Cyber Exposures & Liability: What Agrologists & Consultants Need to Know Conference for the Alberta Institute of Agrologists Mouna Hanna and Serena Lam March 27, 2019


Page 1

Cyber Exposures & Liability: What Agrologists & Consultants Need to Know

Conference for the Alberta Institute of Agrologists

Mouna Hanna and Serena Lam

March 27, 2019

Page 2

Our Firm

Offices in:

• Vancouver

• Kelowna

• Calgary

• Toronto

Dedicated exclusively to insurance law


Page 3

Overview

1. Privacy and Security in the Context of a Breach

2. Privacy Laws in Alberta

3. Types of Threats and Case Examples

4. Benefits of Legal Counsel as Breach Coach

5. Questions

Page 4

Privacy and Security in the Context of a Breach

Page 5

Privacy vs. Security

Privacy: Personal Information – Privacy Breach Coverage

Security: Confidential Corporate Information, Computer Systems – Network Security Breach Coverage

Page 6

What is a security breach?

• Undefined in law; defined in insurance

• Unauthorized access to insured’s computer systems

• Alteration or corruption of data

• Denial of access or functionality

• Theft of hardware or data

• Identity theft and phishing

Page 7

Personal Information Privacy Obligations

Intentional violation of privacy is actionable at law.

Companies require authorization to collect, use or disclose personal information.

Companies that collect and store personal information have a duty to protect it.

Page 8

Privacy Law in Alberta

Page 9

Personal Information collected by Agrologists & Consultants

• “Personal information” (PI) is information about an identifiable individual

– eg: clients who are individuals and employee information in HR files

• Contracts with clients may require compliance with PI protection legislation

Page 10

Personal Information Protection in the Private Sector

FEDERAL

• PIPEDA

• Digital Privacy Act

– Amends PIPEDA

– Regulations

– Coming into force Nov. 1, 2018

PROVINCIAL

• Substantially similar legislation – BC, Alberta and Quebec have their own Acts

• Health Acts: Ontario, Newfoundland and Labrador, New Brunswick and Nova Scotia

Page 11

Privacy Breach Notice Requirements under Alberta PIPA

When?

• Mandatory where there is a “real risk of significant harm”

Why?

• Inform affected individuals

• Enable individuals to protect themselves

How?

• Direct notification – email, phone, letter

• If direct notification is not possible, indirect notification may be acceptable – newspaper, website, social media

To whom?

• Privacy Commissioner(s)

• Any individual who is at “real risk of significant harm”

• Third parties who can mitigate the risk of harm (e.g., police)

How soon?

• “without unreasonable delay” (Alberta PIPA)

Page 12

Real Risk

Depends upon:

• Sensitivity of information

• Probability information might be misused to inflict harm

• Circumstances (loss v. theft)

• Encrypted?

• Type of data


Page 13

Significant Harm

• Bodily harm

• Humiliation, damage to reputation or relationships

• Employment, business, or professional loss

• Financial loss and property damage

• Risk of identity theft or damage to credit

• A low hurdle

Page 14

Offences and Penalties

Fines up to $100,000 for failure to notify

Page 15

Types of Threats and Case Examples

Page 16

Cyber Extortion

Ransomware (Petya, WannaCry)

Threat to expose (Ashley Madison)

Page 17

Ransomware:

• Entry/intrusion – usually by phishing email

• Intruder encrypts all data

• Unable to access/open

• Typically has a ransom note

• Currency of choice: bitcoins (neutral facilitator and untraceable)

Page 18

Ransomware at Manufacturing Plant

• Ransomware attack on Friday of long weekend

• Ransomware encrypted operations and backups

– 70 servers and 800 computers

– 30 plant locations in Canada & USA

• Some sites able to work out existing orders manually for 24-48 hours before incurring BI loss

• Retained specialist ransomware forensics firm – discovered double encryption (on servers and virtual machines)

• Paid ransomware demand 17 bitcoins (approx. $200,000)

• Retained PR firm to assist with internal/external messaging

• Decryption successful and able to restart operations with minimal loss & no privacy breach


Page 19

Ransomware at Manufacturing Plant

Costs:

• Legal - $11,000

• No PI/no notification required

• Forensics for decryption, remediation, vulnerability assessments - $60,000

• PR Firm who assisted with internal and external messaging - $9,000

• Ransomware demand 17 bitcoins (approx. $200,000)


Page 20

Ransomware at a Property Management Company

• Local hackers manipulated weak code in website

– Accessed 100+ rental applications (sensitive PI of applicants and cosigners)

– Posted table of 170 applicants’ info on public website

– Emailed applicants and company asking for bitcoins

• Retained forensic experts to investigate and facilitate ransom payment

• Notified 170 applicants by mail/email, notified Privacy Commissioner and provided credit monitoring to all

• Retained PR firm to assist with notification, messaging and media statement

Page 21

Ransomware at a Property Management Company

Costs:

• Legal - $31,000 – coordination with experts and RCMP, jurisdictional analysis, Privacy Commissioner negotiation

• Computer forensics experts - $30,000

• PR firm - $10,000

• Notification and call centre services - $2,000

– Some notifications handled internally

• Ransom - $20,000

Page 22

Tricking people to disclose confidential information or perform acts for a fraudulent purpose

• email and telephone scams

• using information obtained through social media or purchased

Page 23

Social Engineering Fraud

Type – Explanation

Phishing – Criminals persuade victims to hand over personal details or transfer money by sending spoof emails

Spear phishing – A targeted phishing email aimed at a specific person

Vishing – Criminals persuade victims to hand over personal details or transfer money over the telephone

SMiShing – Criminals persuade victims to hand over personal details or transfer money by way of spoof SMS text messages

Page 24

Phishing at a Law Firm

• Many corporate clients but some individuals

• Accounting clerk at law firm receives phishing email

• Clerk is induced to enter Outlook login credentials

• 1500 emails sent from clerk’s email to the firm’s clients containing malware

• Forensics to determine what was accessed in the clerk’s email

– 36,000 items in the clerk’s inbox

– Banking info, credit cards, scanned cheques, and solicitor-client privileged information

Page 25

Phishing at a Law Firm

• Forensics firm applied a surgical-precision approach using bespoke software and manual review:

– All items containing credit card and banking information

– All items containing an invoice

– All items containing personal email addresses

– Manual review of all non-readable images

– Final catch-all search for items containing sensitive personal information (health, employee, birthday)

• Notification required for only 210 individuals

• Notified Privacy Commissioner only where required

Page 26

Phishing at a Law Firm

Costs:

• Forensics - $62,000

• Legal - $50,000

• Credit monitoring - $1,650

• All notifications and responses to inquiries were handled in-house

Page 27

Spear Phishing at Health Centre

• Phishing attack targeted CFO

– Office 365 settings changed to divert all incoming email

– 790 emails over 3 weeks – responded to inquiries

• IT provider failed to promptly inform Health Centre

• Of 790 emails diverted, 30 had personal information (residents, employees, job applicants, directors)

• Contract with hospital – no access to database causing BI loss

• Reported to Privacy Commissioner, notified 130 people

• Database access restored
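The diversion step in this case (mailbox settings changed so that incoming mail was sent elsewhere) is something a responder can check for directly rather than wait weeks to learn about from a provider. The Python below is an added example and is not part of the presentation or of either firm's material: it reviews a list of inbox rules and flags the ones that forward or redirect mail to an address outside the organization, that apply to every incoming message, or that hide the diverted copy from the mailbox owner. The rule records are constructed sample data shaped like a generic rule export, and the organization's domain, the mailbox addresses and the field names are assumptions made for the example.

```python
"""Flag mailbox inbox rules that silently divert incoming mail.

After a phishing compromise of a mailbox, a rule that forwards or
redirects incoming mail to an outside address is a common follow-on
step, often combined with deleting the forwarded copy so the owner does
not notice. This check walks rule records and reports the ones a
responder should review first.

The records in SAMPLE_RULES are constructed for this example; the field
names (forward_to, redirect_to, conditions, delete_message, ...) are an
assumed generic export format, not any vendor's schema.
"""
from __future__ import annotations

# Assumption: the organization's own mail domain(s). Anything else is "external".
ORG_DOMAINS = {"example-healthcentre.test"}


def external_recipients(rule: dict, org_domains: set[str] = ORG_DOMAINS) -> list[str]:
    """Return forward/redirect targets whose domain is not one of ours."""
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    return [addr for addr in targets
            if addr.rsplit("@", 1)[-1].lower() not in org_domains]


def review_rules(rules: list[dict], org_domains: set[str] = ORG_DOMAINS) -> list[dict]:
    """Return one finding per enabled rule that looks like a mail diversion.

    Each finding lists the mailbox, the rule name and the reasons it was flagged.
    """
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # disabled rules cannot divert anything right now
        reasons = []
        diverts = bool(rule.get("forward_to") or rule.get("redirect_to"))
        ext = external_recipients(rule, org_domains)
        if ext:
            reasons.append("forwards or redirects to external address(es): " + ", ".join(ext))
        if diverts and not rule.get("conditions"):
            reasons.append("applies to every incoming message (no conditions)")
        if diverts and (rule.get("delete_message")
                        or rule.get("move_to_folder") in ("Deleted Items", "RSS Feeds")):
            reasons.append("hides the diverted copy from the mailbox owner")
        if reasons:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["name"], "reasons": reasons})
    return findings


# Constructed sample rules: one attacker-style diversion, one benign filing
# rule, one internal forward-all, and one disabled rule.
SAMPLE_RULES = [
    {"mailbox": "cfo@example-healthcentre.test", "name": ".", "enabled": True,
     "conditions": {}, "redirect_to": ["cfo.backup@mail-archive.test"],
     "delete_message": True},
    {"mailbox": "cfo@example-healthcentre.test", "name": "Board papers", "enabled": True,
     "conditions": {"from": "board@example-healthcentre.test"},
     "move_to_folder": "Board"},
    {"mailbox": "reception@example-healthcentre.test", "name": "Cover for vacation", "enabled": True,
     "conditions": {}, "forward_to": ["admin@example-healthcentre.test"]},
    {"mailbox": "hr@example-healthcentre.test", "name": "Old rule", "enabled": False,
     "conditions": {}, "forward_to": ["someone@example-webmail.test"]},
]

if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print(f"{finding['mailbox']} / rule '{finding['rule']}'")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run on the sample data, the CFO's one-character rule is reported with all three reasons, the reception forward-all is reported once because it sends every message onward even though the target is internal, and the benign filing rule and the disabled rule are not reported. In practice the records would be pulled from the mail platform's rule export or audit log, and the same check is worth running on a schedule, not only after an incident, so that a new diversion rule is noticed within hours rather than weeks.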

Page 28

Benefits of Legal Counsel as Breach Coach

Page 29

Urgent Decisions – Initial Call with the Breach Coach

• Who is the organization’s contact person?

• Dispatch computer forensics or data restoration experts?

• What data/PI is affected?

• Has data/PI been accessed, copied or exfiltrated?

• What needs to be done to avoid/reduce business interruption losses?


Page 30

Risk Assessment

• Type of data

• Who is affected

• How many affected

• Where did the info go

• Type of loss

CONTEXT MATTERS!

• Physical harm?

• Systems functional?

• Loss of confidential info?

• Financial loss?

• Identity theft?

• Loss of business or employment?

• Reputational harm?

• Humiliation or loss of relationships?

• Public safety or health?

Page 31

Benefits of using a Breach Coach

• Claims frequency and costs drop with involvement of a Breach Coach

• Solicitor client/litigation privilege

• Coordinate response to breach – vendor list for computer forensics, PR firms

• Minimize chance of regulatory investigation or lawsuit

• Collect and preserve evidence with a view to:

– providing legal defence

– establishing due diligence

– recouping damages from third parties


Page 32

Benefits of using a Breach Coach

• Conduct legal analysis to determine:

– Jurisdiction

– Notification obligations and notice content

– Contractual obligations

• Negotiate with Privacy Commissioners

– notification and content

– investigations and audits – avoiding an Order!

– voluntary Compliance Agreements

• Coordinate with third party clients/stakeholders

• Breach Legal Counsel can become Defense Counsel

Page 33

Questions?

Page 34

DOLDEN WALLACE FOLICK LLP

Insurance Lawyers

Mouna Hanna (Associate, Toronto): [email protected]

Serena Lam (Associate, Vancouver): [email protected]