May 21, 2019
Cybersecurity and Data Breaches
Imran Ahmad, Partner
Email: [email protected]
416.863.4329
Blake, Cassels & Graydon LLP
Agenda
1. Canadian cyber landscape
2. Legal Overview
3. Pre-breach best practices
4. Post-breach best practices
Blake, Cassels & Graydon LLP – Privileged and Confidential
1. Canadian cyber landscape
Types of Bad Actors
Most Common Types of Cyber Threats
• Theft of data
• Ransomware
• Insider threat
• DDoS attack
• Phishing
• Social engineering
According to Stats Canada
Types of Personal Information
• Names
• Date of birth
• SIN
• Passwords
• Phone numbers
• Account numbers
• Home address
• Credit card numbers
• Email addresses
• Financial information
• Behavioral information
Dark Net
2. Legal Overview
Types of Risks
• Legal liability (including litigation)
• Regulatory enforcement & investigations
• Failure to meet contract terms
• Economic harm (e.g., loss of confidential info/IP)
• Reputational harm
• Business interruption
• Physical harm
Risks to Organization
• Director and Officer liability
• Legal liability including litigation
• Regulator enforcement and investigations
• Failure to meet key contract terms
• Economic harm (e.g., loss of confidential information/IP)
• Reputational harm
• Business interruption
• Physical harm
Privacy & Regulatory (timeline)
2013
• OSFI – Cyber Self-Assessment Guidance
2015
• Digital Privacy Act (amends PIPEDA)
• Investment Industry Regulatory Organization of Canada (IIROC) – Cybersecurity Guidance
2016
• Canadian Securities Administrators (CSA) – Staff Notice 11-332 – Cybersecurity
• Mutual Fund Dealers Association of Canada – Bulletin on Cybersecurity
2017
• Canadian Securities Administrators (CSA)
  – Staff Notice 51-347 – Disclosure of cybersecurity risks and incidents
  – Staff Notice 33-321 – Cybersecurity and Social Media
2018
• Breach of Security Safeguards Regulations
• EU’s General Data Protection Regulation (GDPR) comes into force
• All 50 US states have mandatory breach notification laws
2019
• OSFI – Technology and Cyber Security Incident Reporting
• New York State Department of Financial Services – Cybersecurity Regulations (NYSDFS)
• California Consumer Privacy Act
Privacy and Cyber Laws – Applicable Laws
– PIPEDA and other provincial private sector, public sector and health privacy legislation
  • QC/AB/BC private sector and ON/NS/NB/NL health privacy laws are substantially similar
– Canadian Criminal Code
– Vital Cyber System Legislation
  • Consultation process to launch once draft legislation is released
– Quebec:
  • Civil Code (sections 35-41)
  • Act to Establish a Legal Framework for Information Technology
– US Defend Trade Secrets Act
– General Data Protection Regulation (GDPR) (Europe)
Canadian Privacy Laws
PIPEDA and Digital Privacy Act
• Applies to the collection, use or disclosure of personal information by every organization in the course of a commercial activity.
• Digital Privacy Act amendments require mandatory reporting of security breaches by organizations
  – Fines of up to $100k for failure to report a breach or keep logs.
  – Mandatory breach reporting regime came into force November 1, 2018
Third Party Exposure
(Diagram: Company linked to Vendor 1, Vendor 2 and Vendor 3)
• Source of breach
  – Internal: within the business
  – External: from a vendor
• Ensure:
  – Vendor selection, management and rating program
  – Contractual language for cyber response
Litigation Exposure
• Litigation exposure from:
  – Affected individuals (e.g., customers)
  – Affected partners/vendors (who were impacted due to the incident)
• Risk of class actions
• New privacy torts recognized
• Director liability
• Need to ensure legal privilege when dealing with a cybersecurity incident
3. Pre-Breach Practices
General – Managing Cyber Risk
• Duty to exercise care, diligence & skill
• Use of “best judgement” rule
  – Informed basis
  – Good faith
  – Best interest of corporation
• Focus on Board and SLT engagement in cybersecurity matters (being informed is not sufficient)
(Cycle: Board Oversight → Situational Awareness → Assessing Cyber Risk & Preparedness → Role During Cyber Incident → Post-Incident Assessment)
Situational Awareness – Information to Board/SLT
Digital Assets Held
• Type of data
• How it’s kept
• Where it’s kept
Risk Level Matrix
• Insignificant
• Minor
• Significant
• Enterprise-wide (existential)
Cyber Threats
• Theft of data
• Ransomware
• DDoS
• Phishing
Third Party Assessment
• Overall preparedness level
• Strengths & areas for improvement
• Budgetary needs
• Ongoing cyber preparedness initiatives
Past Performance
• Breaches in the past?
• Response performance
• Remedial steps taken
Assessing Cyber Risk & Readiness
Assessing Readiness
• Empowering management
• Ongoing cyber monitoring
• Response protocols and policies in place
• Incident response plan in place
• Testing (tabletop exercises and penetration testing)
• Cybersecurity vendors identified
• Interplay with other critical plans (business continuity, disaster recovery, BYOD)
Allocating Resources
• Sufficient budget for technology, people and protocols?
• Ongoing staff training
• Resources to hire external vendors with expertise
• Allocation appropriate to risk level and type of threat(s)
• Benchmarking to industry norms
Cyber Insurance
• Sufficient level of coverage
• Coverage includes key services (e.g., legal, forensics, public relations, credit monitoring)
• Comparable to others in industry
• Covers first party and third party litigation exposure
• Any coverage restrictions?
Reporting to Board
• Board process for intake of information
• Information to be provided to Board
• Frequency of reporting
• Need to retain cybersecurity experts to assist Board
• Board process for responding to information provided
Assessing Cyber Risk & Readiness
Data Governance
• Data mapping (incl. identifying “Crown Jewels”)
• Record retention policy
• Privacy Impact Assessments
Build a Cyber Monitoring Team
• Bring together the right people (IT, HR, Legal)
• Have a clear mandate
• Have the right resources
• Understand deliverables
Audit & Test Security
• Assess effectiveness of current security
• Consider hiring cyber experts
• Tabletop exercises
• Penetration testing
Educate & Train Staff
• Cyber hygiene
• Develop and disseminate cyber policies
• Refresh training
Supply Chain Management
• Due diligence on vendors
• Include contractual language around cybersecurity obligations
• Consider indemnification clauses
Cyber Incident Plan
• Plan should map out what to do in case of an attack
• Key considerations: public relations, legal, financial losses, etc.
Cyber Insurance
• Not a perfect solution
• Assess whether this is something that makes sense for the business
• Make sure the coverage is right
Know Where You Stand
• Important to have a clear understanding of what data the organization holds, where it is kept and how it is kept.
• Three key phases:
  – Build a data inventory
  – Classify the data
  – Conduct periodic revisions
Key considerations
• Which departments within your organization are most likely to have data?
• Who within each department would you need to speak with to find out what data exists?
• Is it more efficient to send the relevant people a questionnaire or to speak with them directly?
• What is the best way to receive information from each person in the organization that collects data, so that the information provided can be organized and sorted with information received from others?
• How much time will it take to complete the data map?
Data Map – What you should have in your data map
• The types of data collected.
• Where the data is physically housed (e.g., the building or location).
• Where the data is logically housed (e.g., the electronic location within a server).
• Whether encryption is applied to the data in transit (e.g., when it is moving). If it is, what encryption standard is being used?
• Whether encryption is applied to the data at rest (e.g., when it is being stored). If it is, what encryption standard is being used?
• The custodian of the data (e.g., who is responsible for it).
• Who has access within the organization to the data.
• Who has access outside of the organization to the data.
• Whether the data crosses national boundaries.
• The retention schedule (if any) applied to the data.
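As an added illustration (not part of the original deck), the Python below records each data-map field listed above as an inventory entry and then checks the inventory for the gaps a reviewer looks for: a missing custodian or retention schedule, sensitive categories (the ones the deck lists, such as SIN or credit card numbers) held without encryption at rest or in transit, and data that both crosses a national boundary and is reachable by external parties. The three asset records, the sensitive-type set and the gap rules are constructed assumptions for this example.

```python
"""Data-map gap check: constructed example, not the presenter's tooling."""
from dataclasses import dataclass, field
from typing import List, Optional

# Personal-information categories from the deck that we treat as sensitive
# for encryption purposes (assumption of this example).
SENSITIVE_TYPES = {"SIN", "passwords", "credit card numbers",
                   "financial information", "account numbers"}


@dataclass
class DataAsset:
    """One row of the data map, one attribute per field the deck asks for."""
    data_type: str
    physical_location: str
    logical_location: str
    encryption_in_transit: Optional[str]   # standard in use, None = not encrypted
    encryption_at_rest: Optional[str]      # standard in use, None = not encrypted
    custodian: Optional[str]
    internal_access: List[str] = field(default_factory=list)
    external_access: List[str] = field(default_factory=list)
    crosses_border: bool = False
    retention_schedule: Optional[str] = None


def find_gaps(inventory: List[DataAsset]) -> List[str]:
    """Return one finding per control gap found in the inventory."""
    gaps: List[str] = []
    for a in inventory:
        name = f"{a.data_type} @ {a.logical_location}"
        sensitive = a.data_type in SENSITIVE_TYPES
        if not a.custodian:
            gaps.append(f"{name}: no custodian assigned")
        if not a.retention_schedule:
            gaps.append(f"{name}: no retention schedule")
        if sensitive and not a.encryption_at_rest:
            gaps.append(f"{name}: sensitive data stored without encryption at rest")
        # Sensitive data, or anything an outside party pulls, must be protected in transit.
        if (sensitive or a.external_access) and not a.encryption_in_transit:
            gaps.append(f"{name}: data moves without encryption in transit")
        if a.crosses_border and a.external_access:
            who = ", ".join(a.external_access)
            gaps.append(f"{name}: crosses national boundaries and is accessed externally ({who})")
    return gaps


# Constructed sample inventory (fictional systems and vendors).
SAMPLE_INVENTORY = [
    DataAsset("SIN", "Toronto HQ, floor 3", "hr-db", "TLS 1.2", "AES-256",
              "HR Director", ["HR"], ["payroll vendor"], True, "7 years after termination"),
    DataAsset("credit card numbers", "Cloud region ca-central", "shop-db", "TLS 1.2", None,
              "Finance Director", ["Finance", "IT"], [], False, None),
    DataAsset("email addresses", "Marketing SaaS", "marketing-list", None, None,
              None, ["Marketing"], ["campaign vendor"], False, "until unsubscribe"),
]

if __name__ == "__main__":
    for finding in find_gaps(SAMPLE_INVENTORY):
        print(finding)
```

Each finding names the asset so it can be handed to the custodian (or, where there is none, to whoever must appoint one); periodic re-runs after the "conduct periodic revisions" phase show whether earlier gaps were closed.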
Supply Chain Management
Reps & Warranties
• No recent security incident, claims or regulatory action (threatened or pending) related to a security incident not disclosed to purchaser
• No processing, storage or transmission of purchaser’s info by a 3rd party not disclosed
• Obtain/maintain sufficient cyber insurance coverage
Confidentiality
• Sharing of info with vendor’s affiliates and downstream vendors and subcontractors
• Return/destruction of information
• Incident management (e.g., definition of incident, notices, access to info about incident, remediation, costs)
Security Program
• Vendor should have and maintain a security program
• Monitoring and assessment of vendor’s performance (including audits)
  – Purchaser audit
  – Vendor self-assessment and certification
  – Third party audit
Remedies
• Elements of loss that will be compensable as damages
• Liquidated damages
• Specific performance
• Limitations and disclaimers
• Termination
Cyber Incident Plan
• This will be your key document in the case of a breach
• Your incident response plan should:
  – Clearly delineate roles and responsibilities for all relevant stakeholders in the organization, such as IT, legal, communications, operations, and senior management
  – Contain clearly-defined severity ratings and triggers for escalation to legal and senior management
  – Require workforce members to report suspicious emails and other potential cybersecurity incidents
  – Include a summary of the key cybersecurity regulatory requirements for each jurisdiction
  – Provide guidance on how to interact with law enforcement and governmental authorities in the event of an incident
  – Include information on key vendors of forensics, identity theft protection, and other technology services that can be immediately mobilized should they be needed
Cyber Insurance – Cyber Threats and Insurance Solutions
Asset | Cyber Threat | Potential Cyber Insurance Solution
Corporate IP | Confidentiality of Corporate IP | Specialty IP Infringement Policies
Corporate IP | Integrity & Availability of Corporate IP | Data Restoration Coverage
Third-Party Data | Confidentiality, Integrity, and Availability of Third-Party Data | Comprehensive Cyber Policy
Technology Infrastructure | Availability of Operational Technology, Core and General Information Systems | Network Business Interruption / Extra Expense Coverage
Technology Infrastructure | Availability of Outsourced Information Systems | Dependent Business Interruption Coverage
Relationship Capital | Integrity (Value) of Relationship Capital (B2B & B2C) | Specialty Reputational Risk Policies
Financial Assets | Availability (Theft) of Financial Assets | Cyber Crime Policies and Endorsements
Cyber-exposed Physical Assets | Integrity (Physical Damage) of Cyber-exposed Physical Assets | Specialty Cyber Property Damage Policies
(The slide also rates each threat against traditional Property, General Liability, Crime and D&O policies using the legend: Not typically covered / May be covered in some cases / Typically covered.)
Note: All insurance coverage is subject to the terms, conditions, and exclusions in the applicable individual policies. Marsh cannot provide assurance that insurance can be obtained for any particular client or risk.
Cyber Insurance Coverage
Coverage | Description | Covered Costs
First Party Cover – 1st party insurance coverage: direct loss and out-of-pocket expense incurred by the insured
Business Income/Extra Expense | Interruption or suspension of computer systems due to a network security breach. Coverage may be added to include system failure. | Loss of income; costs in excess of normal operating expenses required to restore systems; dependent business interruption; forensic expenses
Data Asset Protection | Costs to restore, recreate, or recollect your data and other intangible assets that are corrupted or destroyed. | Restoration of corrupted data; vendor costs to recreate lost data
Event Management | Costs resulting from a network security or privacy breach. | Forensics; notification; credit monitoring; call center; public relations; sales discounts
Cyber Extortion | Network or data compromised if ransom not paid. | Forensics; investigation; negotiations and payments of ransoms demanded
Third Party Cover – 3rd party insurance coverage: defense and liability incurred due to loss caused to others by the insured
Privacy Liability | Failure to prevent unauthorized access, disclosure or collection, or failure of others to whom you have entrusted such information, or not properly notifying of a privacy breach. | Liability and defense; third party trade secrets; notification to individuals; investigation costs; costs related to public relations efforts; sales discounts
Network Security Liability | Failure of system security to prevent or mitigate a computer attack. Failure of system security includes failure of written policies and procedures addressing technology use. | Liability and defense; bank lawsuits; consumer lawsuits; sales discounts
Privacy Regulatory Defense Costs | Privacy breach and related fines or penalties assessed by regulators. | Investigation by a regulator; liability and defense costs; PCI / PHI fines and penalties; prep costs to testify before regulators; consumer / bank lawsuits
Practical Strategies – Information Managers
• Help IT to develop and disseminate security protocols
• Regular staff training
• Close accounts of former employees
• Stress disciplinary consequences for non-compliance
• Confirm with IT the level of access required for each post
• Look for triggers for malicious conduct (e.g., demotion, transfers, etc.)
• Clear policies on BYOD, remote work and use of Wi-Fi
Practical Strategies – Five Quick Wins
Cyber Protocols and Policies
• Do you have them?
• When were they last updated?
Training
• How often?
• What does it cover?
• What are the results?
Compliance
• What happens if employees ignore cybersecurity protocols?
Limit former staff access to PII
• Do you have a process in place?
Reporting
• How often do you report to management on cyber?
4. Cyber Incident Response
Best Practices – During/Post-Breach
Implement Breach Protocol
• Notify all relevant staff (Privacy Officer, IT, SLT, Security)
• Team should diligently record all steps taken
• Include external legal counsel for privilege reasons
Containment
• Block unauthorized access to network
• Implement steps to recover and/or restore lost PII
• Determine whether there are ongoing vulnerabilities
Investigation and Assessment
• Identify affected individuals
• Review circumstances surrounding the breach
• Review adequacy of existing policies/procedures/training/systems
Notification
• Determine whether mandatory notification requirements apply
• Consider relevant factors to determine best method of notification
• Develop internal/external communication plan
Remediation
• Consider retaining a public relations firm for external messaging
• Determine what information needs to be communicated to whom internally
1. Initiate Internal Breach Protocol
• Initiate as soon as potential breach is identified:
  – Mobilize response team and resources
  – Initiate internal investigation process
  – Follow organizational policies and procedures
  – Record all steps – due diligence
  – Early involvement of legal counsel
• Establish solicitor/client or litigation privilege to protect investigation / reports
• Breach coach
• Consider obligation to report to insurer
2. Containment
• Identify scope of potential breach and take steps to contain it:
  – Determine whether isolated incident or ongoing
  – Retrieve and secure PII
  – Identify if copies of PII were made/retained
  – Engage IT/security/forensic experts
  – Contact police
  – May need to contact system partners (shared systems, third party vendors)
• Determine whether breach would allow unauthorized access to other PII and take appropriate steps:
  – Suspend access
  – Change passwords/identification numbers
  – Temporarily shut down system
  – Immediate steps to reduce risk of identity theft
3. Investigation
• Conduct internal investigation – objectives:
  1. Ensure immediate requirements of containment and notification have been addressed
  2. Review circumstances around breach
  3. Review adequacy of policies, procedures and security safeguards in protecting PII
• Gather and assess all information – audits, technical reports, interviews, policies and processes
• May need to initiate lookback program to identify affected individuals or categories of individuals
• Use a systematic process
  – Audit/tracking tool
  – Identification and follow up
• Risk Assessment
  – Breach or no breach?
  – Risk of harm and implications?
4. Notification
• Notification to individuals and regulators
  – Mandatory or voluntary?
  – Harm threshold?
  – Are there prescribed requirements?
  – If voluntary, when is notification advisable?
Mandatory Notification
Jurisdiction | Legislation | Test for Mandatory Notification
Federal | Personal Information Protection and Electronic Documents Act | Effective November 1, 2018. Mandatory reporting to individual and Commissioner where it is reasonable to believe the breach creates a “real risk of significant harm to the individual”. Significant harm includes, among other things, bodily harm, humiliation, damage to reputation or relationships, financial loss and identity theft. “Real risk” requires consideration of the sensitivity of the information, the probability of misuse, and any other prescribed factor.
Alberta | Personal Information Protection Act | Mandatory notification to Commissioner of any incident involving loss or unauthorized access to or disclosure of personal information where a reasonable person would consider there exists a “real risk of significant harm to an individual” as a result.
Alberta | Health Information Act | Effective August 31, 2018. Mandatory notification to Commissioner, Minister and individual of any loss of or unauthorized access to individually identifying health information if there is a risk of harm to the individual.
Newfoundland and Labrador | Personal Health Information Act | Mandatory notification to Commissioner where a custodian reasonably believes there has been a material breach involving unauthorized collection, use or disclosure of PHI. Factors to assess material breach set out in s. 5 of Regulation 38/11.
New Brunswick | Personal Health Information Privacy and Access Act | Mandatory notification to Commissioner where personal health information has been stolen, lost, disposed of in a manner not permitted by the Act, or disclosed to or accessed by an unauthorized person, unless the theft, loss, disposition, disclosure or access will not have an adverse impact on provision of health care, well-being of the individual, or is not identifiable.
Northwest Territories | Health Information Act | Mandatory notification to individual if information about the individual is used or disclosed other than as permitted by the Act, lost or stolen, or altered, destroyed or otherwise disposed of without authorization. Mandatory notification to the Commissioner if
Nova Scotia | Personal Health Information Act | Mandatory notification to individual where personal health information has been stolen, lost or subject to unauthorized access, use, disclosure, copying or modification, and as a result, there is potential for harm or embarrassment to the individual.
Ontario | Personal Health Information Protection Act | Mandatory notification to individual if personal health information is stolen or lost or is used or disclosed without authority. Mandatory notification to Commissioner if breach meets prescribed requirements set out in s. 6.3 of Regulation 329/04.
Yukon | Health Information Privacy and Management Act | Mandatory notification to individual and Commissioner where a security breach occurs in relation to an individual’s PHI and there are reasonable grounds to believe the individual is at risk of significant harm as a result.
4. Notification (continued)
• Consider manner of notification – written, verbal, in person
  – Consider: sensitivity of information; potential detrimental effects to patient; best way to communicate information
• Is public notification advisable?
• Combination of approaches?
• Internal and external stakeholder communications
Anatomy of the Target Breach
(Figure slides: breach timeline and “30 Days of the Target Breach” – Dec 18th, Jan 10th, Jan 15th, Jan 17th)
Cost
– CEO resigned
– Reputation damaged
– Costs to December 31, 2014 exceeded $162 million
– Only $63 million insurance coverage (25% of cost)
– Class action against Target
Anatomy of the Anthem Breach
1. Hackers created bogus domain names based on the actual name of the company and mimicking corporate services. E.g.: We11point.com, based on WellPoint.com
2. Hackers targeted Anthem employees with phishing emails that lured them to fake sites, where they could collect logins and passwords to access the internal system.
3. Anthem was not legally required to encrypt its data and had not done so.
4. Once the hackers had system access, they could thus acquire and export customer data such as social security numbers, medical IDs, names, dates of birth, etc.
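The bogus-domain step above is one a mail gateway or log review can catch before credentials are entered. As an added example (not from the presentation, Anthem or any vendor), the Python below folds commonly confused characters (1 for l, 0 for o, rn for m) and allows a one-character edit distance to flag sender domains that imitate a corporate domain, then runs that check over a few constructed mail-gateway log lines. The confusable map, the log line format and the `wellpoint.com` comparison domain are assumptions of this example.

```python
"""Look-alike sender-domain detection: constructed example, not the presenter's tooling."""
import re
from typing import Dict, List, Tuple

# Characters and digraphs typically swapped for look-alike letters in bogus domains.
# Deliberately minimal map chosen for this example; extend for your environment.
CONFUSABLES: Dict[str, str] = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
}


def normalize(domain: str) -> str:
    """Fold confusable characters so 'we11point' and 'wellpoint' compare equal."""
    domain = domain.lower()
    for bogus, real in CONFUSABLES.items():
        domain = domain.replace(bogus, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats left after folding."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, legit: str) -> bool:
    """True if candidate is neither legit nor a real subdomain of it, yet resembles it."""
    candidate, legit = candidate.lower(), legit.lower()
    if candidate == legit or candidate.endswith("." + legit):
        return False  # the real domain, or a genuine subdomain such as mail.<legit>
    folded, legit_folded = normalize(candidate), normalize(legit)
    return folded == legit_folded or edit_distance(folded, legit_folded) <= 1


# Assumed log format: "... from=<localpart>@<domain> ..." (constructed for this example).
SENDER_RE = re.compile(r"\bfrom=[^@\s]+@([A-Za-z0-9.-]+)")


def flag_senders(log_lines: List[str], legit_domains: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, sender domain, imitated domain) for each suspicious line."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(log_lines, 1):
        m = SENDER_RE.search(line)
        if not m:
            continue
        domain = m.group(1)
        for legit in legit_domains:
            if is_lookalike(domain, legit):
                hits.append((n, domain, legit))
                break
    return hits


# Constructed mail-gateway log lines (fictional traffic).
SAMPLE_LOG = [
    "2019-05-21T09:00:01 from=hr@wellpoint.com to=alice@wellpoint.com subject=Benefits",
    "2019-05-21T09:02:14 from=it-support@we11point.com to=bob@wellpoint.com subject=Reset",
    "2019-05-21T09:05:30 from=news@mail.wellpoint.com to=carol@wellpoint.com subject=Digest",
    "2019-05-21T09:07:45 from=partner@example.com to=dave@wellpoint.com subject=Invoice",
    "2019-05-21T09:09:10 from=payroll@wellpoint.co to=erin@wellpoint.com subject=Payslip",
]

if __name__ == "__main__":
    for n, dom, legit in flag_senders(SAMPLE_LOG, ["wellpoint.com"]):
        print(f"line {n}: sender domain {dom} resembles {legit}")
```

Folding is applied to both sides so a legitimate domain that itself contains a digit or "rn" still compares correctly; the edit-distance threshold of one is a starting point and should be tuned against your own mail volume, since short domains produce more accidental neighbours.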
Anatomy of the Anthem Breach – Cost
– Pending class-action lawsuit from individuals who claim to be victims of fraud due to the breach.
– Anthem paid out ~$230 million in legal and consultant fees as of December 2015, partially covered by its cyber insurance policy, and now must pay a $25 million deductible for any future breaches.
Questions?
Thank You
Imran Ahmad
Blake, Cassels & Graydon LLP
[email protected]