Allocating Risk and Preparing For a Data Breach

  • January 21, 2019
  • Shan Alavi

Overview

The high cost of data breaches and the heavy legal burden imposed on organizations necessitate the use of a comprehensive legal strategy, which includes:

  1. using traditional legal risk allocation strategies like proper contract drafting, and cyber-risk insurance to allocate legal risk between various parties to reduce liability,
  2. the implementation of an established cyber-security framework, and
  3. utilizing privacy-by-design concepts to create or alter existing organizational processes.

The High Costs of a Data Breach

Canada is not immune to the realities and the costly nature of cyber-security incidents. For example, incidents like the 2015 Ashley Madison security breach highlight that Canadian businesses and government institutions are vulnerable. In July 2015, a hacker group (The Impact Team) gained access to the user data of Ashley Madison, a website that helped enable extramarital affairs. This resulted in personal information stored on the website becoming compromised. The Impact Team threatened Avid Life Media that it would release personally identifying information if Ashley Madison was not immediately shut down. On August 18, 2015, between 30 and 40 million Ashley Madison user profiles were publicly released by the hacker group.1

With over 30 million records exposed from the dating site, a $578 million class-action suit filed against parent Avid Life Media, and the CEO resigning after his emails were published, the attack is easily one of the largest reported in Canadian history.2

These kinds of attacks are no longer isolated incidents. Unfortunately, few organizations (i.e. profit corporations and profit entities) are prepared for such attacks. A study conducted by the Ponemon Institute stated that 68% of companies do not believe their organizations have the ability to remain resilient in the wake of a cyberattack.3 Therefore, every organization must take steps to combat the inevitability of such attacks through a thorough and structured approach. According to a Canada-specific study in which 24 companies participated, the average cost of a data breach in 2015 was $6.03 million.4 The average cost per lost or stolen record was $278. The average total cost of a data breach increased by 12.5% from the previous year and the cost per lost or stolen record increased by 10.6% over the previous year. These numbers highlight a significant concern: the cost of a data breach is substantial and increasing year over year. Therefore, implementing strategies to reduce the number of data breaches can have an enormous impact on the profitability of an organization. A study of the costs of data breaches revealed the following seven trends:5

  1. The general costs of data breaches are permanent costs and organizations need to be prepared to deal with them and incorporate them into their data protection strategies.
  2. The largest financial consequence to organizations that experience a breach is lost business due to damage to reputation or system downtime.
  3. Most data breaches continue to be caused by criminal and malicious acts.
  4. Organizations have recognized that the longer it takes to detect and contain a data breach, the costlier it will be to resolve.
  5. Industries that are highly regulated such as healthcare and financial services have the costliest data breaches because of fines and the higher than average rate of lost business and customers.
  6. Data governance programs will reduce the cost of a data breach, including initiatives like incident response plans, appointment of a CISO (chief information security officer), employee training and awareness, and a business continuity management strategy, which would all result in cost savings.
  7. And, of course, investments in data loss prevention controls and activities such as encryption and endpoint security solutions are important in preventing data breaches.6

In other words, the cost of data breaches will not go away and a permanent and structured approach is required to deal with these incidents. Ultimately, organizations must incorporate these costs into their data protection strategies and seek out the relevant expertise.

A loss of business can take on many forms. Primarily, organizations need to take steps to retain customers after a perceived breach of trust in order to reduce the long-term financial impact of an adverse event. Criminal and malicious attacks take a great deal of time to detect and contain. Incidents of this type have the highest cost per record.7 Much of the cost of a data breach will depend on the level of responsibility of the parties involved.

Legal Burden

The Vigilante article highlights many of the concerns with the admissibility of evidence obtained through a data breach.8

As per the Wray case,9 the Supreme Court of Canada ruled that relevant evidence, no matter how it is obtained, is presumptively admissible. This would naturally make evidence obtained illegally through a data breach presumptively admissible, subject to the common law discretion of a trier of fact to exclude evidence as per Wray. Thus, unfortunately, organizations cannot strictly rely on the courts to disallow the admission of “stolen” digital evidence.

In Osiris Inc. v. 1444707 Ontario Ltd.10 (Osiris), an employee of the defendant accessed his employer’s data server and took more than 2,000 documents in an effort to protect himself after refusing to participate in unethical conduct with his employer. The employee then provided another plaintiff of a civil suit commenced against the same employer with 31 of the documents that were relevant to the litigation and would be damaging to the defendants. The court allowed the plaintiffs to use the stolen records.

Further, in Autosurvey Inc. v. Prevost11 (Autosurvey), the plaintiff employer accessed the defendant employee’s private server and copied the contents of the database to preserve potential evidence, including the private communications exchanged between the defendant and his solicitor. The court did not admit the stolen evidence and stayed the proceeding entirely, negatively commenting on the plaintiff’s “brute force entry” into the defendant’s computer server. The resulting decision created an interesting compromise in Canadian jurisprudence. Canadian courts are likely to allow the use of illegally obtained digital evidence; however, the acceptability of this evidence depends on whether: 1) the plaintiff took it upon themselves to deliberately breach the defendant’s information systems; 2) the plaintiff received the information in some kind of indirect manner; and 3) the breach was so egregious in nature that admission of the evidence obtained would lead to an unjust result. It is worth noting that nearly all the blanket prohibitions on using or disclosing “stolen” data arise in the criminal context in connection with data improperly obtained by the police and the protection of Charter rights.12 There is room for the jurisprudence to evolve in the civil area, but no organization, of course, wishes to be the test case. The avoidance of negative reputational impact and substantial costs of litigation should be of paramount importance in these circumstances.

Also, it is abundantly clear that organizations will bear the brunt of the legal responsibility for ensuring that private information is protected from would-be hackers. On August 20, 2015, Charney Lawyers and Sutts, Strosberg LLP launched a class action lawsuit against the owners and operators of AshleyMadison.com. The plaintiffs sought $760 million in damages.13 A report published after a joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner (Report) revealed that although Ashley Madison had a range of personal information security protections in place, it did not have an acceptable overarching information security framework. Certain security safeguards in some areas were insufficient or absent at the time of the data breach.14 The finding also notes that: “Ashley Madison is a website designed for people who are seeking to engage in an affair, an activity where discretion is expected and paramount.” It is probable that Ashley Madison’s plaintiffs would rely on the argument that they were owed a high standard of care as privacy was central to Ashley Madison’s business offering. Essentially the plaintiffs would not have utilized this service if their anonymity could be easily compromised. Not surprisingly, Ashley Madison’s terms of service did “warn users that security or privacy information could not be guaranteed, and if they accessed or transmitted any content through the use of the Ashley Madison service, they did so at their own discretion and at their sole risk”. The Report considered the nature of the personal information collected and indicated that security safeguards should have been high in accordance with PIPEDA Principle 4.7 (Safeguards). Specifically, representations through trust-marks (icons placed on a website endorsing its security) about the high level of privacy protection contradict the premise of the terms of service.
On one hand, a user is told that security of their personal data is not guaranteed, and on the other hand, the same user is assured of Ashley Madison’s high level of privacy and security.15 It is clear (as Ashley Madison has illustrated) that an organization can be held responsible for its inability to prevent a breach. Simply relying on a terms of service agreement to protect your organization from liability is not a prudent strategy. An organization must show an adequate good faith effort to safeguard a client’s personal information and this must be consistently applied. This puts a tremendous responsibility on organizations to have a proper cybersecurity framework, preparedness, and response strategy in order to illustrate that all reasonable steps were taken to protect their customers’ personal information.