- Significant changes to cybersecurity in 2024 (00:47)
- What’s new with ransom payments (02:28)
- Developments in mandatory breach reporting (03:52)
- How companies guard against cyber threats (05:25)
- New trends in cybersecurity litigation (06:56)
- The state of legal privilege after the LifeLabs case (08:28)
- AI’s negative impact on cybersecurity (09:50)
- The positive side of AI and cybersecurity (11:38)
Transcript
Teona: Hi, I’m Teona Climie, and welcome to this episode of the Blakes Sound Business podcast.
Today, we’ll be exploring the ever-evolving landscape of cybersecurity — from the increasingly targeted small and mid-size businesses to regulatory developments, advancements in cybersecurity litigation and the use of artificial intelligence in cybercrimes, we have a lot to cover.
Joining us to discuss these topics are Blakes lawyers Sunny Handa, Liliane Langevin, Christopher DiMatteo and Cathy Beagan Flood from our Cybersecurity group.
Let’s get started.
[music]
Teona: Sunny, we’re in our fifth year of the Blakes Canadian Cybersecurity Trends Study. Can you share some of the more significant changes you’ve seen in 2020?
Sunny: Sure. So, a couple of notable points. The first thing I would say is that we’re seeing more small companies, more mid-size companies get hit. And I think that larger companies have woken up to the risk of cyberattacks, and they have empowered their organizations to prepare against those attacks. With smaller to mid-size companies, that awareness also has to be backed up with budgetary spend, and that can be a little more challenging with a smaller company. And the threat actors have a fishing trawler mentality. They put the net in the water and then they trawl. And so, it’s harder now to scoop up the larger organizations, easier to scoop up the small to mid-size organizations, which is why we’re seeing more successful attacks happen at that level.
Other things that we’ve noticed are legislators, regulators and industry associations have all, again, woken up to cyberattacks. They are imposing guidelines or, in some cases, requirements and obligations on companies that are governed either by the laws, the regulations or are a member of an industry association.
And the final point that I would say that we’ve started to see is, as more companies are experiencing cyberattacks during a sale process to another company or another organization, they’re having to reveal that they were hit with a cyberattack, and that sometimes causes a bit of issue in the deal itself. So, I think those are some of the changes that we’ve noticed over the past year.
Teona: Is anything different in terms of ransom payments?
Sunny: So, ransom payments still continue. You know, the big question I often get is how often does somebody pay. And those numbers, at least from a statistical point of view, haven’t changed that much. It still tends to sit around the 50% mark. It’s been dropping a little bit, but the number of folks who pay when ransomed is still, you know, plus or minus 50%. I think where the change has happened is in the quantum. Because smaller to mid-size organizations are being hit more often successfully, the quantum being, sort of, ransomed of them is lower, whereas several years ago, we were seeing big ransoms, frequently: US$10-million, US$15-million, US$35-million.
We’re now starting to see much smaller ransoms being asked because the companies simply don’t have the wherewithal to pay the larger ones, and the threat actors tend to ransom companies based on a percentage of their revenues. Often, a threat actor doesn’t have accurate information, but they use whatever they can, so they’ll go to ZoomInfo or some other website where they purport to have accurate information. They’ll take a percentage of that, and that’ll be the ransom charge.
So, those numbers, I think, have dropped, but the amount of folks that pay still seems to be always at around 50%.
Teona: Liliane, I understand there have been new developments in mandatory breach reporting. Can you provide us with some insight, including other regulatory updates, if any?
Liliane: In the last few years, breach reporting requirements in privacy legislation governing both the public and private sectors have become more common. Alongside this expansion in the privacy context, new industry-specific obligations and standards related to data protection and cyber-preparedness are developing. This is particularly apparent in the financial services sector. Financial regulators, such as the Office of the Superintendent of Financial Institutions, require reports within 24 hours and regular updates. Similarly, dealers have to submit an initial report to the Canadian Investment Regulatory Organization within three days of the incident and a final report within 30 days.
Additionally, companies should be aware that the new Retail Payment Activities Act will require registered payment service providers to report incidents with a material impact to the Bank of Canada without delay. Recent guidelines have clarified that “without delay” means no later than 24 hours. This law will also impose an obligation on PSPs [payment service providers] to establish a risk management and incident response framework with detailed requirements for a PSP’s incident response plan set out in regulation. These requirements will come into force in September 2025.
This heightened supervisory role of regulators in the financial sector, such as the Bank of Canada, and expanded reporting requirements demonstrate the importance of cybersecurity for the stability of the financial system.
Teona: What measures are companies putting in place to protect themselves against cyber threats?
Liliane: At this point, most companies have technical safeguards in place to enhance their protection against cyber threats. However, companies need a broader scope of policies and procedures to enhance their cybersecurity posture. I’ll highlight three key measures we’ve observed in the last year.
First, companies are developing incident response plans to ensure they have a procedure in place for cybersecurity incidents. It’s important that these plans don’t only focus on the technical elements of incident response but also consider a broader scope of risk. For example, a comprehensive communication strategy for incident response is critical to mitigating reputational and legal risk. We also recommend putting in place measures early in an incident response process to protect legal privilege and training staff on appropriate retention procedures. Issues like a limited understanding of cybersecurity or board conflicts of interest can create roadblocks during an incident response process where time is limited.
Second, it is important that companies practise their incident response process. This is typically done through guided tabletop simulations to realistically assess their incident readiness, identify areas for improvement and break down communication silos.
Finally, we recommend that all agreements with third-party vendors have explicit breach notification obligations and data protection requirements related to encryption and document retention.
The breadth of these measures demonstrates that an enterprise-wide approach to cybersecurity is necessary to respond to the sophisticated nature of cyberattacks.
Teona: Chris, over to you. Are there any new trends in cybersecurity litigation?
Chris: As in previous years, plaintiffs are continuing to struggle with certifying privacy class actions, and we’re expecting that trend to continue as courts continue to clarify and narrow the scope of intrusion on seclusion, a privacy tort that plaintiffs tend to rely on.
So, Ontario courts have said that a company that suffers a data breach can’t be liable for the tort of intrusion on seclusion. The victim of a data breach just isn’t an intruder, and so, the tort just doesn’t fit that scenario. A company that suffers a data breach can be liable on other grounds, though. And so, in response to these developments about the scope of intrusion on seclusion, we see plaintiffs shifting their focus to, instead, make claims based on negligence, contract or breaches of fiduciary duty.
Courts are taking a different approach in B.C. B.C. courts haven’t yet recognized the tort of intrusion on seclusion, but B.C. does have a statutory tort for breach of privacy. And B.C. courts have left open the door to claims against companies that are the victims of a data breach, including under their statutory tort, even if there’s no intentional wrongdoing by the company.
In another B.C. decision this year, the court left open the question about whether the tort of intrusion upon seclusion also exists in B.C., in addition to the statutory tort. So, privacy law in B.C. is continuing to evolve.
Aside from data breach cases, we continue to see other types of privacy-based claims, including class actions in Ontario and across the country. So, for example, claims about the unauthorized collection or use of data are unaffected by these developments in data breach law. And these types of claims continue to be advanced and made across the country.
Teona: What about legal privilege? Have there been any changes following the decision in the LifeLabs case against Ontario’s Information and Privacy Commissioner? [LifeLabs LP v. Information and Privacy Commissioner of Ontario (IPC)]
Chris: Yeah, maintaining privilege over cyber-incident response is always a very significant concern for clients. Ultimately, I don’t think LifeLabs changed anything, but it’s a good reminder about what solicitor-client and litigation privilege do and don’t cover.
In the LifeLabs case, the company claimed privilege over different categories of information about its incident response, and the court ultimately rejected the privilege claim. So, the company claimed privilege over things like the lines of code that the cyberattackers used to get into the system, or their emails with the hacker in ransom negotiations, and their IT policies and information they got in an interview with an employee about data security measures. And the problem with the privilege claim is that the company was trying to claim privilege over facts that were available from non-privileged sources and which were then referred to in privileged reports. And in that scenario, what the court said is that, well, the facts themselves, of course, aren’t privileged. The expert report that discusses those facts or the counsel communication that discusses those facts might be privileged, or it is privileged, but the facts themselves are not.
So, ultimately, I don’t think LifeLabs says anything new, but it’s a useful reminder about how far privilege goes, and it’s a reminder that facts don’t become privileged just because they’re included in a privileged report or communication.
Teona: And finally, the topic everyone’s talking about — artificial intelligence. AI is no doubt having a negative impact on cybersecurity. Cathy, can you tell us more about what that means for organizations?
Cathy: Thanks, Teona. Unfortunately, the same AI tools that are increasing productivity for all of our clients are also increasing productivity for the cybercriminals. And, in particular, AI is making it easier for the cybercriminals to be convincing in persuading individuals to give them access to systems or in defrauding people.
It used to be the case that many phishing emails were obvious because they didn’t use the language or the tone that you would expect from the company or the individual who the cybercriminals were impersonating. Increasingly, that’s no longer the case. Instead, cybercriminals are using AI systems like ChatGPT to draft text that seems authentic, is more difficult to detect and is much more likely to fool the recipient into thinking that they’re dealing with the legitimate company or the legitimate individual that is asking them to click a link or to open an attachment that then gives the hackers access to their systems.
In addition, we are also seeing the use of deepfake technology for purposes of cybercrimes. One frightening, cautionary tale is the recent case of a Hong Kong multinational company that was fooled into sending a threat actor US$25-million. An employee in the finance department received instructions over several video conferences with a person he believed to be his company’s chief financial officer. In fact, the video calls were deepfake creations that were with the criminal and not with the CFO, but they were so persuasive that the employee believed that he was talking to his CFO and made the payment.
Teona: What’s the positive side of AI and cybersecurity?
Cathy: So, fortunately, the good guys also have access to new AI tools and, in particular, AI assists cybersecurity companies in being able to monitor the very high number of alerts that are received by companies as intruders attempt to access their systems.
Anyone who is in an information security role will know that the number of alerts can sometimes be overwhelming. And one of the great advantages of AI is that it’s able to monitor those alerts and systems for unusual behaviour that might have been missed by the information security department in the absence of that external tool.
[music]
Teona: Sunny, Liliane, Chris and Cathy, thank you for your insight into the world of cybersecurity challenges and best practices for businesses.
Listeners, for more information on this topic and our podcast, please visit blakes.com.
Until next time, take care.
About the Blakes Sound Business Podcast
Our Blakes Sound Business podcast examines how changes in the Canadian legal landscape can impact businesses. Lawyers across our offices discuss the unique challenges, risks, legal developments, opportunities and government policies that you need to be aware of. We also cover diversity and inclusion and other social responsibility topics that matter to you.
If you want to hear about a particular topic, reach out to our Communications team at [email protected].
© 2024 Blake, Cassels & Graydon LLP