‘Once your secret information is out there, you could be more of a target than you were before’
For many employers struggling to endure the COVID-19 pandemic, a privacy breach is the last thing they need. But there are a number of steps that can be taken to help prevent and manage breaches, says Daniel Michaluk, partner at Borden Ladner Gervais in Toronto, speaking to Canadian HR Reporter.
Q: How should an organization prepare for a privacy breach?
A: “They should have something called an incident response plan. The idea is that everybody’s going to have a security incident at one point: it’s not a question of if, it’s a question of when. It’s clearly a best practice to have an incident response plan.
“It sets out who is accountable for the response and how and what authorities they can exercise in the heat of crisis. You’re supposed to test it often too, which basically means doing scenario-based exercises with the people who have responsibilities under the plan so they can anticipate issues and deal with them quickly. Because time is of the essence: you don’t really have a lot of time to be learning when you’re in the heat of crisis.
“Most plans will say call your incident response lawyer first. They will tell you that your IT team is OK to disconnect services from the internet if it’s a cyber attack or take other immediate containment steps.
“If it is a cyber event, for example, they’ll immediately line up an incident response vendor and it becomes the source of expertise to guide the team through the response process.
“A good response means taking ownership of the incident, being transparent and not making mistakes. That’s really what you’re striving for.”
Q: What are some ways companies can try to prevent breaches?
A: “There are two ways to do it. One of them relates to remote desktop protocol (RDP), which is a protocol for communicating between devices, but it creates great problems when you use it for communicating over the open internet. It’s one of the top two causes of cyber-intrusions at most organizations.
“The simple prescription is not to use RDP or not to communicate with it over the open internet. That’s something that is really well-known yet still gets many organizations.
“Number two is phishing. Typically [it means] getting an employee to click on something that installs malware on a local device.
“The right answer is that you need to employ what’s called defence in depth. You have all the right layers of controls in place, and you even anticipate that certain layers will fail; others will protect you if the first layers fail.
“You’ve got your user training and phishing awareness layer in place but you’ve also got up-to-date antivirus and anti-malware on all user devices because that’s the next layer. If that fails, you’ve got something called endpoint detection running on all the devices so you can pretty quickly figure out if someone’s actually gotten through to your network.
“There are layers on layers, and then you could go beyond that and implement good access control and network segmentation so that one user that’s been compromised doesn’t connect to everything else.
“It’s expensive. It takes resources and the focus of many companies is to have an IT department whose job is to keep services running to meet user demands. Threats change, technologies change and that’s a lot of work.”
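One way to turn the RDP point in the answer above into a routine check, as an added example that is not from the article or from the lawyer quoted: a Python audit over a constructed list of inbound firewall rules that flags any rule admitting TCP 3389 from a public source range, and shows each weak rule beside its hardened counterpart restricted to a private VPN or jump-host range. The rule format, the `PRIVATE_NETS` list, the `VPN_SUBNET` value and every rule in `SAMPLE_RULES` are assumptions made for this example, loosely modelled on cloud security-group rules, not data from any real environment.

```python
import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389

# Address space that is not the open internet. A source range that is not
# wholly inside one of these is treated as public. Assumed list for this example.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("::1/128"),
]


@dataclass(frozen=True)
class Rule:
    """Inbound allow rule. Assumed format, modelled loosely on cloud
    security-group rules (protocol, port range, source CIDR)."""
    name: str
    protocol: str   # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source: str     # source CIDR, e.g. "0.0.0.0/0"


def is_public_source(cidr: str) -> bool:
    """True unless the whole source range sits inside private/loopback space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(
        net.subnet_of(private)
        for private in PRIVATE_NETS
        if private.version == net.version   # subnet_of needs matching IP versions
    )


def admits_rdp(rule: Rule) -> bool:
    """True if the rule's protocol and port range cover TCP 3389,
    including catch-all rules such as 'any' on 0-65535."""
    return (rule.protocol.lower() in ("tcp", "any")
            and rule.port_from <= RDP_PORT <= rule.port_to)


def exposed_rdp_rules(rules):
    """Rules that let RDP in from the open internet: the finding to fix."""
    return [r for r in rules if admits_rdp(r) and is_public_source(r.source)]


def harden(rule: Rule, allowed_source: str) -> Rule:
    """Hardened counterpart: same rule name, but only TCP 3389 and only from a
    private range such as a VPN concentrator or jump-host subnet. Other ports a
    catch-all rule allowed need their own review; the article's other option,
    not using RDP at all, is simply deleting the rule."""
    return Rule(rule.name, "tcp", RDP_PORT, RDP_PORT, allowed_source)


# Constructed sample rule set for this example; not taken from any real environment.
SAMPLE_RULES = [
    Rule("rdp-anywhere", "tcp", 3389, 3389, "0.0.0.0/0"),          # weak
    Rule("all-ports-anywhere", "any", 0, 65535, "0.0.0.0/0"),       # weak, hides 3389
    Rule("rdp-ipv6-anywhere", "tcp", 3389, 3389, "::/0"),            # weak
    Rule("rdp-from-office", "tcp", 3389, 3389, "10.20.0.0/16"),     # acceptable
    Rule("https-anywhere", "tcp", 443, 443, "0.0.0.0/0"),           # not RDP
    Rule("rdp-from-vendor", "tcp", 3300, 3400, "203.0.113.0/24"),   # public range, still exposed
]

VPN_SUBNET = "10.20.0.0/16"   # assumed private range that remote users arrive from


def audit(rules, allowed_source=VPN_SUBNET):
    """Return (findings, fixed_rules): the exposed rules and the full rule set
    with each exposed rule replaced by its hardened counterpart."""
    findings = exposed_rdp_rules(rules)
    fixed = [harden(r, allowed_source) if r in findings else r for r in rules]
    return findings, fixed


if __name__ == "__main__":
    findings, fixed = audit(SAMPLE_RULES)
    for r in findings:
        print(f"EXPOSED  {r.name}: {r.protocol} {r.port_from}-{r.port_to} from {r.source}")
    for r in fixed:
        print(f"AFTER    {r.name}: {r.protocol} {r.port_from}-{r.port_to} from {r.source}")
    print("still exposed after hardening:", [r.name for r in exposed_rdp_rules(fixed)])
```

The catch-all rule and the IPv6 rule are the ones a quick eyeball scan for "3389" misses, which is why the check tests port ranges and both address families rather than matching literal strings. A single public /24 is still flagged because the session still crosses the public internet instead of a VPN.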
Q: What are the biggest risks in protecting privacy data?
A: “The risk to individuals is identity fraud. For employers in particular, there’s a lot of blood, sweat and tears given to consumer privacy, but in a lot of organizations the employee data is far more sensitive.
“If you’re hosting, for example, tax-related information, SIN numbers and the like on your system, it can be some of the most sensitive information in any organization that if compromised, can lead to a real risk of identity fraud.
“Medical information could be stolen because an employer has an occupational health department and it stores information on premises, and if information about one’s mental disability or another invisible disability gets out, there’s certainly the risk of embarrassment, which is a different type of risk.
“There is a legal risk of liability. If you’re storing someone’s personal information, you have a legal duty to secure it.
“Reputational risk is a big one and it links pretty quickly to the bottom line. It is a huge risk for corporations.
“[There is also the] continuing risk of insecurity: once your secret information is out there, you could be more of a target than you were before because that information can be used to perpetrate further attacks. That creates an operational cost because you probably, coming out of a security incident, should double down on your protection.”
Canadian HR Reporter has also talked to experts about five key questions on mental health claims and how much monitoring at home can legally be done by employers.