situational Awareness – Information to Board/SLT

Digital Assets Held
• Type of data
• How it's kept
• Where it's kept

Risk Level Matrix
• Insignificant
• Minor
• Significant
• Enterprise-wide (existential)

Cyber Threats
• Theft of data
• Ransomware
• DDoS
• Phishing

Third Party Assessment
• Overall preparedness level
• Strengths & areas for improvement
• Budgetary needs
• Ongoing cyber preparedness initiatives

Past Performance
• Breaches in the past?
• Response performance
• Remedial steps taken


Assessing Cyber Risk & Readiness

Assessing Readiness
• Empowering management
• Ongoing cyber monitoring
• Response protocols and policies in place
• Incident response plan in place
• Testing (tabletop exercises and penetration testing)
• Cybersecurity vendors identified
• Interplay with other critical plans (business continuity, disaster recovery, BYOD)

Allocating Resources
• Sufficient budget for technology, people and protocols?
• Ongoing staff training
• Resources to hire external vendors with expertise
• Allocation appropriate to risk level and type of threat(s)
• Benchmarking to industry norms

Cyber Insurance
• Sufficient level of coverage
• Coverage includes key services (e.g., legal, forensics, public relations, credit monitoring)
• Comparable to others in industry
• Covers first party and third party litigation exposure
• Any coverage restrictions

Reporting to Board
• Board process for intake of information
• Information to be provided to Board
• Frequency of reporting
• Need to retain cybersecurity experts to assist Board
• Board process for responding to information provided

Assessing Cyber Risk & Readiness

Data Governance
• Data mapping (incl. identifying “Crown Jewels”)
• Record retention policy
• Privacy Impact Assessments

Build a Cyber Monitoring Team
• Bring together the right people (IT, HR, Legal)
• Have a clear mandate
• Have the right resources
• Understand deliverables

Audit & Test Security
• Assess effectiveness of current security
• Consider hiring cyber experts
• Tabletop exercises
• Penetration testing

Educate & Train Staff
• Cyber hygiene
• Develop and disseminate cyber policies
• Refresh training

Supply Chain Management
• Due diligence on vendors
• Include contractual language around cybersecurity obligations
• Consider indemnification clauses

Cyber Incident Plan
• Plan should map out what to do in case of an attack
• Key considerations: public relations, legal, financial losses, etc.

Cyber Insurance
• Not a perfect solution
• Assess whether this is something that makes sense for the business
• Make sure you have the right coverage


Know Where You Stand
• Important to have a clear understanding of what data the organization holds, where it is kept and how it’s kept.
• Three key phases:
  – Build a data inventory
  – Classify the data
  – Conduct periodic revisions

Key considerations
• Which departments within your organization are most likely to have data?
• Who within each department would you need to speak with to find out what data exists?
• Is it more efficient to send the relevant people a questionnaire or to speak with them directly?
• What is the best way to receive information from each person in the organization that collects data, so that the information provided can be organized and sorted with information received from others?
• How much time will it take to complete the data map?


Data Map

What you should have in your data map
• The types of data collected.
• Where the data is physically housed (e.g., the building or location).
• Where the data is logically housed (e.g., the electronic location within a server).
• Whether encryption is applied to the data in transit (e.g., when it is moving). If it is, what encryption standard is being used?
• Whether encryption is applied to the data at rest (e.g., when it is being stored). If it is, what encryption standard is being used?
• The custodian of the data (e.g., who is responsible for it).
• Who has access within the organization to the data.
• Who has access outside of the organization to the data.
• Whether the data crosses national boundaries.
• The retention schedule (if any) applied to the data.


Supply Chain Management

Reps & Warranties
• No recent security incident, claims or regulatory action (threatened or pending) related to a security incident not disclosed to purchaser
• No processing, storage or transmission of purchaser’s info by a 3rd party not disclosed
• Obtain/maintain sufficient cyber insurance coverage

Confidentiality
• Sharing of info with vendor’s affiliates and downstream vendors and subcontractors
• Return/destruction of information
• Incident management (e.g., definition of incident, notices, access to info about incident, remediation, costs)

Security Program
• Vendor should have and maintain a security program
• Monitoring and assessment of vendor’s performance (including audits)
  – Purchaser audit
  – Vendor self-assessment and certification
  – Third party audit

Remedies
• Elements of loss that will be compensable as damages
• Liquidated damages
• Specific performance
• Limitations and disclaimers
• Termination


Cyber Incident Plan
• This will be your key document in the case of a breach
• Your incident response plan should:
  – Clearly delineate roles and responsibilities for all relevant stakeholders in the organization, such as IT, legal, communications, operations, and senior management
  – Contain clearly-defined severity ratings and triggers for escalation to legal and senior management
  – Require workforce members to report suspicious emails and other potential cybersecurity incidents
  – Include a summary of the key cybersecurity regulatory requirements for each jurisdiction
  – Provide guidance on how to interact with law enforcement and governmental authorities in the event of an incident
  – Include information on key vendors of forensics, identity theft protection, and other technology services that can be immediately mobilized should they be needed


Cyber Insurance

Cyber threats and potential cyber insurance solutions (chart: each threat is rated against the traditional insurance policies – Property, General Liability, Crime Policy, D&O – as not typically covered, may be covered in some cases, or typically covered)

Corporate IP
• Confidentiality of Corporate IP – Specialty IP Infringement Policies
• Integrity & Availability of Corporate IP – Data Restoration Coverage

Third-Party Data
• Confidentiality, Integrity, and Availability of Third-Party Data – Comprehensive Cyber Policy

Technology Infrastructure
• Availability of Operational Technology, Core and General Information Systems – Network Business Interruption / Extra Expense Coverage
• Availability of Outsourced Information Systems – Dependent Business Interruption Coverage

Relationship Capital
• Integrity (Value) of Relationship Capital (B2B & B2C) – Specialty Reputational Risk Policies

Financial Assets
• Availability (Theft) of Financial Assets – Cyber Crime Policies and Endorsements

Cyber-exposed Physical Assets
• Integrity (Physical Damage) of Cyber-exposed Physical Assets – Specialty Cyber Property Damage Policies

Note: All insurance coverage is subject to the terms, conditions, and exclusions in the applicable individual policies. Marsh cannot provide assurance that insurance can be obtained for any particular client or risk.


Cyber Insurance Coverage

First Party Cover – 1st party insurance coverage: direct loss and out-of-pocket expense incurred by the insured

Business Income/Extra Expense
Description: Interruption or suspension of computer systems due to a network security breach. Coverage may be added to include system failure.
Covered costs:
• Loss of income
• Costs in excess of normal operating expenses required to restore systems
• Dependent business interruption
• Forensic expenses

Data Asset Protection
Description: Costs to restore, recreate, or recollect your data and other intangible assets that are corrupted or destroyed.
Covered costs:
• Restoration of corrupted data
• Vendor costs to recreate lost data

Event Management
Description: Costs resulting from a network security or privacy breach.
Covered costs:
• Forensics
• Notification
• Credit monitoring
• Call center
• Public relations
• Sales discounts

Cyber Extortion
Description: Network or data compromised if ransom not paid.
Covered costs:
• Forensics
• Investigation
• Negotiations and payments of ransoms demanded

Third Party Cover – 3rd party insurance coverage: defense costs and liability incurred due to harm caused to others by the insured

Privacy Liability
Description: Failure to prevent unauthorized access, disclosure or collection, or failure of others to whom you have entrusted such information, or for not properly notifying of a privacy breach.
Covered costs:
• Liability and defense
• Third party trade secrets
• Notification to individuals
• Investigation costs
• Costs related to public relations efforts
• Sales discounts

Network Security Liability
Description: Failure of system security to prevent or mitigate a computer attack. Failure of system security includes failure of written policies and procedures addressing technology use.
Covered costs:
• Liability and defense
• Bank lawsuits
• Consumer lawsuits
• Sales discounts

Privacy Regulatory Defense Costs
Description: Privacy breach and related fines or penalties assessed by regulators.
Covered costs:
• Investigation by a regulator
• Liability and defense costs
• PCI / PHI fines and penalties
• Prep costs to testify before regulators
• Consumer / bank lawsuits


Practical Strategies – Information Managers
• Help IT to develop and disseminate security protocols
• Regular staff training
• Close accounts of former employees
• Stress disciplinary consequences for non-compliance
• Confirming with IT the level of access required for a post
• Looking for triggers for malicious conduct (e.g., demotion, transfers, etc.)
• Clear policies on BYOD, remote work and use of Wi-Fi


Practical Strategies – Five Quick Wins

Cyber Protocols and Policies
• Do you have them?
• When were they last updated?

Training
• How often?
• What does it cover?
• What are the results?

Compliance
• What happens if employees ignore cybersecurity protocols?

Limit former staff access to PII
• Do you have a process in place?

Reporting
• How often do you report to management on cyber?

4. Cyber Incident Response


Best Practices - During/Post-Breach

Implement Breach Protocol
• Notify all relevant staff (Privacy Officer, IT, SLT, Security)
• Team should diligently record all steps taken
• Include external legal counsel for privilege reasons

Containment
• Block unauthorized access to network
• Implement steps to recover and/or restore lost PII
• Determine whether there are ongoing vulnerabilities

Investigation and Assessment
• Identify affected individuals
• Review circumstances surrounding the breach
• Review adequacy of existing policies/procedures/training/systems

Notification
• Determine whether mandatory notification requirements apply
• Consider relevant factors to determine best method of notification
• Develop internal/external communication plan

Remediation
• Consider retaining a public relations firm for external messaging
• Determine what information needs to be communicated to whom internally


1. Initiate Internal Breach Protocol
• Initiate as soon as potential breach is identified:
  – Mobilize response team and resources
  – Initiate internal investigation process
  – Follow organizational policies and procedures
  – Record all steps – due diligence
  – Early involvement of legal counsel
    • Establish solicitor/client or litigation privilege to protect investigation / reports
    • Breach coach
  – Consider obligation to report to insurer


2. Containment
• Identify scope of potential breach and take steps to contain it:
  – Determine whether isolated incident or ongoing
  – Retrieve and secure PII
  – Identify if copies of PII were made/retained
  – Engage IT/security/forensic experts
  – Contact police
  – May need to contact system partners (shared systems, third party vendors)
• Determine whether breach would allow unauthorized access to other PII and take appropriate steps
  – Suspend access
  – Change passwords/identification numbers
  – Temporarily shut down system
  – Immediate steps to reduce risk of identity theft


3. Investigation
• Conduct internal investigation – objectives:
  1. Ensure immediate requirements of containment and notification have been addressed
  2. Review circumstances around breach
  3. Review adequacy of policies, procedures and security safeguards in protecting PII
• Gather and assess all information – audits, technical reports, interviews, policies and processes
• May need to initiate lookback program to identify affected individuals or categories of individuals
• Use a systematic process
  – Audit/tracking tool
  – Identification and follow up
• Risk Assessment
  – Breach or no breach?
  – Risk of harm and implications?


4. Notification
• Notification to individuals and regulators
  – Mandatory or voluntary?
  – Harm threshold?
  – Are there prescribed requirements?
  – If voluntary, when is notification advisable?


Mandatory Notification (jurisdiction – legislation – test for mandatory notification)

Federal – Personal Information Protection and Electronic Documents Act
Test: Effective November 1, 2018. Mandatory reporting to individual and Commissioner where it is reasonable to believe the breach creates a “real risk of significant harm to the individual”. Significant harm includes, among other things, bodily harm, humiliation, damage to reputation or relationships, financial loss and identity theft. “Real risk” requires consideration of the sensitivity of the information, the probability of misuse, and any other prescribed factor.

Alberta – Personal Information Protection Act
Test: Mandatory notification to Commissioner of any incident involving loss or unauthorized access to or disclosure of personal information where a reasonable person would consider there exists a “real risk of significant harm to an individual” as a result.

Alberta – Health Information Act
Test: Effective August 31, 2018. Mandatory notification to Commissioner, Minister and individual of any loss of or unauthorized access to individually identifying health information if there is a risk of harm to the individual.

Newfoundland and Labrador – Personal Health Information Act
Test: Mandatory notification to Commissioner where a custodian reasonably believes there has been a material breach involving unauthorized collection, use or disclosure of PHI. Factors to assess material breach set out in s. 5 of Regulation 38/11.


Mandatory Notification (continued)

New Brunswick – Personal Health Information Privacy and Access Act
Test: Mandatory notification to Commissioner where personal health information has been stolen, lost, disposed of in a manner not permitted by the Act, or disclosed to or accessed by an unauthorized person, unless the theft, loss, disposition, disclosure or access will not have an adverse impact on the provision of health care or the well-being of the individual, or the information is not identifiable.

Northwest Territories – Health Information Act
Test: Mandatory notification to individual if information about the individual is used or disclosed other than as permitted by the Act, lost or stolen, or altered, destroyed or otherwise disposed of without authorization. Mandatory notification to the Commissioner if

Nova Scotia – Personal Health Information Act
Test: Mandatory notification to individual where personal health information has been stolen, lost or subject to unauthorized access, use, disclosure, copying or modification, and as a result, there is potential for harm or embarrassment to the individual.

Ontario – Personal Health Information Protection Act
Test: Mandatory notification to individual if personal health information is stolen or lost or is used or disclosed without authority. Mandatory notification to Commissioner if breach meets prescribed requirements set out in s. 6.3 of Regulation 329/04.

Yukon – Health Information Privacy and Management Act
Test: Mandatory notification to individual and Commissioner where a security breach occurs in relation to an individual’s PHI and there are reasonable grounds to believe the individual is at risk of significant harm as a result.


4. Notification
• Consider manner of notification – written, verbal, in person
  – Consider: sensitivity of information; potential detrimental effects to patient; best way to communicate information
• Is public notification advisable?
• Combination of approaches?
• Internal and external stakeholder communications

Anatomy of the Target Breach

30 Days of the Target Breach (timeline: Dec 18th, Jan 10th, Jan 15th, Jan 17th)


Anatomy of the Target Breach – Cost
– CEO resigned
– Reputation damaged
– Costs to December 31, 2014 exceeded $162 million
– Only $63 million insurance coverage (25% of cost)
– Class action against Target


Anatomy of the Anthem Breach


Anatomy of the Anthem Breach
1. Hackers created bogus domain names based on the actual name of the company and mimicking corporate services, e.g. We11point.com, based on WellPoint.com.
2. Hackers targeted Anthem employees with phishing emails that lured them to fake sites, where they could collect logins and passwords to access the internal system.
3. Anthem was not legally required to encrypt its data and had not done so.
4. Once the hackers had system access, they could thus acquire and export customer data such as Social Security numbers, medical IDs, names, dates of birth, etc.
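The lookalike domain in step 1 (We11point.com standing in for WellPoint.com) is the kind of thing a defender can catch by collapsing confusable characters before comparing a candidate domain against the organisation's protected names. The detector below is an added example, not code from the presentation; the brand list, the candidate domains and the small suffix table are constructed assumptions.

```python
"""Lookalike-domain detection (added example; the brand list, candidate list and
suffix table are constructed assumptions, not data from the presentation)."""
import unicodedata

# Registrable domains we want to protect (assumption: the brand from the slide).
PROTECTED_BRANDS = ["wellpoint.com"]

# Constructed sample of candidate domains, e.g. from a newly-registered-domain
# feed or the sender domains seen in mail logs.
CONSTRUCTED_CANDIDATES = [
    "We11point.com",          # digit 1 substituted for letter l (slide example)
    "portal.wellpoint.com",   # genuine subdomain
    "wellpoimt.com",          # one-character typo
    "wellpoint-login.net",    # brand name embedded in a longer label
    "wellpoint.co.uk",        # same label under another suffix
    "example.org",            # unrelated
]

# Small stand-in for the Public Suffix List (assumption: real code should use
# the full list so that "wellpoint.co.uk" is split at the right label).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.nz"}

# Characters that look alike in common fonts are collapsed to one "skeleton"
# character so that We11point and wellpoint compare equal. Hyphens are dropped.
# Mapping i -> l is deliberately aggressive (capital I and l are confusable).
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w")]
SINGLE_CONFUSABLES = str.maketrans(
    {"1": "l", "|": "l", "i": "l", "0": "o", "5": "s", "3": "e",
     "4": "a", "7": "t", "8": "b", "-": None}
)


def registrable_label(domain: str) -> str:
    """Return the label just below the public suffix: mail.wellpoint.com -> wellpoint."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def skeleton(label: str) -> str:
    """Normalise a label: lower-case, strip accents (IDN homographs), collapse confusables."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for pair, single in MULTI_CONFUSABLES:
        text = text.replace(pair, single)
    return text.translate(SINGLE_CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, brands) -> tuple:
    """Return (verdict, matched_brand). Verdicts, in order of precedence:
    legitimate, tld-variant, homoglyph, typosquat, brand-embedded, unrelated."""
    cand = candidate.lower().strip(".")
    norm_brands = [b.lower().strip(".") for b in brands]
    for brand in norm_brands:  # the brand itself or a subdomain of it
        if cand == brand or cand.endswith("." + brand):
            return ("legitimate", brand)
    cand_label = registrable_label(cand)
    cand_skel = skeleton(cand_label)
    tiers = (
        ("tld-variant", lambda bl, bs: cand_label == bl),
        ("homoglyph", lambda bl, bs: cand_skel == bs),
        ("typosquat", lambda bl, bs: levenshtein(cand_skel, bs) <= 1),
        ("brand-embedded", lambda bl, bs: len(bs) >= 5 and bs in cand_skel),
    )
    for verdict, test in tiers:
        for brand in norm_brands:
            brand_label = registrable_label(brand)
            if test(brand_label, skeleton(brand_label)):
                return (verdict, brand)
    return ("unrelated", None)


def scan(candidates, brands) -> list:
    """Return (candidate, verdict, brand) for every candidate worth an analyst's look."""
    findings = []
    for candidate in candidates:
        verdict, brand = classify(candidate, brands)
        if verdict not in ("legitimate", "unrelated"):
            findings.append((candidate, verdict, brand))
    return findings


if __name__ == "__main__":
    for candidate, verdict, brand in scan(CONSTRUCTED_CANDIDATES, PROTECTED_BRANDS):
        print(f"{candidate:24} {verdict:15} (looks like {brand})")
```

Feeding the output into a mail-gateway block list or a SOC alert is the usual next step; the suffix table is the part to replace with the real Public Suffix List before production use.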


Anatomy of the Anthem Breach – Cost
– Pending class-action lawsuit from individuals who claim to be victims of fraud due to the breach.
– Anthem paid out ~$230 million in legal and consultant fees as of December 2015, partially covered by its cyber insurance policy, and now must pay a $25 million deductible for any future breaches.

Questions?


Thank You

Imran Ahmad
Blake, Cassels & Graydon LLP
imran.ahmad@blakes.com