Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.
Issue link: https://digital.carswellmedia.com/i/864045
LEXPERT MAGAZINE | SEPTEMBER 2017 61 | IN-HOUSE ADVISOR: CYBERSECURITY

includes an incident response plan and a list of who to contact if a breach occurs, can be incredibly helpful, says Charlene Ripley, EVP and General Counsel at the prominent Vancouver-based mining company Goldcorp Inc., which experienced a data breach in 2016. "You don't have the luxury of time. If we had [our team of experts] ready to go, we would have saved precious time at the outset."

Another way to establish effective preventative methods is one that might not be apparent to most organizations: the exchange of information. One of the challenges insurers and insureds face is that "there's not a ton of information-sharing yet," says Eskins.

One organization that chose a different strategy is Goldcorp. When it was breached, its response was a model of what other victims might consider employing. "We had an attacker who basically sent us four extortion emails, each from a valid internal Goldcorp email," says Ripley. "We think [the hacker] first attacked and infected our systems in 2015 and hung out and waited, which is typical, for an opportune time to attack." In a document that was posted to a public site, the hacker provided sample data and a link to a full torrent download, which measured 14.8 GB when uncompressed. The data included information such as employee performance and compensation rates, bank account details and employee passport scans.

Goldcorp's management team decided it would not negotiate with the hackers and refused to pay any ransom (Goldcorp declined to comment on whether it had cyber insurance). Soon after, a large amount of data was posted on a public website, but "we were able to get it down," says Ripley. "It took two weeks of effort, using all the experts we hired, and we basically got them excavated out of our system."

What Goldcorp did next was extremely proactive.
Motivated by the knowledge that others in the mining industry had been targeted by hackers, in June 2016, Goldcorp held a mining cybersecurity roundtable with about a hundred members of the mining industry and other related sectors in Vancouver. "It was a forum for us to share information to combat these types of crimes by sharing what you know," she says. A year later, six of Canada's 10 mining companies formed the Mining and Metals Information Sharing and Analysis Centre to further enhance the exchange of information on this rapidly evolving topic.

Divulging information on attacks that expose a company's vulnerabilities is not always appealing to many C-suite executives, but new legislation in Canada will likely force organizations to do just that. In June 2015, the federal government passed the Digital Privacy Act, which will require entities that have experienced security breaches to notify anyone whose information has been compromised. By summer 2017, some of the specifics of the legislation had yet to be ironed out. "The devil will be in the details," says Ahmad, "and we don't know yet exactly what all the requirements will be." Alberta, however, already has legislation in place governing disclosure.

It seems certain a new era in reporting breaches will come to Canada, and organizations will face hefty fines if they fail to comply. "Small and medium-sized corporate clients are often more influenced by legislative changes," says Eskins. "The large ones are typically not swayed by legislation. They tend to do what makes business sense no matter what."

With attacks a daily occurrence throughout the world, cyber insurance seems like an almost mandatory requirement for most firms and many government departments. Anyone thinking the problem might go away should heed the words of Baker & McKenzie's Dean Dolan: "We're all screwed, I think, because it's going to be a really rough few years ahead. It's going to get worse before it gets better."
CYBERSECURITY CHECK LIST

Ransomware and denial-of-service attacks are on the rise. Here's how to prepare for the inevitable

Ransomware is the fastest growing malware threat, according to a recent report by the US Federal Bureau of Investigation. "On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015." Such daunting statistics indicate the need to do as much as possible to protect against such attacks. There are many important steps that in-house counsel can take to shore up their defences, including:

"First of all, prepare a risk profile," says Vanessa Coiteux at Stikeman Elliott LLP. Doing so is important "to determine your weaknesses." In addition, the risk profile should include an incident response plan.

Utilize dedicated cybersecurity resources, says Ira Nishisato of Borden Ladner Gervais. "Threats are constantly evolving and organizations of a certain size really need dedicated cybersecurity resources and not simply someone in the IT department who has a dozen other things to worry about every day."

Establish a cybersecurity response team before an event happens, says Baker & McKenzie's Brian Hengesbaugh. "Have your forensic specialists and external counsel on board and [where applicable] call centres and credit monitoring [in place]. [The process] can also show where PR and legal, for example, might not see things the same way."

Run tabletop exercises, says Miller Thomson's Imran Ahmad. "Those meetings help identify any issues and uncertainties in your organization."

Know in advance where to obtain bitcoins, in case you decide to pay a ransom, says Marsh's Greg Eskins. "Do you have a bitcoin account? A bitcoin broker? Can we get, say, $50,000 of bitcoin in a relatively short time, usually 24 to 72 hours?"
No matter how sophisticated your defences, it just takes one employee to click on a phishing email and the hackers can get in, says Danny Schwartz of Lax O'Sullivan Lisus Gottlieb. "Employee training is critical. Make sure to include phones when protecting your systems. Now there are lots of viruses on phones."

IN HOUSE INSIGHT