Sigma Khan, Windsor Law Dual JD, 2022
While cybersecurity is a consistent concern in the digital era, unique conditions resulting from the COVID-19 pandemic amplify cybersecurity challenges. With business and employment models increasingly shifting to online work in an effort to promote social distancing for health safety reasons, data from personal computers are being generated in unprecedented amounts. Not surprisingly, several webinars and other resources are being offered to support individuals, small businesses and various organizations in that regard.
In an effort to provide insight to small and medium enterprises (SMEs), CERBA hosted a webinar on May 14, 2020 in partnership with speakers from Kaspersky Canada and the law firm Gowling WLG. The webinar aimed to underscore facts regarding cyber breaches, legal issues and resources for dealing with cyber threats, as well as information about how to protect against online security risks. The aim of this blog post is to summarize the main elements to consider and the highlights of this webinar (available online here). This may be a useful starting point for SMEs and other organizations looking for an overview of some strategic best practices from a legal perspective (while this is not legal advice).
The webinar was moderated by Alexey Mikhailov (Business Development Manager IT & Security Solutions, TerraLink) and featured presentations and a discussion between Alexander Novichikhin (General Manager of Kaspersky Canada, supplier of Internet security software) and Brent J. Arnold (Partner at Gowling WLG). Presenting first, Novichikhin introduces facts and statistics regarding the intersections between cyber breaches and working from home, the modern threat landscape and industry best practices. Novichikhin begins by presenting statistics including how, due to COVID-19, the percentage of organizations regularly allowing employees to work from locations outside of the office has risen from 40% to 100%, and the percentage of employees using personal devices, including mobile phones, for work has increased from 50% to 100%. He also notes that the percentage of organizations storing sensitive customer information on employees’ mobile devices has risen from the previous 64%, with the result that a majority of organizations’ employees are able to take corporate devices and data off the corporate network.
Furthermore, Novichikhin’s presentation identifies that most cyber incidents occur due to inappropriate use of IT resources by employees, as well as the sharing of work PC login or password information. Specific to remote working, Novichikhin identifies home Wi-Fi networks as a source of ransomware, malware and corporate espionage, personal devices as a source of phishing scams, and a lack of user awareness when accessing non-work-related web content while working on work data. Novichikhin mentions that, in the context of COVID-19, phishing scams take the form of emailed letters appearing to come from the Centers for Disease Control and Prevention (a real organization in the United States) encouraging users to click on links that open a convincing but fake Microsoft Outlook login page. It is important to note that these phishing emails come from “legitimate-looking” domains such as “cdc-gov.org”, whereas the CDC’s real domain is “cdc.gov”. Additionally, malware is also being distributed in the form of fake contact tracing apps.
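To illustrate the lookalike-domain point above (cdc-gov.org imitating cdc.gov), here is an added example, not code from the webinar or from Kaspersky or Gowling WLG, that classifies sender addresses as trusted, lookalike or unknown. The trusted-domain set and the sample addresses are constructed assumptions for the demonstration.

```python
"""Flag e-mail sender domains that imitate a trusted domain.

Added, illustrative code. It goes slightly beyond the page's single
cdc-gov.org example by also catching the trusted name reused as a
subdomain of another site and single-character substitutions.
"""
import re
from difflib import SequenceMatcher

# Assumption: domains this organisation treats as legitimate senders.
TRUSTED_DOMAINS = {"cdc.gov"}


def _collapse(domain: str) -> str:
    """Remove dots and hyphens so 'cdc-gov.org' and 'cdcgov.org' compare alike."""
    return re.sub(r"[.\-]", "", domain.lower())


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one e-mail address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # A real subdomain of the trusted domain (mail.cdc.gov) is fine.
        if domain.endswith("." + good):
            return "trusted"
        # Trusted labels reused elsewhere: cdc-gov.org, cdc.gov.example.org, evil-cdc.gov
        if _collapse(good) in _collapse(domain):
            return "lookalike"
        # Near-miss spellings such as cdc.g0v: high similarity but not identical.
        ratio = SequenceMatcher(None, _collapse(good), _collapse(domain)).ratio()
        if ratio >= 0.8:
            return "lookalike"
    return "unknown"


def scan_from_headers(lines):
    """Classify each 'From:' header line; returns (address, verdict) pairs."""
    results = []
    for line in lines:
        match = re.search(r"<([^>]+)>|(\S+@\S+)", line)
        if match:
            address = match.group(1) or match.group(2)
            results.append((address, classify_sender(address)))
    return results


if __name__ == "__main__":
    # Constructed sample headers, not real mail traffic.
    sample = ["From: CDC Alerts <alerts@cdc.gov>", "From: COVID Update <info@cdc-gov.org>"]
    for address, verdict in scan_from_headers(sample):
        print(f"{address}: {verdict}")
```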
Best industry practices recommended by Kaspersky include switching on the Wi-Fi router’s firewall, keeping web browsers up to date, updating router firmware, changing default passwords, installing anti-malware software, switching on password protection, making backups and controlling the use of USB devices. Businesses are encouraged to train employees on social engineering and working remotely, and to configure correct data access rights.
Switching gears from cybersecurity facts and best practices, the second half of the webinar, presented by Arnold, focused on the legal facets of and resources for cybersecurity. Arnold’s presentation began with a legal disclaimer that the information presented was not to be mistaken for legal advice, and businesses are encouraged to contact a lawyer if subject to a data breach that requires a legal remedy. Walking through the cycle of what happens when a company’s data is breached, Arnold identifies four steps. First, the data bleeding must be stopped by identifying the nature of the breach and contacting the insurer if the business has cyber coverage, or otherwise contacting breach coaches, a lawyer, and data forensics and public relations professionals. Second, there must be further investigation to identify the source or cause of the breach, preserve evidence, establish who is affected and determine potential exposures. Third, notifications and message management must be evaluated to determine the risk of significant harm and to notify affected parties or report to privacy commissioners. Fourth and finally, remediation must be considered to look after the people affected and plug any holes in the business’s cybersecurity measures. Arnold mentions that when businesses seek legal remedies, “courts do not expect that [businesses] will never get hacked but they do expect to see that companies have reasonable steps in place and a plan of how to recover from a data breach”.
Some resources the webinar provides to help companies, especially during the COVID-19 work-from-home period, include the Canadian Centre for Cyber Security (https://cyber.gc.ca/en/) and the Canadian Cyber Threat Exchange (https://cctx.ca/). Legal information presented by Arnold consisted of two lists of insurable cyber losses for SMEs in the event of a data breach. The first list covered first-party losses, such as data breach response, cyber-extortion and online defamation. The second list enumerated third-party losses, such as customer or client losses or invasion of privacy claims. Arnold’s presentation concluded with an overview of Gowling WLG’s cybersecurity program, mentioning that cybersecurity lawyers can help with data safety coaching, regulatory advice and remediation assistance, as well as defence against regulatory or civil action.
In addition to providing an informative starting point for individuals, business owners and organizations wanting to know more about the legal implications of cybersecurity and breaches, webinars such as this one hosted by CERBA, Kaspersky and Gowling WLG also help law students like myself to better understand the type of legal services and support that may be provided regarding cybersecurity. This is particularly relevant at a time when social distancing and working-from-home initiatives are creating a larger possibility for cyber/data breaches to occur.