Cybersecurity is the set of systems, policies and procedures that an organization has in place to address cyber risk. Cyber risk can be defined as the potential exposure to harm, loss or damage associated with online activity, use of electronic systems, and the storage of personal and confidential data electronically. Cyber risks could include, for example, organization-specific malware, manipulated hardware or firmware, use of stolen security certificates to infiltrate corporate systems, or the use of denial-of-service attacks on an organization's or a third-party service provider's networks or systems.
Cyber risks are a source of potential liability and harm to corporations and individuals alike. As a result, corporations, legislatures and governmental organizations worldwide are becoming more attuned to issues relating to cybersecurity, with the ultimate goal of mitigating or minimizing potential or actual harm caused by cyber risks.
The 2016 and 2017 global cybersecurity reports published by Pricewaterhouse Coopers ("PwC") indicate that (1) cybersecurity incidents detected by organizations are on the rise, and (2) low-tech scams, such as phishing scams, are the most frequently detected cybersecurity incidents reported by organizations. Additionally, Canadian case law and legislation are evolving in a manner that creates the potential for increased liability associated with cybersecurity incidents.
Organizations should have appropriate technological safeguards and cybersecurity policies in place to prevent and respond to cybersecurity incidents in order to mitigate or minimize cyber risk and any potential liability relating to a cybersecurity incident.
Changing Landscape – Increased Risk Exposure and Evolving Case Law
Trends in Cyber Risk
PwC's global 2016 cybersecurity report[1] found that the number of respondents who reported cybersecurity incidents relating to the exploitation of operational, embedded and consumer systems increased by 152% as compared to the previous year. This trend of an increasing frequency of cybersecurity events is expected to continue.
Cybersecurity incidents do not necessarily involve sophisticated malware used to infiltrate corporate systems. In fact, in its global 2017 cybersecurity report,[2] PwC found that phishing scams are the most frequently detected cybersecurity incidents reported by organizations. Specifically, 38% of respondents reported attempts by third parties to obtain credentials or access to their systems using phishing scams. Phishing scams involve contacting a person or organization in an attempt to have the recipient disclose confidential or personal information, such as account numbers, passwords, or credit card numbers. Scam artists have become increasingly effective at making scam emails or telephone calls appear and sound legitimate.
While various technological developments for authentication protocols, such as the use of biometrics and smartphone tokens, can curb the risks associated with phishing scams and other cyber risks, employee training and awareness relating to these risks should remain a top priority for organizations.
Developments in Canadian Case Law
Cybersecurity incidents often involve data breaches that result in organizations leaking or inadvertently disclosing personal information about their users. This can cause reputational harm to both the organization and the data subject. The media frenzy surrounding the Ashley Madison leak in 2015 is a sobering example of the reputational harm that can be caused by a cybersecurity incident. Developments in Canadian case law recognizing the harm arising from privacy breaches have resulted in increased exposure to liability for organizations associated with these types of leaks.
In the landmark decision in Jones v Tsige,[3] the Ontario Court of Appeal recognized a new tort of intrusion upon seclusion. This decision has potential implications for increased liability for organizations associated with cybersecurity breaches, even if the data subjects have suffered no pecuniary loss or damage.
In Jones, although no pecuniary loss had been suffered by the plaintiff, the court held that the defendant's actions gave rise to a civil cause of action and awarded the plaintiff $10,000 in damages. In this case, the defendant, a bank employee, had entered into a romantic relationship with the plaintiff's ex-husband. The defendant had ongoing financial disputes with the plaintiff's ex-husband that were associated with the ex-husband's child support payments to the plaintiff. Over a period of four years, the defendant accessed the plaintiff's banking records more than 174 times to confirm the amounts and timing of the child support payments by the plaintiff's ex-husband. The court held that these actions by the defendant resulted in the commission of the new tort of intrusion upon seclusion.
The potential financial liability for organizations arising from cybersecurity incidents may become significant if the incident gives rise to an issue that affects many individuals and forms the basis for a class action proceeding. In Condon v Canada,[4] for example, a lost hard drive containing personal information of approximately 583,000 individuals resulted in a class action being certified on the basis of breach of contract, intrusion upon seclusion, negligence and breach of confidence claims. Although the proceedings in Condon are ongoing in the Federal Court, if the plaintiffs are successful, the damages awarded could be significant based on the number of individuals affected, even if the plaintiffs have no pecuniary loss.
The result of these Canadian case law developments is that organizations may face significant liability associated with privacy breaches or cybersecurity incidents. While Condon was the first class action to be certified partly on the basis of intrusion upon seclusion, several other class actions have since been certified, and many more are likely in the future.
Privacy and Liability for Organizations
Organizations should be aware of their statutory obligations and potential liability under Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), as well as the various province-specific statutes governing the protection of privacy.
Although not yet in force, recent amendments to PIPEDA set out in the Digital Privacy Act provide for new record keeping requirements and data breach notification obligations. The new record keeping provisions include a requirement for organizations to keep and maintain records of every breach of security safeguards involving personal information under the organization's control. The data breach notification provisions require organizations to notify individuals in cases of privacy breaches involving the individual's personal information where it is reasonable to believe that the breach creates a real risk of significant harm to the individual, and also require organizations to report such breaches to the Office of the Privacy Commissioner of Canada.
The new amendments to PIPEDA include the potential for significant financial penalties for a failure to adhere to the new provisions. Specifically, the Digital Privacy Act amends PIPEDA to provide for a potential fine of $100,000 for organizations that contravene the new data breach notification and record keeping obligations.
The regulations that will govern the data breach notification and record keeping obligations have not yet been enacted. Consequently, the amendments to PIPEDA setting out the data breach notification and record keeping obligations have not yet been brought into force under PIPEDA (though a data breach notification obligation is currently in force under Alberta's Personal Information Protection Act in respect of personal information in the control of organizations in the province of Alberta). Nevertheless, organizations handling Canadian personal information may wish to begin considering what changes, if any, to their cybersecurity protocols and their record keeping procedures will be required in order to ensure compliance with the new requirements coming into force under PIPEDA.
Guidance for Organizations
Organizations should ensure that adequate technological safeguards are in place to protect against unauthorized access to, or accidental disclosure of, confidential or personal information. Based on recent threat surveys, it may be most effective to implement safeguards focused on ensuring that user authentication systems cannot be easily circumvented. These safeguards might include:
- using two-factor authentication password protection systems, which may use smartphone tokens or other software tokens, for accessing electronic databases and systems; and/or
- implementing adaptive authentication systems, which make use of additional data points, such as the user's pattern of login time and location, and require additional factors of authentication if a potential threat is identified.
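The adaptive authentication approach described in the second bullet can be illustrated with a small risk-scoring routine. The following is an added example written for this page, not code from the original article or from any vendor product; the login history, the signal weights, the step-up threshold and the `LoginAttempt` fields (hour of day, geolocated country, device recognition) are all constructed assumptions chosen to show how several weak signals combine into a decision to require an additional authentication factor.

```python
"""Adaptive (risk-based) authentication decision, as an illustration.

A per-user profile records the hours and countries of past successful logins.
Each new attempt is scored against that profile; a score at or above the
threshold means the user must present an additional authentication factor
(e.g. a smartphone token) before access is granted.
"""
from collections import Counter
from dataclasses import dataclass, field

# Signal weights and threshold are constructed values for this example.
WEIGHT_UNUSUAL_TIME = 2
WEIGHT_NEW_COUNTRY = 3
WEIGHT_NEW_DEVICE = 2
STEP_UP_THRESHOLD = 3
HOUR_WINDOW_MIN_SHARE = 0.10  # hour (+/- 1) must cover >= 10% of past logins


@dataclass
class LoginAttempt:
    user: str
    hour: int          # local hour of day, 0-23
    country: str       # country code from IP geolocation (assumed available)
    new_device: bool   # True if this device has never been seen for the user


@dataclass
class UserProfile:
    hours: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)

    def record(self, hour: int, country: str) -> None:
        """Add one successful login to the profile."""
        self.hours[hour] += 1
        self.countries[country] += 1

    @property
    def total(self) -> int:
        return sum(self.countries.values())


def build_profile(history) -> UserProfile:
    """Build a profile from an iterable of (hour, country) successful logins."""
    profile = UserProfile()
    for hour, country in history:
        profile.record(hour, country)
    return profile


def risk_score(profile: UserProfile, attempt: LoginAttempt):
    """Return (score, reasons) for an attempt against the user's profile."""
    if profile.total == 0:
        # No history at all: treat as high risk rather than guessing.
        return STEP_UP_THRESHOLD, ["no login history for user"]
    score, reasons = 0, []
    # Hour-of-day signal: share of past logins within +/- 1 hour of this one.
    window = sum(profile.hours[(attempt.hour + d) % 24] for d in (-1, 0, 1))
    if window / profile.total < HOUR_WINDOW_MIN_SHARE:
        score += WEIGHT_UNUSUAL_TIME
        reasons.append("unusual login time")
    # Location signal: country never seen for this user.
    if profile.countries[attempt.country] == 0:
        score += WEIGHT_NEW_COUNTRY
        reasons.append("country never seen before")
    # Device signal: unrecognised device fingerprint.
    if attempt.new_device:
        score += WEIGHT_NEW_DEVICE
        reasons.append("unrecognised device")
    return score, reasons


def decide(profile: UserProfile, attempt: LoginAttempt):
    """Return ("allow" | "step_up", score, reasons) for the attempt."""
    score, reasons = risk_score(profile, attempt)
    decision = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return decision, score, reasons


# Constructed history: ten weekday-office-hours logins from Canada.
HISTORY = [(9, "CA"), (10, "CA"), (11, "CA"), (14, "CA"), (15, "CA"),
           (16, "CA"), (9, "CA"), (10, "CA"), (11, "CA"), (14, "CA")]

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for attempt in (
        LoginAttempt("alice", 10, "CA", new_device=False),  # routine
        LoginAttempt("alice", 3, "CA", new_device=True),    # odd hour + new device
        LoginAttempt("alice", 3, "RU", new_device=True),    # everything unusual
    ):
        print(attempt, "->", decide(profile, attempt))
```

Note that no single low-weight signal forces a step-up on its own: a known device at an odd hour, or a new device during normal hours, is allowed, while the combination of the two (or any never-seen country) requires the extra factor. A user with no history is always stepped up, which is the safe default for the first login after enrolment.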
Additionally, organizations should have cybersecurity policies in place that consist of proactive and reactive policies and procedures to prevent cybersecurity incidents and respond to such incidents when they occur.
An effective cybersecurity policy will include guidance relating to:
- the intrusion-detection or other monitoring tools currently used in an organization's systems;
- methods for identifying, assessing and prioritizing cyber risks, taking into consideration the confidentiality, integrity and availability of data on an organization's systems;
- the treatments for identified and known cyber threats;
- a written incident response plan, including communication guidelines, record keeping and recovery guidelines, evidence collection strategies and priorities, and notification and information sharing policies;
- employee education or training with respect to cyber threats;
- policies for monitoring the cybersecurity and technology industries for developments relating to cyber risks;
- the frequency of testing or auditing IT systems, including the frequency of conducting threat assessments and penetration tests; and
- any insurance or contract-based measures used to minimize liability associated with cyber risks, such as requiring third-party service providers to provide cybersecurity indemnities and proof of adequate cybersecurity insurance.
Organizations should review their cybersecurity policies on a periodic basis. The parties responsible for the creation of cyber risks are continually developing and acquiring new strategies and technological means to invade data systems. Organizations must be prepared to address potential cyber risks and stay at the forefront of the cybersecurity industry to mitigate the risks and concomitant liabilities associated with potential inadvertent data loss or cybersecurity incidents.
1. PwC, “Key findings from the Global State of Information Security® Survey 2016”, online: <http://www.pwc.com/sg/en/publications/assets/pwc-global-state-of-information-security-survey-2016.pdf>.
2. PwC, “Key findings from the Global State of Information Security® Survey 2017”, online: <http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/assets/gsiss-report-cybersecurity-privacy-possibilities.pdf>.
3. Jones v Tsige, 2012 ONCA 32 [Jones].
4. Condon v Canada, 2014 FC 250, rev’d in part 2015 FCA 159 [Condon].