Transcript of Cas cyber prez
Data and Cyber Security Risks
Data and Cyber Security Risks: Best Practices for Protection and Response
September 29, 2016
Dan Michaluk
Dan Michaluk | Partner, Toronto
The claims context
2012 • Lost HD with PI of student loan recipients (Condon)
2012 • Unauthorized access to medical records (Hopkins)
2014 • Medical marijuana mis-mailing (Doe)
2014 • Payment card theft (Home Depot)
2015 • Ashley Madison extortion affair (Avid Life)
The claims context
BIG LEGAL ISSUES
Is a victimized custodian liable when its loss of data has not caused “compensable damages”?
Creative counsel say “yes.” Courts say maybe.
• Intrusion upon seclusion and “recklessness”
• Contractual breach and nominal damages
• Waiver of tort
Is an organization vicariously liable for an employee’s (intentional) unauthorized use?
Creative counsel say “yes.” Courts say maybe.
• This is a policy issue that needs to be litigated on good facts
• We have one preliminary court decision considering the issue and one arbitrator who said “no” to vicarious liability
The claims context
• PIPEDA breach notification a game changer
• "Breach of security safeguards" – loss, unauthorized access, disclosure
• When there is a "real risk of significant harm"
• Notification and reporting to individual, to the OPC and to organizations in a position to mitigate
• All "as soon as feasible"
What’s really at stake?
Potential liability?
• Not all damages are compensable
• Moral damages are capped
• Will class counsel be rewarded?
Other costs and losses
• Professional fees (PR, IT, Legal)
• Notification costs (mailing, call centre)
• Business interruption and lost productivity
• Reputational harm, lost business and stakeholder management problems
BIG corporate data risks (and top defences)
• Rogues – background screening, network monitoring
• Phishing – employee awareness and training, intrusion detection
• Ghost IT – safe options, clear rules, clear enforcement
• Mobile – balanced BYOD policy
The incident response process
Identify → Contain → Remedy → Close
Incident response best practices - timing
• Initiate ASAP
• Keep the ball in motion
• Don't rush
Incident response best practices - analysis
• Assume only as necessary
• Obtain objective input
• Obtain technical input
Incident response best practices - communication
• Take a broad view of notification
• Put yourself in their shoes
• Demonstrate commitment to doing better
Questions & Answers