Across the world, the number of cybersecurity incidents continues to grow at an alarming pace. The potential impact for businesses goes well beyond the reputational harm associated with privacy breaches commonly reported on by the press. Cyber attacks can result in financial loss, operational disruption, contractual disputes, and the threat of regulatory intervention. Familiarizing oneself with the types of cybersecurity threats organizations commonly face is a key factor in being prepared for a cybersecurity incident.
Unfortunately, there are few reliable and consistent Canada-specific statistics on cybersecurity incidents. This article aims to assist readers who are trying to navigate these issues by identifying key trends emerging in the Canadian market.
Targeted industries and best practices
Attackers continue to target industries that have access to large amounts of personal or sensitive data, such as finance, health and professional services. These industries are highly regulated, and a major cybersecurity incident can trigger significant reporting obligations to affected individuals and regulatory bodies, not to mention class proceedings. Critical infrastructure is generally considered to be at higher risk since an attack of this nature could lead to a widespread shutdown of vital operations. It is also expected that fintech, mobile banking, and e-commerce will face increasingly frequent and intense attacks.
Additionally, organizations that are not currently highly regulated by data protection legislation, such as non-profit organizations and charities, are increasingly targeted given their reliance on sensitive personal information for fundraising efforts. Non-profits often rely on electronic service providers for cloud storage, financial transactions, analytics, and other solutions. If these service providers experience a cybersecurity incident, the downstream effects, especially with respect to reputational risk and business disruption, can be devastating for under-resourced non-profits.
These risks point to the value of good cybersecurity insurance as an emerging best practice that transcends industry. In a recent survey by Blake, Cassels & Graydon LLP, just over 10% of publicly listed companies indicated that they have standalone cyber insurance in place. Cyber insurance is not only important for the organization itself, but also for its third-party vendors. Organizations should consider whether to require third-party providers to purchase sufficient levels of cyber liability insurance based on the type of service provided and data involved. Many insurance policies limit or exclude cyber risk coverage, so it is prudent to speak with a broker to ensure coverage is in place in the event of a data breach.
Continuing threat of ransomware and business email compromise
Ransomware and business email compromise continue to be the leading cybersecurity threats to organizations. The ongoing challenge with cyber incidents is that the technology and techniques employed by cyber criminals continue to evolve. Regardless of ongoing efforts to be proactive and prevent or minimize cyber incidents, the stark reality is that cyber criminals continue to innovate.
In the last year, according to Microsoft, there was a 70 per cent increase in phishing as a means of harvesting user credentials. Obtaining these credentials allows attackers to gain access to and compromise networks, resulting in data breaches, identity theft and ransomware attacks. Attackers continue to draw from public sources, such as business profile pages, social media pages and others, to build profiles that appear legitimate, which increases the likelihood victims will be deceived. Also, while there has been little change in the overall volume of malware, there is evidence that adversaries are using worldwide attention on COVID-19 to socially engineer lures around our collective anxiety and the flood of information associated with the pandemic.
These continuing risks underscore the value of strong and consistent employee training. Helping staff identify common phishing methods and encouraging the use of two-factor authentication are low cost, high reward options for businesses.
Increased risk of litigation
Though slow moving, cyber-related litigation is ramping up. Since 2012, there have been several privacy class actions certified in Canada, particularly in Ontario, British Columbia, Alberta and Quebec. Between 2017 and 2019, at least three class proceedings arising out of cybersecurity incidents were certified.¹ Additionally, class actions involving theft or unauthorized use of data by employees were also certified in Grossman v. Nissan Canada and Stewart v. Demme. However, in that same period, courts refused to certify four proposed class actions arising out of cybersecurity incidents.² These denials of certification suggest that courts are increasingly willing to scrutinize plaintiffs’ claims to assess whether they are viable. It is expected that claims against both organizations and their representatives, potentially including directors and officers, will continue to increase.
Businesses can mitigate losses from cyberattacks through cyber insurance, contractual language around cybersecurity obligations, and indemnification clauses. A prompt and effective response to a cybersecurity incident can preserve reputation and goodwill. It may also mitigate litigation risk, including by preventing losses to affected individuals. Judges have commented favourably on the quality of a defendant’s response to a cybersecurity incident both in decisions declining to certify a proposed class proceeding and in decisions approving early settlements.
Developing regulatory frameworks
Federal and provincial privacy commissioners are taking an increasingly active role in investigating cybersecurity incidents. Additionally, legislators across Canada and the rest of the world are attempting to modernize legislation to keep up with these advances. The European Union bolstered its privacy laws in 2018, enacting the General Data Protection Regulation (GDPR). Legislatures in other jurisdictions followed, including in California, Japan, Korea and Brazil. In Canada, the federal government and several provincial governments have signalled their intention to modernize their privacy legislation.
In February 2020, the B.C. government began its statutory review of the Personal Information Protection Act. In connection with that review, the Office of the Information and Privacy Commissioner for British Columbia, along with other stakeholders, has put forth recommendations for reform of that statute which include mandatory reporting requirements in the event of a cybersecurity breach.
In June 2020, the Quebec National Assembly tabled Bill 64 to modernize its privacy legislation. If Bill 64 is enacted as currently drafted, it would create a private-sector privacy statute in that province that is substantially similar to the GDPR.
In August 2020, the Ontario government launched a consultation on privacy law reform, with a view to implementing a provincial act regulating privacy in the private sector (and possibly other sectors like non-profits and charities). Currently Ontario only has privacy laws that regulate the public and health sectors, though private-sector organizations in Ontario remain subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).
In November 2020, the federal government introduced the Digital Charter Implementation Act, 2020, which would overhaul the federal government’s approach to regulating privacy in the private sector by repealing the parts of the PIPEDA that regulate the processing of personal information and enacting a new Consumer Privacy Protection Act. This new Act would, among other things, obligate service providers to notify the organization that controls the personal information it uses about a breach of security safeguards as soon “as feasible.”
Although each government’s proposed intervention is different, common themes among these efforts include a commitment to mandatory breach reporting requirements, increased enforcement powers, new obligations for third-party service providers, meaningful consent requirements, and new rights for individuals to access, correct and delete personal information about them held by data custodians. Additionally, there is an increased emphasis on privacy commissioner oversight over data handling standards and practices. Given these anticipated changes, Canadian organizations should be prepared to spend 2021 reviewing new regulatory requirements and updating their cybersecurity incident response plans accordingly.
Imran Ahmad is a Partner at Blake, Cassels & Graydon LLP; Ellie Marshall is an Associate at Blake, Cassels & Graydon LLP; John Lenz is an Articling Student at Blake, Cassels & Graydon LLP; Natalie LaMarche is an Articling Student at Blake, Cassels & Graydon LLP; Haley Puah is an Articling Student at Blake, Cassels & Graydon LLP.
End Notes
1 Agnew-Americano v Equifax Canada Co, 2019 ONSC 7110; Tucci v Peoples Trust Company, 2017 BCSC 1525 (certification upheld in Tucci v. Peoples Trust Co., 2020 BCCA 246); Levy v. Nissan Canada Inc., 2019 QCCS 3957.
2 Kaplan v. Casino Rama, 2019 ONSC 2025; Broutzas v. Rouge Valley Health System, 2018 ONSC 6315; Bourbonnière c. Yahoo! Inc., 2019 QCCS 2624; Li c. Equifax Inc., 2019 QCCS 4340.