Cyber Exposures & Liability: What Agrologists & Consultants Need to Know
Conference for the Alberta Institute of Agrologists
Mouna Hanna and Serena Lam
March 27, 2019
Our Firm
Offices in:
• Vancouver
• Kelowna
• Calgary
• Toronto
Dedicated exclusively to insurance law
Overview
1. Privacy and Security in the Context of a Breach
2. Privacy Laws in Alberta
3. Types of Threats and Case Examples
4. Benefits of Legal Counsel as Breach Coach
5. Questions
Privacy and Security in the Context of a Breach

Privacy vs. Security
• Privacy concerns personal information; a privacy incident falls under Privacy Breach Coverage
• Security concerns confidential corporate information and computer systems; a security incident falls under Network Security Breach Coverage
What is a security breach?
• Undefined in law; defined in insurance
• Unauthorized access to insured’s computer systems
• Alteration or corruption of data
• Denial of access or functionality
• Theft of hardware or data
• Identity theft and phishing
Personal Information Privacy Obligations
• Intentional violation of privacy is actionable at law
• Companies require authorization to collect, use or disclose personal information
• Companies that collect and store personal information have a duty to protect it
Privacy Law in Alberta
Personal Information collected by Agrologists & Consultants
• “Personal information” (PI) is information about an identifiable individual
– eg: clients who are individuals and employee information in HR files
• Contracts with clients may require compliance with PI protection legislation
FEDERAL
• PIPEDA
• Digital Privacy Act – amends PIPEDA; its breach-reporting provisions and the accompanying Regulations came into force Nov. 1, 2018
PROVINCIAL
• Substantially similar legislation - BC, Alberta and Quebec have own Acts
• Health Acts: Ontario, Newfoundland and Labrador, New Brunswick and Nova Scotia
Personal Information Protection in the Private Sector

Privacy Breach Notice Requirements under Alberta PIPA
When?
• Mandatory where there is a “real risk of significant harm”
Why?
• Inform affected individuals
• Enable individuals to protect themselves
How?
• Direct notification – email, phone, letter
• If direct notification is not possible, indirect notification may be acceptable – newspaper, website, social media
To whom?
• Privacy Commissioner(s)
• Any individual who is at “real risk of significant harm”
• Third parties who can mitigate the risk of harm (e.g., police)
How soon?
• “Without unreasonable delay” (Alberta PIPA)
Real Risk
Depends upon:
• Sensitivity of information
• Probability information might be misused to inflict harm
• Circumstances (loss v. theft)
• Encrypted?
• Type of data
Significant Harm
• Bodily harm
• Humiliation, damage to reputation or relationships
• Employment, business, or professional loss
• Financial loss and property damage
• Risk of identity theft or damage to credit
• A low hurdle
Offences and Penalties
Fines up to $100,000 for failure to notify
Types of Threats and Case Examples

Cyber Extortion
• Ransomware (Petya, WannaCry)
• Threat to expose (Ashley Madison)
Ransomware:
• Entry/intrusion – usually by phishing email
• Intruder encrypts all data
• Unable to access/open
• Typically has a ransom note
• Currency of choice: bitcoin (a neutral facilitator; pseudonymous rather than truly untraceable, since every transaction is recorded on the public blockchain)
Ransomware at Manufacturing Plant
• Ransomware attack on Friday of long weekend
• Ransomware encrypted operations and backups
– 70 servers and 800 computers
– 30 plant locations in Canada & USA
• Some sites able to work out existing orders manually for 24-48 hours before incurring business interruption (BI) loss
• Retained specialist ransomware forensics firm – discovered double encryption (on servers and virtual machines)
• Paid ransom demand of 17 bitcoins (approx. $200,000)
• Retained PR firm to assist with internal/external messaging
• Decryption successful and able to restart operations with minimal loss & no privacy breach

Ransomware at Manufacturing Plant
Costs:
• Legal - $11,000
• No PI/no notification required
• Forensics for decryption, remediation, vulnerability assessments - $60,000
• PR firm who assisted with internal and external messaging - $9,000
• Ransom demand 17 bitcoins (approx. $200,000)
Ransomware at a Property Management Company
• Local hackers exploited weak code in the company’s website
– Accessed 100+ rental applications (sensitive PI of applicants and cosigners)
– Posted table of 170 applicants’ info on public website
– Emailed applicants and company asking for bitcoins
• Retained forensic experts to investigate and facilitate ransom payment
• Notified 170 applicants by mail/email, notified the Privacy Commissioner, and provided credit monitoring to all
• Retained PR firm to assist with notification, messaging and media statement

Ransomware at a Property Management Company
Costs:
• Legal - $31,000 – coordination with experts and RCMP, jurisdictional analysis, Privacy Commissioner negotiation
• Computer forensics experts - $30,000
• PR firm - $10,000
• Notification and call centre services - $2,000
– Some notifications handled internally
• Ransom - $20,000
Social Engineering Fraud
Tricking people into disclosing confidential information or performing acts for a fraudulent purpose
• email and telephone scams
• using information obtained through social media or purchased
Type – Explanation
Phishing – Criminals persuade victims to hand over personal details or transfer money by sending spoof emails
Spear phishing – Targeted phishing email aimed at a specific person
Vishing – Criminals persuade victims to hand over personal details or transfer money over the telephone
SMiShing – Criminals persuade victims to hand over personal details or transfer money by way of spoof SMS text messages
Phishing at a Law Firm
• Many corporate clients but some individuals
• Accounting clerk at law firm receives phishing email
• Clerk is induced to enter Outlook login credentials
• 1500 emails sent from clerk’s email to the firm’s clients containing malware
• Forensics to determine what was accessed in the clerk’s email – 36,000 items in the clerk’s inbox
– Banking info, credit cards, scanned cheques, and solicitor-client privileged information
Phishing at a Law Firm
• Forensics firm applied a surgical precision approach using bespoke software and manual review:
– All items containing credit card and banking information
– All items containing an invoice
– All items containing personal email addresses
– Manual review of all non-readable images
– Final catch-all search for items containing sensitive personal information (health, employee, birthday)
• Notification required for only 210 individuals
• Notified Privacy Commissioner only where required
Phishing at a Law Firm
Costs:
• Forensics - $62,000
• Legal - $50,000
• Credit monitoring - $1,650
• All notifications and responses to inquiries were handled in-house
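The staged search in the law firm case lends itself to a scripted first pass over the mailbox export before the manual review. The following is an added example and is not the forensics firm’s bespoke software or anything from the presentation: it runs the same categories (card numbers validated with a Luhn check, banking references, invoices, personal email addresses, non-readable images queued for manual review, and a final catch-all for health/employee/birthday terms) over a constructed mailbox export and produces the list of individuals whose items would go to notification. The sample items, the personal-domain list, the keyword lists and the field names are all assumptions made for this example.

```python
import re

# Constructed sample mailbox export; not real data. A handful of items stand in for the
# 36,000-item inbox described in the case.
SAMPLE_ITEMS = [
    {"id": 1, "from": "alice@example.com", "subject": "Payment for file 2291",
     "body": "Please charge my Visa 4111 1111 1111 1111 exp 03/21.", "attachments": []},
    {"id": 2, "from": "bob@mail.example", "subject": "Invoice #1187",
     "body": "Attached is the invoice for March.", "attachments": ["invoice_1187.pdf"]},
    {"id": 3, "from": "carol@personal-mail.example", "subject": "Cheque",
     "body": "Scanned cheque attached as requested.", "attachments": ["cheque.jpg"]},
    {"id": 4, "from": "vendor@corp.example", "subject": "Newsletter",
     "body": "Our quarterly update.", "attachments": []},
    {"id": 5, "from": "dave@example.com", "subject": "Card update",
     "body": "New card number 4111 1111 1111 1112.", "attachments": []},  # fails Luhn: not a PAN
    {"id": 6, "from": "erin@example.com", "subject": "Benefits",
     "body": "Employee health claim and birthday details enclosed.", "attachments": []},
    {"id": 7, "from": "frank@example.com", "subject": "Form",
     "body": "See attached.", "attachments": ["scan_0012.png"]},  # image only: manual review
]

# Assumed word lists and domains for the example; a real engagement tunes these to the client.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, spaces/dashes allowed
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".tif", ".tiff", ".gif")
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com", "personal-mail.example"}
BANKING_WORDS = ("cheque", "transit number", "account number", "direct deposit")
CATCH_ALL_WORDS = ("health", "employee", "birthday", "date of birth", "social insurance")
SENSITIVE = {"credit_card", "banking", "invoice", "personal_email", "catch_all"}


def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def classify(item):
    """Apply each search stage to one mailbox item and return the set of categories it hits."""
    text = " ".join([item["subject"], item["body"], *item["attachments"]])
    lowered = text.lower()
    cats = set()
    if find_pans(text):
        cats.add("credit_card")
    if any(w in lowered for w in BANKING_WORDS):
        cats.add("banking")
    if "invoice" in lowered:
        cats.add("invoice")
    addresses = EMAIL_RE.findall(text) + [item["from"]]
    if any(a.rsplit("@", 1)[1].lower() in PERSONAL_DOMAINS for a in addresses):
        cats.add("personal_email")
    if any(a.lower().endswith(IMAGE_EXT) for a in item["attachments"]):
        cats.add("manual_review")  # non-readable image: a person has to look at it
    if any(w in lowered for w in CATCH_ALL_WORDS):
        cats.add("catch_all")
    return cats


def notification_plan(items):
    """Split senders into those whose items need notification and those still awaiting review."""
    results = {item["id"]: classify(item) for item in items}
    notify, pending = set(), set()
    for item in items:
        cats = results[item["id"]]
        if cats & SENSITIVE:
            notify.add(item["from"])
        elif "manual_review" in cats:
            pending.add(item["from"])
    return {"notify": sorted(notify), "manual_review": sorted(pending - notify), "results": results}


if __name__ == "__main__":
    plan = notification_plan(SAMPLE_ITEMS)
    for item_id, cats in plan["results"].items():
        print(item_id, sorted(cats) or "-")
    print("notify:", plan["notify"])
    print("manual review pending:", plan["manual_review"])
```

The Luhn filter is what keeps the credit-card stage from flagging every long number (item 5 is dropped), and the image stage deliberately produces a separate queue rather than a verdict, which is the point of the manual-review step in the case.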
Spear Phishing at Health Centre
• Phishing attack targeted CFO
– Office 365 settings changed to divert all incoming email
– 790 emails over 3 weeks – responded to inquiries
• IT provider failed to promptly inform Health Centre
• Of 790 emails diverted, 30 had personal information (residents, employees, job applicants, directors)
• Contract with hospital – no access to database, causing BI loss
• Reported to Privacy Commissioner, notified 130 people
• Database access restored
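The diversion in the health centre case is typically set up as an inbox rule or a mailbox-level forwarding address, and both leave an administrative audit record that the IT provider could have been checking. The following added example (not part of the presentation) scans a constructed JSON-lines audit extract modelled on the Exchange admin records in the Office 365 Unified Audit Log (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs, using the New-InboxRule and Set-Mailbox parameter names) and flags forwarding or redirect changes. External destinations are rated higher when the rule also deletes or hides the message, or when DeliverToMailboxAndForward is false so the owner never sees the mail; it also computes how long the diversion stood before discovery. The organisation domain, the sample records, the addresses and the discovery time are assumptions for this example.

```python
import json
from datetime import datetime

# Assumed for the example: the organisation's own mail domain(s). Anything else is external.
ORG_DOMAINS = {"healthcentre.example"}

# Operations and parameter names to watch. The names are the cmdlet parameters that appear in
# Exchange admin audit records for inbox rules (New-/Set-InboxRule) and mailbox forwarding
# (Set-Mailbox); the record layout below is modelled on the Unified Audit Log.
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}

# Constructed sample extract (JSON lines); not a real log.
SAMPLE_AUDIT_LOG = """\
{"CreationTime": "2019-02-04T13:02:11", "Operation": "New-InboxRule", "UserId": "cfo@healthcentre.example", "ClientIP": "198.51.100.23", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "external.drop@mail.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2019-02-04T13:05:40", "Operation": "Set-Mailbox", "UserId": "cfo@healthcentre.example", "ClientIP": "198.51.100.23", "Parameters": [{"Name": "Identity", "Value": "cfo"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:external.drop@mail.example"}, {"Name": "DeliverToMailboxAndForward", "Value": "False"}]}
{"CreationTime": "2019-02-05T09:15:00", "Operation": "New-InboxRule", "UserId": "clerk@healthcentre.example", "ClientIP": "203.0.113.8", "Parameters": [{"Name": "Name", "Value": "Vendor mail"}, {"Name": "From", "Value": "vendor@corp.example"}, {"Name": "MoveToFolder", "Value": "Vendors"}]}
{"CreationTime": "2019-02-06T10:00:00", "Operation": "New-InboxRule", "UserId": "clerk@healthcentre.example", "ClientIP": "203.0.113.8", "Parameters": [{"Name": "Name", "Value": "Copy to assistant"}, {"Name": "ForwardTo", "Value": "assistant@healthcentre.example"}]}
{"CreationTime": "2019-02-07T08:30:00", "Operation": "UserLoggedIn", "UserId": "cfo@healthcentre.example", "ClientIP": "198.51.100.23"}
"""


def parameters(record):
    """Flatten the Parameters Name/Value list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def is_external(address):
    """True if the destination is outside ORG_DOMAINS (handles the 'smtp:' prefix)."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return "@" in addr and addr.rsplit("@", 1)[1] not in ORG_DOMAINS


def analyse(record):
    """Return a finding for a forwarding/redirect change, or None if the record is benign."""
    if record.get("Operation") not in WATCHED_OPS:
        return None
    p = parameters(record)
    targets = [p[k] for k in sorted(p) if k in FORWARD_PARAMS]
    if not targets:
        return None  # rule or mailbox change with no forwarding component
    external = [t for t in targets if is_external(t)]
    hiding = sorted(k for k in HIDING_PARAMS if p.get(k, "false").lower() not in ("false", ""))
    # The owner never sees the diverted mail if the copy is deleted/hidden, or if mailbox-level
    # forwarding is set without keeping a local copy.
    no_local_copy = p.get("DeliverToMailboxAndForward", "").lower() == "false"
    if external and (hiding or no_local_copy):
        severity = "high"
    elif external:
        severity = "medium"
    else:
        severity = "low"
    return {"time": record["CreationTime"], "user": record["UserId"],
            "client_ip": record.get("ClientIP"), "operation": record["Operation"],
            "targets": targets, "external": external, "hiding": hiding,
            "severity": severity}


def scan(log_text):
    """Parse a JSON-lines extract and return findings ordered by time."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = analyse(json.loads(line))
        if finding:
            findings.append(finding)
    return sorted(findings, key=lambda f: f["time"])


def dwell_days(findings, discovered_at, user=None):
    """Days from the first high-severity diversion (optionally for one user) to discovery."""
    highs = [f for f in findings
             if f["severity"] == "high" and (user is None or f["user"] == user)]
    if not highs:
        return None
    first = datetime.fromisoformat(highs[0]["time"])
    return (datetime.fromisoformat(discovered_at) - first).days


if __name__ == "__main__":
    results = scan(SAMPLE_AUDIT_LOG)
    for f in results:
        print(f["severity"].upper(), f["time"], f["user"], f["operation"], f["targets"], f["hiding"])
    print("diversion stood for", dwell_days(results, "2019-02-25T15:00:00"), "days before discovery")
```

Run daily against the audit export (or as an alert on the same events), a check like this turns the three-week gap in the case into a same-day finding; the internal forward from the clerk is kept as a low-severity entry so that reviewers still see it but are not paged for it.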
Benefits of Legal Counsel as Breach Coach
Urgent Decisions – Initial Call with the Breach Coach
• Who is the organization’s contact person?
• Dispatch computer forensics or data restoration experts?
• What data/PI is affected?
• Has data/PI been accessed, copied or exfiltrated?
• What needs to be done to avoid/reduce business interruption losses?
Risk Assessment
Factors: type of data; who is affected; how many are affected; where the information went; type of loss
CONTEXT MATTERS!
• Physical harm?
• Systems functional?
• Loss of confidential info?
• Financial loss?
• Identity theft?
• Loss of business or employment?
• Reputational harm?
• Humiliation or loss of relationships?
• Public safety or health?
Benefits of using a Breach Coach
• Claims frequency and costs drop with involvement of a Breach Coach
• Solicitor-client/litigation privilege
• Coordinate response to breach – vendor list for computer forensics, PR firms
• Minimize chance of regulatory investigation or lawsuit
• Collect and preserve evidence with a view to:
– providing legal defence
– establishing due diligence
– recouping damages from third parties
Benefits of using a Breach Coach
• Conduct legal analysis to determine:
– Jurisdiction
– Notification obligations and notice content
– Contractual obligations
• Negotiate with Privacy Commissioners
– notification and content
– investigations and audits – avoiding an Order!
– voluntary Compliance Agreements
• Coordinate with third party clients/stakeholders
• Breach Legal Counsel can become Defense Counsel
Questions?
DOLDEN WALLACE FOLICK LLP
Insurance Lawyers
Mouna Hanna (Associate, Toronto): [email protected]
Serena Lam (Associate, Vancouver): [email protected]