Increasingly, nonprofits hold large quantities of digital assets (such as donor information, grant application details, financial records, etc.). Organizations of all sizes and industries are being targeted by cyber criminals. Cyber-attacks will often devastate an organization’s operations and have significant financial, legal and reputational consequences.
In this webinar, Imran Ahmad of Miller Thomson, LLP will explain how implementing best practices from a pre-breach standpoint can go a long way to mitigate the negative consequences of a cyber-attack.
What you will learn:
- what the cyber threat landscape looks like
- how to ensure privacy of your digital assets
- steps to take in the aftermath of a cyber-attack
How your nonprofit can avoid data breaches and ensure privacy
Slide 1: How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy
Imran Ahmad
April 19, 2018
Slide 2: Imran Ahmad
• Imran Ahmad is a partner at Miller Thomson LLP and specializes in the areas of cybersecurity, technology and privacy law.
• Works closely with clients to develop and implement practical and informed strategies related to cyber threats and data breaches.
• Adjunct Professor of Cybersecurity Law at the University of Toronto.
• Author of Canada’s first legal incident preparation and response handbook, titled A Handbook to Cyber Law in Canada (published in August 2017 by LexisNexis).
Slide 3: Agenda
1. What is Cybersecurity?
2. Types of information clients have
3. Common types of cyber threats
4. Recent cyber attacks in the news
5. Legal landscape
6. Best practices before, during and after a breach
Slide 4: What is Cybersecurity?
The process of protecting information by preventing, detecting, and responding to attacks.
Source: National Institute of Standards and Technology; US Department of Homeland Security
Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.
Source: International Telecommunication Union
Cybersecurity is a state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.
Source: Oxford Dictionary
Slide 5: Types of information clients have
• Customer information
• Financial and health info is deemed to be “sensitive” under privacy laws
• Company’s confidential & proprietary information
• Intellectual property
• Internal investigations
• Business plans
• Supplier or Purchaser’s confidential & proprietary information
Source: Tales
Slide 6: Personal Information
• What is “Personal Information”?
  • Subsection 2(1) of PIPEDA provides the following definition: “information about an identifiable individual”
  • According to the OPC*, personal information includes any factual or subjective information, recorded or not, about an identifiable individual.
• Examples:
  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions; and
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)
* The Office of the Privacy Commissioner (“OPC”) is responsible for the administration of PIPEDA.
Slide 7: Common Types of Cyber Threats
• Advanced Persistent Threats (i.e., breaking into the network)
• Cybercriminals, exploits and malware
• Denial of Service attacks (“DDoS”)
• Corporate impersonation and phishing
• Employee mobility and disgruntled employees
• Lost or stolen laptops and mobile devices
• Inadequate security and systems; third party vendors
Slide 8: Types of breaches
• Classic cyber-attack: breaking into a network
• DDoS attack: directing junk traffic to a site and bringing it down
• Phishing attack: email with malware
• Whaling attack: targeting senior management + fraud
• Social engineering: targeting specific individuals based on publicly available info.
Slide 9: Some Statistics
• Cyber crime damage costs to reach $6 trillion annually by 2021.
• Cybersecurity spending to exceed $1 trillion from 2017 – 2021.
• Cyber crime will result in more than tripling the number of unfilled cybersecurity jobs, which is predicted to hit 3.5 million by 2021.
• Human attack surface to reach 4 billion people by 2020.
• Global ransomware damage costs are predicted to exceed $5 billion in 2017.
Slide 11: Areas of Risk and Sources of Attack: Main Cyber Adversaries
Source: PricewaterhouseCoopers; Jason Green, Best Practices for Data Security and Data Breach Protocol, ed. (2015).
Slide 12: Risk to Business
• Director and Officer liability
• Legal liability, including litigation
• Regulator enforcement and investigations
• Failure to meet key contract terms
• Economic harm (e.g. loss of confidential information/IP)
• Reputational harm
• Business interruption
• Physical harm
Slide 13: On the Government’s Radar
• Prime Minister mandated Minister of Public Safety: Lead a review of existing measures to protect Canadians and our critical infrastructure from cyber-threats, in collaboration with the Minister of National Defence, the Minister of Innovation, Science and Economic Development, the Minister of Infrastructure and Communities, the Minister of Public Services and Procurement, and the President of the Treasury Board.
• Public Safety launched public consultation in August 2016
Objectives:
• tighten security
• introduce new laws
• improve coordination
• economic opportunities
Slide 14: On the Government’s Radar
• Minister of Public Safety launched public consultation process in August 2016
• Consultation will feed into new legislation and national cybersecurity strategy
• Likely to mirror what is required in the US and to be consistent with G7 principles on cybersecurity
Slide 15: Legal Landscape
CANADA
• Public sector privacy laws
• PIPEDA and other provincial and sectoral privacy legislation
  • Qc/AB/BC have privacy laws that are substantially similar
• Health privacy laws
• Canadian Criminal Code
• Vital Cyber System Legislation
  • Consultation process to launch once draft legislation is released
• Quebec:
  • Civil Code (sections 35-41)
  • Act to Establish a Legal Framework for Information Technology
UNITED STATES
• Federal law
  • Cybersecurity Information Sharing Act
  • Cybersecurity Enhancement Act of 2014
  • Federal Exchange Data Breach Notification Act of 2015
  • National Cybersecurity Protection Advancement Act of 2015
• State law
  • Cybersecurity laws of New York
Slide 17: Digital Privacy Act
• Digital Privacy Act came into force on June 18, 2015 and amends PIPEDA in important ways
• Requires mandatory reporting of security breach by organizations
  • Notification to Privacy Commissioner
  • All affected individuals who may suffer “significant harm”
  • Any third party who can mitigate losses
• Requires keeping a security breach log of any data breach involving personal information
• Fines of up to $100k for failure to report breach or keep logs.
• While not currently in force, anticipated to come into effect this year*
* Draft of Breach of Security Safeguard Regulations circulated in October 2017 for public consultation.
Slide 18: Legal Landscape
EUROPE
• General Data Protection Regulation (GDPR)
  • data breaches must be reported as soon as possible and, where feasible, no later than 72 hours after discovery of a breach.
  • personal data now extends to location, IP address, RFID identifiers, as well as whole new swathes of medical data, including genetic information.
  • the “right to be forgotten” is enshrined in law, allowing people to request that search engines delete links to the data in question.
  • regulation will apply to companies headquartered outside of Europe as long as they have operations in Europe.
  • greater rigour around consent to use personal data
  • new requirements to carry out Privacy Impact Assessments (PIAs) to ensure that personal data is sufficiently protected and privacy of the individual maintained.
• Network and Information Security Directive (NISD)
  • complementary to GDPR, designed to create a focus on the protection of IT systems in European critical national infrastructure
Slide 20: Jones v. Tsige, 2012 ONCA 32
Facts
• Sandra Jones and Winnie Tsige worked at different branches of the same bank
• Over 4 years, Tsige used her workplace computer to access Jones’ personal bank accounts at least 174 times
• Jones sued for invasion of privacy
Findings
• Tort of intrusion upon seclusion recognized by the Ontario Court of Appeal
• Plaintiff awarded $20k in damages without demonstrating any pecuniary loss occurred
• Liability arises where the invasion of privacy is:
  • intentional or reckless
  • lacking legal justification
  • considered offensive to a reasonable person
Slide 21: Jane Doe 464533 v. ND, 2016 ONSC 541
Facts
• Plaintiff and defendant were in a romantic relationship and made a video of a sexual nature
• They eventually broke up and the defendant posted the video online
• Plaintiff could not sleep or focus on school and eventually checked into a crisis centre
• Plaintiff sued for disclosure of private facts
Findings
• Court recognized the tort of public disclosure
• Court found that:
  • the defendant made public an aspect of the plaintiff’s private life;
  • a reasonable person would find the act of publication to be highly offensive; and
  • there was no legitimate public concern justifying publication of the matter
• Plaintiff awarded $100K due to the uniqueness of the case
Slide 22: Claims evolving...Courts listening
• We are also seeing claims arising from:
  • Breach of contract
  • Negligence
  • Breach of confidence
  • Breach of fiduciary duty
  • Breach of trust on the part of the holder of the data
• Claims have also been advanced under the tort of conversion and breach of bailment law
• If a data breach was the result of an employee’s wrongful act, the plaintiff may be able to hold the employer organization vicariously liable
• Key takeaways
  • Constant evolution
  • Litigation bar is advancing creative claims
  • Courts are listening
  • However, Courts recognize that the standard is not perfection but one of reasonableness
  • Accordingly, Courts will look at what steps the organization took to mitigate the risks before a breach occurs
Slide 23: Governance
Source: NIST - National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014.
Slide 24: Best Practices Pre-Attack
Know where you stand
• Application whitelisting
• Assess risk profile
• Identify “Crown Jewels”
Build a Cyber Monitoring Team
• Bring together the right people (IT, HR, Legal)
• Have a clear mandate
Audit & Test Security
• Assess effectiveness of current security
• Consider whether to hire experts
Educate and Train Staff
• Cyber hygiene
• Develop and disseminate cyber policies
• Refresh training
Supply Chain Risk
• Ensure your vendors have the necessary security protocols in place
• Consider including language that requires them to tell you about a breach
• Consider indemnification clauses
Cyber Incident Plan
• Plan should map out what to do in case of an attack
• Key considerations: public relations, legal, internal communication, etc.
Cyber Insurance
• Not a perfect solution
• Assess whether this is something that makes sense for the business
• Make sure you have the right coverage
M&A Cyber Due Diligence
• Target may not know that it has been compromised
• Requires forensic analysis
• Feeds into negotiations (reps/warranties/indemnities etc.)
Slide 25: Best Practices – During / Post-Breach
Activate the Response Team
• Team should diligently record all steps taken
• Include external legal counsel for privilege reasons
Containment & Assessment
• Block unauthorized access to the network
• Implement steps to recover and/or restore lost information/data
• Address weaknesses of the network
Preservation of Evidence
• Consider transferring information/data to sanitized systems
• Establish a clear chain of custody of data
Notification
• Consider whether to notify individuals whose information has been compromised
• Notification requirements to regulators/privacy agency
Communication
• Consider retaining a public relations firm for external messaging
• Determine what information needs to be communicated to whom internally