
BRENT J. ARNOLD Leader (Com Lit) Gowling WLG (Canada) LLP… · According to a 2018 Scalar study...

Date posted: 14-Aug-2020
Pages: 29
Preparing the Organization for a Data Breach and Aftermath
BRENT J. ARNOLD
Partner, and Technology Sub-Group Leader (Com Lit)
Gowling WLG (Canada) LLP
Transcript
Page 1:

Preparing the Organization for a Data Breach and Aftermath
BRENT J. ARNOLD
Partner, and Technology Sub-Group Leader (Com Lit)
Gowling WLG (Canada) LLP

Page 2: OVERVIEW

Topic

• How Prepared are Canadian Companies?

• Breach Preparedness Basics

• Role of the Breach Coach

• Fallout—Short Term and Long Term

• Evolving Expectations of Courts and Regulators

• Questions

Page 3: HOW PREPARED ARE CANADIAN COMPANIES?

• According to a 2017 Canadian Chamber of Commerce study:

• Only 27% of survey respondents had identified their critical assets

• Only 61% knew “how to prioritize critical assets”

• Only 35% believed they had “sufficient technology to protect critical assets”

• Only 44% were aware of and compliant with Schedule 1 of PIPEDA

• Only 44% had a compliance officer

• Only 41% were monitoring their companies’ adherence to privacy policies

Source: The Canadian Chamber of Commerce, Cyber Security in Canada: Practical Solutions to a Growing Problem (April 2017), http://www.chamber.ca/media/blog/170403-cyber-security-in-canada-practical-solutions-to-a-growing-problem/

Page 4: HOW PREPARED ARE CANADIAN COMPANIES?

• According to a 2018 Scalar study of Canadian organizations:

• Difficulty in assessing impacts means many organizations “may not understand what security solutions to deploy for the greatest return on their security investment”

• Organizations are “highly” underestimating their exposure and vulnerabilities, because their security planning does not adequately account for vulnerabilities introduced through partners and suppliers

• Security training for employees is “deficient”

• Organizations are too slow to install updates and patches

• Their response planning “lacks documentation and regular updating”

Source: Scalar, The Cyber Security Readiness of Canadian Organizations (2018), https://www.scalar.ca/en/landing/2018-scalar-security-study/

Page 5: HOW PREPARED ARE CANADIAN COMPANIES?

• According to a 2018 Scalar study of Canadian organizations:

• Only 5% of respondents are “highly confident” in their organizations’ “overall ability to prevent cyber security breaches from happening” (51% are “confident”; 38% are “neutral”)

• 11% are “highly confident” in their “ability to detect and respond to cyber security breaches once they have happened” (53% are “confident”; 31% are “neutral”)

Source: Scalar, The Cyber Security Readiness of Canadian Organizations (2018), https://www.scalar.ca/en/landing/2018-scalar-security-study/

Page 6: BREACH PREPAREDNESS BASICS

• An appropriate, responsive governance structure

• Incident response plan

• Business continuity and disaster recovery plan

• Appropriate organizational alignments

• Employee education and breach response practice

• Threat information exchange

• Insurance

Page 7: ROLE OF THE BREACH COACH

• Often put in place by the insurance company—typically a lawyer

• First phone call outside of the organization

• Assists in assessing the threat

• Brings in and co-ordinates the cavalry (all under the umbrella of privilege, if the coach is a lawyer):

1. Forensics experts to investigate and contain the breach

2. PR professionals to assist with crisis communications and protect the brand

• Advises on and assists with regulatory issues (e.g. mandatory breach reporting)

Page 8: FALLOUT—SHORT TERM

• Identify and contain the breach

• Engage external professionals as required

• Preserve the evidence

• Assess impact—type and extent of data compromised

• Crisis communications with stakeholders

Page 9: FALLOUT—LONG TERM

• Breach reporting to regulators (if required)

• Preservation and retention of breach data (e.g. per the PIPEDA Breach of Security Safeguards Regulations, which require a record of every breach of security safeguards to be kept for 24 months)

• Remediation and improvement:

1. Close the gaps

2. Assess performance of security measures—update and improve as needed

3. Assess performance of your response plan / plans—revise plans if needed; improve employee education / readiness if required

• Long-term monitoring for damage

• Anticipate and plan for litigation

Page 10: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

Avid Life (Ashley Madison)

• Avid Life Media ran adult dating websites with users in over 50 countries

• July 2015 hack by “The Impact Team”

• 36 million Ashley Madison user accounts compromised

• Class actions commenced in Canada and the U.S.

Page 11: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

Avid Life (Ashley Madison)

• Due to “the scale of the data breach, the sensitivity of the information involved, the impact on affected individuals, and the international nature of ALM’s business,”* the Office of the Australian Information Commissioner and the Office of the Privacy Commissioner of Canada conducted a joint investigation

• Published:

1. Joint Report

2. “Takeaways” document for Canadian / Australian businesses

* Source: OPC, Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner, https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2016/pipeda-2016-005/

Page 12: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

Avid Life (Ashley Madison)

• Commissioners published a standalone “Takeaways” document* that emphasizes, among other things, the necessity of:

1. A coherent and adequate governance framework

2. Proper documentation of privacy and security practices

3. Regular, documented risk assessments

4. Serious attention to data retention policies—make sure you’re not collecting more than you need and not keeping it for longer than you have to

* Source: OPC, Ashley Madison Investigation — Takeaways for all Organizations, https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/issue-specific-guidance-for-businesses/2016_005_ta/

Page 13: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

Target Derivative Action

• Target shareholders brought a derivative action in Minnesota

• A derivative action is a type of action sometimes launched in tandem with a class action for procedural reasons (less vulnerable to motions to dismiss)

• The Target case was dismissed pursuant to recommendations made by a Special Litigation Committee (“SLC”)

• The SLC’s task was to recommend to Target whether or not to pursue the plaintiffs’ action

• The SLC recommended against pursuing the action; the court dismissed it on motions based on the SLC’s recommendations

Page 14: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

Target Derivative Action

• The SLC considered several revealing factors:*

1. management’s reports to the Board’s Audit and Corporate Responsibility Committees covering Target’s data security program, including compliance efforts and assessments of Target’s data security and privacy programs;

2. the competence and engagement of Target data security management and employees pre- and post-breach;

* Source: Target Corporation: Report of the Special Litigation Committee, March 30, 2016, http://www.dandodiary.com/wp-content/uploads/sites/265/2016/07/Target-SLC-Report.pdf

Page 15: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

Target Derivative Action

• The SLC considered several revealing factors (continued):*

3. Target’s post-breach efforts to mitigate the cost and inconvenience of the breach to its customers;

4. Target’s post-breach remediation of data security vulnerabilities exposed by the breach;

5. the resignations of the CEO and CIO in the months following the breach and other personnel changes;

* Source: Target Corporation: Report of the Special Litigation Committee, March 30, 2016, http://www.dandodiary.com/wp-content/uploads/sites/265/2016/07/Target-SLC-Report.pdf

Page 16: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

Target Derivative Action

• Courts may now expect:

1. post-breach remediation of security problems, and mitigation of impacts on customers, and

2. Board-level awareness and active involvement in data security issues on an ongoing basis, including the appointment of officers specifically tasked with dealing with data security and cyber breach planning and response.

Source: Target Corporation: Report of the Special Litigation Committee, March 30, 2016, http://www.dandodiary.com/wp-content/uploads/sites/265/2016/07/Target-SLC-Report.pdf

Page 17: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII)

• Data breach compromising PII of an estimated 500,000 Home Depot customers

• The breach was an “outside job,” not due to employee error or malfeasance

• Lawsuits were commenced in the U.S. and Canada, and both moved toward settlement

• The Ontario lawsuit settled in September 2016 with the court’s approval of a negotiated settlement

Source: Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII), http://canlii.ca/t/gt65j

Page 18: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII)

• Settlement actually approved by the court:

1. $250,000 in compensation for documented losses

2. $250,000 in free credit monitoring for affected customers

(The Court estimated that the $250,000 in compensation would likely not be used up, and put the settlement’s actual value at about $400,000)

3. Only $120,000 in legal fees

4. No honoraria for the plaintiffs

• Why approved?

Source: Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII), http://canlii.ca/t/gt65j

Page 19: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII)

• Post-breach, Home Depot:

1. notified customers and apologized,

2. confirmed it had eliminated the malware,

3. offered to cancel fraudulent charges, and

4. offered free credit monitoring and ID theft insurance

Page 20: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII)

• The judge found he would have approved a discontinuance with no costs or benefits to class members, if asked, because:

“(a) Home Depot apparently did nothing wrong; (b) it responded in a responsible, prompt, generous, and exemplary fashion to the criminal acts perpetrated on it by the computer hackers; (c) Home Depot needed no behaviour management; (d) the Class Members’ likelihood of success against Home Depot both on liability and on proof of any consequent damages was in the range of negligible to remote; and (e) the risk and expense of failure in the litigation were correspondingly substantial and proximate”

Source: Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII), http://canlii.ca/t/gt65j

Page 21: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

In re the Home Depot Inc. Shareholder Derivative Litigation (N.D. Ga. Nov. 30, 2016)

• Massive breach of consumer information in 2014 affecting over 50 million payment card holders

• A class action lawsuit followed, resulting in a 2016 settlement with consumer class members for more than $19.5 million USD

• Numerous shareholder derivative actions were commenced, consolidated, and dismissed; the case settled while the appeal was pending

• Settled for up to $1.125 million USD in attorneys’ fees, plus various corporate governance reforms for the future management of cyber risk

Page 22: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

In re the Home Depot Inc. Shareholder Derivative Litigation (N.D. Ga. Nov. 30, 2016)

• Proper oversight of and transparency regarding the role of the Chief Information Security Officer, including proper documentation of the CISO’s duties and responsibilities

• Periodic “table top cyber exercises” (which, as the Memorandum explains, “are used to validate the Company’s processes and procedures, test the readiness of its response capabilities, raise organizational awareness and train its personnel, and create remediation plans for issues and problem areas”)

Source: Plaintiffs’ Unopposed Motion for Preliminary Approval of Shareholder Derivative Settlement and Memorandum of Law in Support, online: http://www.dandodiary.com/wp-content/uploads/sites/265/2017/05/home-depot-settlement.pdf, at pp. 2 and 7-8.

Page 23: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

In re the Home Depot Inc. Shareholder Derivative Litigation (N.D. Ga. Nov. 30, 2016)

• Monitoring and periodic assessment of “key indicators of compromise on computer network endpoints”

• Partnering with a dark web mining service to search for confidential information about the company

• Formation of an executive-level committee focused on data security

Source: Plaintiffs’ Unopposed Motion for Preliminary Approval of Shareholder Derivative Settlement and Memorandum of Law in Support, online: http://www.dandodiary.com/wp-content/uploads/sites/265/2017/05/home-depot-settlement.pdf, at pp. 2 and 7-8.

Page 24: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

In re the Home Depot Inc. Shareholder Derivative Litigation (N.D. Ga. Nov. 30, 2016)

• Periodic management reports on the company’s IT budget, and the percentage of that budget spent on cyber security in particular

• Formation of an Incident Response Team and an Incident Response Plan

• Retention, by the company, of its own IT, data and security experts and consultants, as the company “deems necessary”

Source: Plaintiffs’ Unopposed Motion for Preliminary Approval of Shareholder Derivative Settlement and Memorandum of Law in Support, online: http://www.dandodiary.com/wp-content/uploads/sites/265/2017/05/home-depot-settlement.pdf, at pp. 2 and 7-8.

Page 25: EVOLVING EXPECTATIONS OF COURTS AND REGULATORS

In re the Home Depot Inc. Shareholder Derivative Litigation (N.D. Ga. Nov. 30, 2016)

• Membership in “at least one Information Sharing and Analysis Center (ISAC) or Information Sharing and Analysis Organization (ISAO)”

• (Note that Canada now has its own such exchange—the Canadian Cyber Threat Exchange: https://cctx.ca/)

Source: Plaintiffs’ Unopposed Motion for Preliminary Approval of Shareholder Derivative Settlement and Memorandum of Law in Support, online: http://www.dandodiary.com/wp-content/uploads/sites/265/2017/05/home-depot-settlement.pdf, at pp. 2 and 7-8.

Page 26: CONCLUSIONS

• Canadian organizations aren’t prepared enough

• Courts understand breaches will still happen

• The range of proactive and reactive measures you should take is growing

• The quality of your preparation for and response to a breach will (to some extent) determine the extent of your liability

Page 27: QUESTIONS?

Page 28: CONTACT

Brent J. Arnold
Partner
Technology Sub-Group Leader (Com Lit)

[email protected]

+1 416 369 4662

gowlingwlg.com Gowling WLG (Canada) LLP is a member of Gowling WLG, an international law firm which consists of independent and autonomous entities providing services around the world. Our structure is explained in more detail at gowlingwlg.com/legal

Page 29: