Risks of cyber breaches stretch from employees all the way up to executive leaders
Already in 2022, big names such as Panasonic, Microsoft and the Red Cross have suffered major cyber attacks.
But any small or medium-sized organization that thinks it won’t be a target is mistaken, says Bradley Freedman, partner and national co-leader of the cybersecurity group at BLG in Vancouver.
“Believe me, that's totally wrong. I've seen all sorts of organizations — from a one-person service to professional services firms to very large organizations — suffer the consequences of a cyber or data security incident.”
In the same vein, privacy-protection legislation has also grown, as seen with the European Union’s General Data Protection Regulation (GDPR) in 2018 and more recent efforts in California and in Quebec, with its Act to modernize legislative provisions relating to the protection of personal information.
“The expectation is that the federal law and the laws of Alberta and B.C. will all be modernized to present a risk of very significant fines in the millions of dollars for organizations that don't handle personal information properly, that do not report security breaches or violate other requirements,” he says.
And it’s not just the organizations that suffer: directors and officers (D&O) also face the risk of personal liability, says Julie Himo, partner at Torys in Montreal.
“With the shift to the cloud and the numerical world, and the dramatic increase in cyber attacks, cybersecurity and data protection has become an important area of governance for all organizations.”
Encouragingly, more organizations are taking these obligations seriously, she says.
“If you go back five years ago, when cybersecurity attacks had become a phenomenon… I think, organizations were afraid of the reputation if they went out and notified individuals that their personal information had been compromised, but this stigma has really faded. Now, organizations are more confident that if they do the right thing, they are mitigating their own liability by notifying the individuals or impacted parties. So, we're seeing more and more organizations who are willing to notify and disclose incidents.”
Reducing the risks
Fortunately, there are legal protections for directors and officers that can limit their liability, such as a due diligence defence, says Himo.
“They could argue that they made reasonable decisions in the circumstances, prior to any data breach, or in the context of managing a data breach or a cybersecurity attack.”
However, they must be able to show that they were diligent in their role as directors, and make sure that the company was compliant and met its obligations under the relevant privacy legislation, she says.
Directors have a duty of care, says Freedman, and that means they must exercise reasonable judgment based on appropriate information with the proper expert advice.
“That doesn't mean their decisions have to be perfect, it doesn't mean that they have to be able to predict the future, they just have to use reasonable care,” he says. “[That] often involves making risk-based business decisions about very difficult issues. And as long as directors, in good faith, exercise reasonable care and make the best decisions they can, then they fulfill their duty and there should not be any liability.”
In 2019, the Alberta Court of Appeal confirmed that directors are potentially liable for injuries suffered on job sites.
In the U.S., directors and officers have faced penalties over the lack of a board committee to address specific risks and threats, the lack of procedures for management to report to the board on the company's compliance practices, board presentations that covered positive events but not negative reports, and no real regular discussion of the risks at board meetings, says Himo.
“Over and above the fact that the directors and executives need to make sure that they have a program, they have to update their risk management frameworks regularly to identify and manage any emerging cyber data protection risks. They need to review their response plans and hold regular tabletop exercises to practice in the event of an attack or a major data breach with all the relevant team members and decision makers.”
Cyber risk management is like any other serious risk that a corporation has to deal with, and a corporate director’s duty is to supervise management and make sure that management is properly dealing with all the serious risks, says Freedman.
“In addition, if the company is a public company — technically it's called like a reporting issuer, which means it has shares that are publicly traded — then corporate directors have to file periodic reports containing information about risk generally, and about specific incidents,” he says.
“And securities regulators have said, ‘Look, those kinds of disclosures have to include meaningful disclosures about how the public company is managing cyber risk, and if there's any other material cyber incidents.’ So… those are directors’ obligations. And that's called the obligation of continuous disclosure.”
Directors and officers also need to discuss whether additional policies and playbooks are required as cyber threats evolve, and this includes how the company will respond to a ransomware attack, says Himo.
Boards must also give adequate consideration to cyber insurance, particularly the intersection between cyber insurance and D&O liability policies, coverage limits, and whether the new regulatory penalties and fines would be covered by any such insurance, because penalties are not necessarily always covered.
Disclosure and investigation
Of course, it’s also about ensuring the public disclosure of cyber risks, she says.
“They've got to do it in a timely fashion, and that's something that I think directors have to be very mindful of.”
Investigating a cyber breach is another important step to consider, which can be time-consuming and burdensome, says Himo.
“If an investigation is triggered, then you've got to collaborate. And, as much as possible, that should lead to a result that is favourable, and eventually apply the corrective measures if possible.”
The investigation should identify the root cause of the incident, says Freedman, “which might be a technological problem, an innocent inadvertent mistake by an employee, or a malicious act by a hacker or nation state.”
“It's essential to understand the root cause in order to prevent similar incidents from occurring in the future, to the extent possible, and then also making sure that all lessons are learned.”
Employee considerations
As part of all this, corporate culture around data handling, data protection, and data record retention policies “is really a very hot topic right now,” says Himo.
“There’s got to be a corporate approach to that that is really diligent; it has to come at all levels of an organization, including at the board level. There's got to be a program to make sure that personal information and data, generally, sensitive data, is collected for the right reasons, in accordance with legislation and is kept for the right period of time.”
As many surveys have shown, employee training and education is another crucial piece of the puzzle.
“In many ways, it is one of the easiest and most beneficial things to do. Because, generally, it's a pretty low-cost thing, and the return can be significant,” says Freedman.
“An organization can have amazing technology, defensive technology, but if it's not understood and basic rules aren't followed, then it's not going to be effective. And so the training is important to create the right kind of culture, to help individuals understand what they can and shouldn't do, and to make them aware so that they can be thinking about these things when they get the strange emails or the phone calls and those sorts of things.”
Training for employees should be done on a regular basis, says Himo.
“Bring them to understand what kinds of risks are out there and make them mindful of that,” she says. “Many of these cyber attacks were facilitated by a phishing email where an employee has clicked on a link and has entered [their] credential, and then that gave way to open the door to deploying the malware and attacking the IT infrastructure — that happens on a day-to-day basis.”
In addition, employers should limit the access that employees have to personal information, says Himo.
“There should be an active management program within the organization to give access to a limited number of employees to this kind of personal information that could be compromised, used to cause harm. So really [it’s about] making sure that it's on a need-to-know basis and that access is limited. So that if you've got a rogue employee, maybe you could prevent unauthorized access.”