As cyber criminals step up their game, it’s increasingly a matter of when, and not if, businesses will be faced with a data breach.
Blakes is constantly innovating to ensure clients fulfil their legal obligations and protect their reputations in the most efficient and cost-effective way possible. This gives us an advantage in customizing our solutions when a document-review product designed for litigation comes up short on cyber files.
Challenge
From the moment a breach occurs, the clock begins ticking. Companies must act immediately on their duty to report disclosures of personally identifiable information to privacy commissioners and affected individuals — often across provincial and international borders.
Unfortunately, notifiable individuals and their personal information are tiny needles in the vast haystack of potentially compromised documents and data turned over by forensic auditors following a cyberattack.
Solution
Our holistic approach to incident response brings order to the chaos of a cyberattack’s immediate aftermath. In turn, our alternative service delivery model maximizes efficiency and secrecy by reducing the need for third-party involvement.
From the outset, a breach counsel such as Blakes Partner Catherine Beagan Flood coordinates a multidisciplinary team of lawyers based on the unique technological, geographic and legal needs of our clients. This ensures we draw on national talent from the Firm’s Cybersecurity group to guide clients through the crisis.
The breach counsel is also responsible for external advisers involved in the matter. They deploy expert negotiators to handle ransom demands from cyber criminals and integrate input from providers of forensic, public-relations and other services into our legal advice.
Meanwhile, cyber experts within inSource, our fully integrated in-house alternative service delivery provider, get straight to work on an initial assessment of the compromised dataset. This allows them to swiftly gauge the magnitude and scope of the breach.
The inSource team uses a document-review product with machine learning and advanced analytics capabilities to identify impacted files. Our lawyers are then able to home in on documents most likely to contain personal information that may create a real risk of significant harm if disclosed, such as social insurance numbers and other government-issued identification.
To facilitate the deeper dive, we built our own solution, allowing users to tag documents containing personal information. Each piece of sensitive data can also be permanently linked to the names of individuals who may need to be notified.
Results
Our solution automatically generates a user-friendly report showing clients precisely what information was found relating to identifiable individuals and what must be disclosed to the appropriate privacy commissioners. For example, Blakes worked with U.S. counsel on a recent case to quickly identify around 900 Canadians whose personal information may have been compromised in a multinational breach involving around 800,000 documents.
If a cyberattack later results in class-action litigation or a privacy commissioner investigation, the Firm’s direct involvement in the breach assessment leaves our lawyers perfectly placed to respond on a client’s behalf. This is because we will have intimate knowledge of the facts of the case and the documents at issue.
Lessons from each data breach file are also leveraged to boost our cyberattack preparation offering to clients. For example, our analysis of breached data informs data-mapping and information security policies and employee training.