Lexpert Magazine

November/December 2018

Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.

Issue link: https://digital.carswellmedia.com/i/1045898


DATA PRIVACY

notifying victims, investigating the breach, loss of goodwill, and customer loss — the country's cost of $116 per record was second only to the US. Combined, the direct and indirect costs are $197. With the average number of records compromised when a breach occurred in Canada at 22,275, the average cost per breach computes at about $4.5 million. But even that may be an understatement: in the case of Air Canada, the company must have incurred further costs in notifying and dealing with all the remaining customers who were required to change their password.

The Ponemon study also found that 50% of Canadian breaches were caused by intruders, 25% by system errors and 25% by human error.

The most effective steps in decreasing costs, according to the study, were having an incident response team (decreased costs by $14 per record); using extensive encryption ($13.1); continuous management involvement ($9.3); training employees ($9.3); and sharing threat information ($8.7). In other words, by taking these five steps, Canadian companies could cut $54.4 from the financial damage done by breaches, a reduction of some 22% of the total direct and indirect costs of $197 per record.

RISK-MANAGEMENT ISSUE

Also studied were factors that increased costs in data breaches. The top five were third-party involvement ($13.4); extensive cloud migration ($11.9); compliance failure ($11.9); extensive use of mobile platforms ($10); and lost or stolen devices ($6.5).

So what role do lawyers play in all this? How are they relevant and what can they do to help their clients take a proactive approach in avoiding data breaches and maintaining the privacy of their customers?

"What we strive to have our clients appreciate is that data protection and breach response is an enterprise-wide risk management issue," Nishisato says. "They need to engage broadly internally and externally, which includes not just legal and technical assistance, but public relations, communications and forensic specialists."

In simple terms, law firms must provide advice on the parameters of due diligence. What the law requires here is that organizations have safeguards that are appropriate to the level of risk, something that is measured by the sensitivity of the information involved and the likelihood of attack.

"The test for compliance with the rules is one of due diligence, not absolute prevention," Bernier said.

Because cyberattacks are inevitable, counsel's role is to help their clients design and implement programs that prepare the organization for a breach, recover from the breach, and minimize the damage that flows from a breach including critical data loss, reputational damage and regulatory sanctions.

"Organizations need to put themselves in a position to respond quickly because there's not time for planning while the cyberattack is happening," said Francesca Gaudino in Baker & McKenzie LLP's Milan office.

According to Bernier, the obligation to safeguard data has three components: physical security, technical security and organizational security.

"Where the lawyers come in is on the organizational security side," she explained.

Here, a look back at the factors that increase and decrease cost is instructive. What's clear is that costs increase and decrease in proportion to the strength of internal organizational security. So, having an incident response team, management involvement, training, and communication all decrease costs. On the other hand, third-party involvement increases costs.

As it turns out, Canadian law requires that someone within the organization must be clearly responsible for compliance with privacy laws. But that's not enough. "A governance framework must ensure the
IRA NISHISATO, BORDEN LADNER GERVAIS LLP: "What we strive to have our clients appreciate is that data protection and breach response is an enterprise-wide risk management issue."
