Episode 3: Managing a breach

Disputed episodes

 

Data breaches in Canada hit a record high last year with an average cost of more than $6 million per incident. Data breaches are beginning to affect every sector and industry and regulation is beginning to increase to address these breaches. The second episode in our cybersecurity series, join hosts Ailsa Bloomer and Andrew McCoomb as they dig into how best to manage a data privacy breach. What constitutes a breach? What do you actually do when a breach happens? And how do you mitigate the impact and reduce the risk of a future incident? For the discussion, we welcome back Imran Ahmad, co-head of information governance, privacy and cybersecurity and head of Norton Rose Fulbright’s technology sector. Joining Imran is Miranda Sharpe, an associate from our Calgary office and a member of Norton Rose Fulbright’s national information governance, privacy and cybersecurity team.

CPD credits: This episode qualifies for 0.5 hours of Substantive credit in Ontario and 0.5 hours of Practice Management credit in British Columbia.

For more information, check out Imran’s book, Cybersecurity in Canada: A Guide to Best Practices, Planning, and Management.

Transcript

 

Listen and subscribe to the Disputed podcast on:

• Apple Podcasts
• Spotify
• Google Podcasts

 

Contact us

 

---

Transcript:

Ailsa Bloomer 00:11
Hello and welcome to Disputed, a Norton Rose Fulbright podcast that looks at the trends, issues and opportunities across Canada's legal landscape. We’re your hosts Ailsa Bloomer from Calgary, and Andrew McCoomb from Toronto. And this episode is all about managing a data privacy breach. Specifically, what constitutes a breach and is the definition expanding? What do you actually do when a breach happens? And how do you mitigate the impact and reduce the risk of a future incident. Data breaches in Canada hit a record high last year, the average cost of a breach in the country was over $6 million per incident. And by comparison, the 2021 global average was around $4 million. This is happening in industries across the country, most commonly those that hold personal information, such as the healthcare and financial sectors. But with the rise of cyberattacks, such as ransomware that we talked about in a previous episode, we're seeing an increasing number of instances in other industries, such as energy and infrastructure. This rise in data breaches is compounded by operational shifts resulting from the pandemic, such as remote working and a move to storing data in the cloud. At the same time, we are seeing a corresponding increase in regulation. Ontario has tabled new privacy legislation, and several other provinces are considering updates to their own regimes. So to talk us through these issues, we welcome back the co-head of our cybersecurity practice, and the head of Norton Rose Fulbright’s technology sector, Imran Ahmad. Imran literally wrote the book on this topic. It's called Cybersecurity in Canada: A Guide to Best Practices, Planning, and Management, and a link to where you can find this book is in this episode's description. Joining Imran was Miranda Sharpe, an associate from our Calgary office and a member of Norton Rose Fulbright’s national data protection and cybersecurity team. 

Imran, Miranda, welcome to the podcast. Thank you very much for joining us. 

Miranda Sharpe  02:20
Thanks for having us. 

Imran Ahmad  02:22
Thanks for having us. 

Ailsa Bloomer  02:23
Okay, so Imran, how about you set the scene for us? How would you describe Canada's privacy data breach landscape today, what kind of threats are Canadian entities facing? 

Imran Ahmad  02:32
So what's-- what's really interesting is when you look at cyber threats, and generally they evolve very, very quickly. And what we've seen over the last year, year and a half, especially during the pandemic, is an evolution among the cyberattacks that are happening, where historically you would have had a encryption event like a ransomware attack, or you'd have had the depth of data for the sale of it on the dark web, for example, you saw more and more attackers actually coupling them together. So they steal some data, and then they encrypt it with the hope that at the end day, one way or the other, you're going to pay them to either get the data back, or have a destroyed. So significant change in tactics, which is really, really interesting. But on the same discussion point is the fact that the regulators are really changing their approach and being much more active and wanting to know exactly in detail how an organization is responding.

Ailsa Bloomer  03:27
So the evolution of cyberattacks and the rise of ransomware is-- is pretty striking. Our previous episode covered the development of ransomware in more detail, but just to pick up on that last point, specifically, how is the regulatory landscape changing? 

Imran Ahmad  03:38
Yeah, you know, if you look at it from a regulatory standpoint, specifically, Quebec has Bill 64, which is now just completed its review in the Quebec National Assembly, which is going to probably be adopted at some point later this year, if not early next year, and then coming into force 12 months post. Ontario's looking at introducing new private sector privacy legislation. Our federal statute, is likely to be re-initiated in some shape, way or form as well. And then there's obviously British Columbia, which is looking at updating its own privacy laws. So certainly, from a privacy law standpoint, a lot of changes coming, but certainly much more likely in the space of other regulatory areas such as financial industry, as well as regulatory in the energy space, as well as healthcare. Those are the three areas which are a) as a general proposition highly regulated, but now have specific guidance that's being issued in terms of what to do in the event of a cyber-incident.

Andrew McCoomb  04:31
So guys, this episode is all about managing a breach. I mean, that seems like a relatively loaded term -breach and quite a broad one. So let's talk about first of all, what do we mean when we're talking about a breach? And what kinds of events could that include? 

Miranda Sharpe  04:46
So, a breach is basically just when confidential, sensitive or protective information is exposed to an unauthorized person. So it can be anything from a lost or stolen laptop, an accidental disclosure, such as like an email or mailing sensitive information. Email compromised or all the way up to a cybersecurity attack, like a ransomware attack that Imran was describing. And so, under privacy legislation, we look at a breach is-- is a breach of security safeguards that involve personal information under the organization's control.

Ailsa Bloomer  05:19
So there's basically lots of different things that can amount to a data breach. So if you're going to manage that, and the company has discovered that it's had a data breach, what are the first things, practically speaking, that it should do? Who should be doing what?

Miranda Sharpe  05:29
So, the first thing is, because there's so many types of things that can be data breaches, it’s to triage the event. Is it serious? Is it straightforward? Is it widespread? Because you're going to treat a lost or stolen laptop or-- or accidental email completely different than you'd treat a ransomware event. So you would step it up appropriately and consider whether or not you would need to bring in your-- your whole incident response. The other thing to consider as you're triaging this is what is the potential information at risk? Is there sensitive personal information at issue? How sensitive is it? Are we talking SIN numbers? Are we talking health information? Are we talking maybe just contact-- business contact information? What is the scope of that? What you're also looking at is-- is critical information or in-- critical infrastructure to your business at issue? Potentially some part of your business is encrypted, and you don't have access that you need to operate and run your business. How critical is the information? Is it patents, trade secrets, very confidential information? That-- that's going to dictate how you-- you approach your incident response. So those are kind of the things you consider… 

Imran Ahmad  06:37
Just to-- just to build on what Miranda mentioned, which are all excellent points. You know, in-- in some of the situations where you have a threat actor, which is the hacker essentially attacking an organization in whatever shape, way or form, there really are three broad steps that you want to implement. Number one, as Miranda mentioned, you want to contain it, you want to secure the perimeter. So the example I often give to clients is think of your house being broken into. If you see the door has been broken into, you want to make sure number one that you secure the place. You call the cops, you make sure that it's safe for you to go in, and then live there, obviously, or sleep overnight, or whatever it may be. Same thing here, if your system has been compromised, or you think it has been compromised, you want to get a clean bill of health before you continue doing operations. The second phase is if your operations were rendered inoperable for whatever period of time, let's say through a ransomware incident, you want to make sure that you restore system as safely as possible. So you certainly want to bring things back up. But you want to make sure that you're making that backup come up in the most secure way possible. So again, coming back to the example at the house, you know, when you may see the front door open, but you don't know if the burglar got in from the back window or the back door. So you want to make sure that when you restore it, or you're going back into the house, you've secured it in all shape, way or form. And then last but not least, and this part actually takes a little bit of time, because there's some investigating and some analysis that has to be done by the forensic investigators, is the forensic piece. And what forensic really stands for essentially is to work backwards, figure out when the bad guys got in, how they got in, and what they may have accessed. And what that allows you to do at the end of the day is to hopefully identify the patient zero or the root cause of the incident. And then afterwards, being able to address it so that it doesn't happen again.

Andrew McCoomb  08:20
So Miranda, you mentioned various suppliers, was it Imran, you mentioned forensic investigators. I mean, can you guys tell us a bit about the landscape of who's out there to help you deal with that list of things you got to do, Imran, because obviously for most organizations, some are going to be sophisticated enough to do some of those things, at least partly on their own. But-- but for the most part, I mean, this is extremely foreign and I have to imagine disorienting for anybody faced with this sort of challenge. So who's out there to help other than breach counsel like you guys, when these events arise? 

Imran Ahmad  08:58
Yeah, it's a good question, Andrew, there's at least the following four broad categories of vendors you want to work with. Firstly, you want to get legal counsel involved and not to be self-serving, there is good case law, both in the United States and in Canada, where you want to maintain privilege in an investigation, because you don't know how big or small it's going to be. And you want to make sure that the investigation is set up properly. The last thing you want is to go ahead and hire an IT firm, who you think are great, because you worked with them for many, many years, without having that-- that privilege piece considered into the documentation. So the starting point or the quarterback should be breach counsel being retained number one by the client. Number two, you want to think about the forensic firm and that's typically the bulk of the spend that the client’s going to have in terms of, you know, dealing with an incident. And that forensic firm is going to touch on those three things I mentioned, you know, containment, restoration and forensics. And what they're bringing to the table are some very specific tools and means that they have they have a particular methodology of how they're going to go about it. Because at the end day, a forensic report is going to be issued, and the premise of that forensic report is if it was ever to be produced in litigation, or in a regulatory investigation, can it be actually defended as being a proper approach that was taken so a clear methodology, and advanced tools that are sophisticated, to give that type of comfort, often, most organizations don't have that in-house necessarily. And it can be a bit challenging. Also, it also helps quite frankly, have a third party come and do that for you to give you a bit of arm's length, you know, visibility, and have some critical discussions in terms of what went well, what didn't go so well. So that's category number two. The third one, which quite frankly, in recent months and years, we've seen an increase, is the crisis communication part. I'm sure we're gonna get into this discussion as well. But not only is the B2C organization impacted, where you're putting out notices, and you may have a press release, or you may have some kind of communication with media, you're seeing a lot of B2B incidents occurring. And as a result, when you tell your key business partner, hey, I had an incident, and at the end day, your data was leaked, you gotta manage that relationship. And it's not as simple as just sending a notice over or having the CEO pick up the phone and just talk about the incident, you gotta know where the limits are, you gotta know how to approach it. There's, there's a bit of a sequencing, and quite frankly, a bit of an art that goes along with it. So a crisis communication firm is really critical. 

Ailsa Bloomer  11:19
B2B incidents that you mentioned briefly, can you explain what those are? What do you mean by that? 

Imran Ahmad  11:24
You know, I think of supply chain. Canada's economy is heavily integrated, maybe industry wide, or it may even be cross-border. So one example I can give to our audience would be, for example, the automotive space. Highly integrated, in Canada and the US. You can be a supplier of automotive parts that goes into some kind of a technology component, that comes out with a car off the final factory rollout that comes out of it. When one part of the supply chain goes down, they may be able to operate for about 72 hours or so on their own if systems go down, but they won't be able to do it beyond that. The other piece to keep in mind is they're heavily integrated for online billing, for example, inventory management. So if you're an OEM, for example, you're going to manage your suppliers downstream and upstream in a very particular way. So when a breach occurs, a) what can you tell them? Can you tell them you've had a cyberattack? Most companies will say, "Well, if you've had an incident and you can't tell me that your environment is secure, I'm going to cut you off. I'm gonna cut you off from our IT systems, so that you cannot infect us potentially." And then the company, the one that was targeted, can be offline for a prolonged period of time, up until such point that they can give those assurances that they're safe and secure. So the B2B component has become much more significant in my view, than what it used to be historically, where you may have heard, maybe even five or six years ago, the biggest breaches were the one that had credit card number thefts that were occurring.

Ailsa Bloomer  12:46
Well, and presumably as well, if it's not you, but it's another vendor in the supply chain that’s had the breach, you presumably can't exercise much control over their Incident Response Plan. So what do you do in that situation? 

Imran Ahmad  13:01
Well our hope is that before the breach occurred, the client had taken some time and looked at their contracts very carefully. You know, on our pre-breach practice side, a lot of the work we do is on the contracting piece. So to the extent that there's going to be data exchange or access by other supply chain members, upstream or downstream, depending, you want to have three key provisions at a bare minimum in that contract. Clause number one is you gotta get notice right away or give notice potentially if you're the one who has been impacted, usually no later than 24 hours, so at least you have visibility, what's going on and you can prepare to whether you've gotta notify individuals or other folks within the supply chain. Second piece is you want to have visibility throughout. So it's a cooperation clause as we call it, you want to make sure you understand what they're doing, how they're doing, it if it meets your standard of acceptable norms, in how to manage a breach. And the third one, quite frankly, probably the most contentious one, is what who's going to pick up the bill at the end date. So if something goes wrong, and you got to notify people who's going to pay for the call centre, the mailings, the credit monitoring, any other cost that may be affiliated with it. So the language you have to have in the contract has to be very, very specific. And again, those are very case specific, you know, depending on your buy sell side, or you know what the leverage you may have in terms of negotiations, but we're seeing a lot of those being built into the contracts. One last point and I'll hand it back over to you that comes up a lot is, you know, that first clause I mentioned the 24-hour notice, for example, a lot of clients are locked up, it's all encrypted, so they don't even know who to call and they quite frankly may not have identified their most critical contracts, okay, I know these are the 20 contracts, I need to be able to go and notify 20 key clients. And so often, notice being given past the 24-hour period, which never is a good thing to deal with, when you're trying to tell a business partner something bad has happened. So the advice we have is make sure you sort out those contract pieces, identify the key vendors or business partners you need to notify in the event of a breach and have that at the ready. 

Ailsa Bloomer  14:59
Yeah, so I mean, and the broad takeaway point is when you're dealing with procurement business to business contracts with vendors or their stuff, there are some really important clauses you need to make sure that you have in your contract. 

Imran Ahmad  15:10
You know, I'll just add one quick point to build on that. Just generally speaking, in recent years, you've seen organizations really focus on digital transformation, the whole premise on digital transformation is to be more efficient and to use other applications. And the challenge there is, you know, somebody needs to sort of navigate through a lot of that. So you typically find a lot of what we call integrators, which are third party service providers that will not just host your data, once you manage your entire IT environment. And when they get compromised, there's several cases where this the-- the MSP, or the Managed Service Provider, was the one that was impacted. You know, they give you the notice, but you're really either their mercy in terms of timing for them to get back up and running. And you don't get much information unless your contract can be pointed to and say, yo, you have to give us the following information. The other thing to keep in mind is sometimes if you are impacted, and you do bring those to the forensic firms that we just talked about earlier, those forensic firms can’t just go do their work, they actually need access to your environment, they actually need access to certain logs and records that quite frankly, your ISP or your-- your MSP rather, is the one that's going to be holding on to. To be able to do that you need to have very specific clauses that you can point to and say, look, we need your cooperation on the following and we expect it to be done within this timeframe. 

Ailsa Bloomer  16:26
So from a regulatory perspective, what are the key points to be aware of in the aftermath of a data breach, I'm thinking specifically of the certain provincial or federal statutes and regulatory regimes that might be engaged. 

Imran Ahmad  16:39
As I mentioned earlier, there's-- there's a complexity around regulatory regimes now, depending on the industry that you're operating in. So we talked a little bit about energy, there's financial services, there's also transportation in many cases that comes into play, and certainly healthcare. The interesting part is, depending on where the organization, public or private sector situates itself in the ecosystem, or in the supply chain, they're gonna have different obligations. So either you're dealing with B2B, B2C, that's one thing, but there's regulatory oversight throughout the process. I'll give you an example of something we came across recently. We had a-- a client who was in the logistical transportation space, and they actually ship very sensitive goods across the Canadian border to the US. And you would think, you know, a trucking company, how much regulation could there be? But there are hazardous bits that came into play, that you have to be very mindful of. You have to notify the entity that's receiving and that actually send the goods. But more importantly, the customs authorities that are impacted more on the Canadian and on the US front, need to know that there's a backlog because a lot of this is done by eManifest now for the transportation fees and border crossings. So just a simple company that you would think in the transportation area that should not be heavily regulated, had significant regulatory components. Now, couple that with the law enforcement piece, where a lot of those regulators will ask you the specific question, "Hey, can you confirm to me this has been reported to law enforcement?" And if you have, you know, multiple locations, not just in Canada, but in the United States as well, often you'll have to report in multiple jurisdictions at the same time. Certainly, that's one example. The same can be applied for financial institutions. I think, when it comes to the FI space, in particular, it's even more complex, because depending on who you are, credit union, insurance company, a large bank, it's not one regulator that you have to deal with. There’re multiple that you may have to or a very niche one that you have to notify and understand what the requirements are. So some of the times what we end up doing are, there's some critical absolute notifications that have to be made under statute. And then their relationship notifications, we also gave for regulators with more courtesy notifications. You have to understand that there's an interplay between the different regulators. You can't tell, for example, one regulator in the financial sector what's going on and, you know, not do the same at some level with another one who will hear about the incident and wonder why I was not told about it, even if, technically, I didn't have a jurisdiction to look at it from an enforcement standpoint.

Ailsa Bloomer  19:04
Does it matter how big the entity is that suffered the breach here? Are there any minimum size thresholds that they have to be in order for those reporting requirements to be triggered? 

Imran Ahmad  19:12
No, it's all based on the data. So to the extent the data triggers it, you're-- actually, there's two components. So certainly, the data and the sensitivity of the data is probably the key thing, you know, from a privacy law standpoint, that comes in, but for the ones that are heavily regulated, you know, again, FI, transportation, energy and healthcare, a lot of the regulator, their obligation or their jurisdiction stems from the fact that they have an obligation to ensure that the stability of their industry is maintained. So for example, OSFI, when you look at the reporting guidelines that they have, what they want to make sure is if this was a major incident at this organization, could it have an impact on other organizations, or the financial sector more broadly, hence, the heavy regulation around it. So they're really, you know, it's not just a scope, issue or size of the organization issue. It's a jurisdiction issue for the stability of the industry that they're typically looking at-- at regulating.

Ailsa Bloomer  20:04
So perhaps less obvious in the regulatory side, what are the contractual issues that can arise from a data breach that might-- people might not think of in the immediate aftermath? 

Miranda Sharpe  20:14
Yeah, so one of the key questions to ask early in the breach is, how this might affect other stakeholders, we talked a bit about business to business relationships and reviewing those contracts, that it's important to have those contracts identified early so that you aren't reviewing hundreds of contracts when the breach happens to figure out what your notification obligations are, because some of them can be very quick, it can be 72-hour notification, some don't have any notification requirements. It's also important to consider when you notify your business partners and those relationships, because you want to notify when you have enough information that you can kind of calm them down that you have it under control where data has been taken or accessed, you don't necessarily know if your suppliers or business relationships or other stakeholders have been impacted. So you don't want to falsely alarm them. So sometimes I've had clients want to notify business relationship, business partners, early in the process, because of their relationship and because of how they--they interact with that partner. And so it was more important for them to notify before they really had a sense of what information was accessed or-- or exfiltrated. But it is important when you're providing that information that you're also not waiving privilege, you don't want to be giving privileged information to those business relationships, or business partners, because you could waive privilege. If you do have a business partner, who's a stakeholder, who also potentially has joint control or custody of that personal information, they potentially also have regulatory obligations associated with that. So, in that case, you do want to be sharing that information in order for them to be able to make informed decisions from their own regulatory perspective. So you might want to consider doing a common interest privilege agreement so that you're covered in that perspective. 

Andrew McCoomb  21:59
Miranda, you know, as the litigator, I'm interested to hear you talking about privilege. And I take it, one of the key reasons why you want to be managing privilege so carefully, is that because while you have to do all this initial damage control and-- and isolation and containment, and message management up front, there's still the downstream question of how is this breach going to come back and visit us in litigation, in regulatory enforcement, etc? And that's why, or at least one of the primary reasons why we're so concerned about privilege, is that fair?

Miranda Sharpe  22:38
Yeah, and you hit it exactly on, you’re, when managing a breach and even planning for breach management, you need to have that open, honest conversation with a lawyer, and to be able to walk down through the different scenarios and make good decisions. And there's just so many sensitive documents and discussions that happen in that time period so it's really important that that's covered by privilege. One thing that's-- it's really important for in-house counsel to consider is, privilege only applies to legal advice, and not to non-legal business advice, if there's a potential that their input or just having them on the document might be challenged, that they are actually providing legal advice, you may want to consider bringing in outside counsel for that purpose. 

Imran Ahmad  23:23
And just to build on what Miranda mentioned, and she makes an excellent point, often folks are gonna assume, hey, I'm just going to mark it provision confidential between two non-lawyers in the IT team, for example, and it's privileged. Or, if I just copy a lawyer in house, or external, automatically is going to be privileged. And that's just not correct. So one of the things on the-- on the planning side that we recommend is, in addition to cyber response plan in the annex or schedule, make sure to have a very short do's and don'ts one pager. How do you organize yourself? How do you control the flow of information? And where is privilege? You know, there's a big difference, as everybody knows, between legal privilege, and, you know, privilege and confidential prepared at the request of external counsel or in-house counsel. You know, there's-- there's certain labeling that has to happen and has very specific meaning. So immediately, when an incident occurs, we can educate the team who's going to be responding to it, if they're not aware of it, here's what you need to be aware of number one. And then number two, the other pieces, which are really relevant from a legal perspective is when you're looking at that incident response plan. Again, looking at the schedules, we recommend having two pieces that are added to it. Number one, a regulatory chart. So if you're an organization that operates, let's say, across all provinces in Canada, you're not only going to be subject potentially to one piece of privacy legislation or one piece of regulation, you may have multiple pieces of regulations. So it's great to have breach counsel, but it's great to also have a chart and literally have a roadmap of notification. And the last piece, is really understanding your data. Understanding what data you have and where it's kept and how it's kept is critical. In the event of an investigation, to be able to point an investigator and say, this is where our crown jewels are, this is where the trade secrets are. You know, I'm not fussed about this piece of information, but if this ever got out, this is our-- our bread and butter. You can focus on that piece quickly and intensely to get either assurances that it is secure or was not impacted or to the opposite, that it was indeed impacted and you need to take some specific steps to-- to mitigate that.

Ailsa Bloomer  25:27
And Miranda mentioned common interest privilege earlier, what is that and how do we make sure it's engaged?

Imran Ahmad  25:34
So from a common interest privilege is basically when two parties essentially have the same interest or they're aligned in their interest, but they need to share information that would otherwise be privileged. So for example, we talked a lot about insurance, your insurer has a common interest privilege in principle with the insured, and they need to make some financial reserves or pay out a claim, but they don't just make out a claim or pay it out without knowing what they're actually going to cover, whether it falls within the four corners of the policy. So they need to get some factual background and information. It is not uncommon to see a insurer, for example, request a copy of the forensic report or a version of the forensic report under that common interest privilege principle. 

Andrew McCoomb  26:17
So everything we've talked about so far has, to some extent, a Canadian or domestic focus. But Imran, your answer a moment ago, touching on sort of US cross-border issues, prompts us, I mean, how does this advice differ if we're talking about an international company or a multinational company?

Imran Ahmad  26:36
So I think, you know, from-- from a cross-border perspective, or multi-jurisdictional perspective, there's a lot of strategy that goes into it from a regulatory standpoint in particular. And quite frankly, even from a notification standpoint of individuals have to be notified. You, the last thing you want is to be giving different pieces of information to different countries or different regulators or different individuals. So for example, you know, in some cases, our privacy law in Canada is more permissible, it's a risk of harm analysis that we typically look at, in other jurisdictions. And there's some US states that may have very strict requirements and notify based on specific pieces of information, such as a credit card being compromised. And so you cannot have a situation where for the same breach, you're notifying one class of people in one state, for example, in the US, and omitting to do the same in Canada, or notifying maybe one group ahead of the other for convenience purposes. Same thing on the regulatory side, if you're speaking to the Office of the Privacy Commissioner, for example, here in Canada, you don't want to be in a situation where you're not sharing the same level, or you're tailoring the message to a different extent, for those who are the supervisory authority within Europe. So you really have to coordinate the different pieces much more carefully. And that's where having a team really helps. We regularly work with our US and EMEA and global partners at Norton Rose and their cyber group to make sure that at the end day, the messaging is coordinated, and that any strategy on roll up or notifications is coordinated as well.

Ailsa Bloomer  28:06
So consistency is the key. On that same point what about if it's not necessarily an international operation, but say it's a foreign subsidiary, and the parent entity is in Canada, and the foreign subsidiary is the one that has suffered the data breach. To what extent are the reporting obligations and implications triggered up the chain to the parent company? Or is that parent company insulated?

Imran Ahmad  28:29
So I think if you look at, for example, from the GDPR perspective. If somebody is offside GDPR, and let's say there's enforcement action that flows from it, and fines are issued, the fines are based on a global turnover percentage. So, you know, at the end day, the parent company could be in Canada, and the foreign entity or the affiliate may be relatively small. But if the impact is egregious, and meets the standards and requirements for non-compliance and enforcement action under GDPR, you could see a significant fine being issued at that point, there's several cases of that since GDPR came into force. So I think the approach we typically take and-- and frankly, the great thing is clients want to do the right thing. You know, when a parent company does become aware that something has occurred in another jurisdiction, they want to make sure that they deploy the right resources. I know earlier on we talked about insurance, Miranda made-- made a reference to it. Most insurance policies will actually consider the parent company along with the affiliates, so that the benefit of the vendors that they have on panel can actually be pushed down to a, for example, an affiliate in another jurisdiction if needed.

Ailsa Bloomer  29:32
So what role does the board of a company have in a breach situation? What should the board be made aware of specifically and why? 

Imran Ahmad  29:40
That's a really good question that comes up a lot in terms of the conversations we have with clients. There's often a concern that the board needs to be very technical, that they have to have some kind of an IT background because we're going to be managing the breach. That's not the case. The role of the board either before an incident occurs or even through the incident is one of oversight. And really, there are three key pillars that apply to their role. When you look at their fiduciary obligation to the organization, they want to make sure they meet the following three. One, situational awareness, that they have a pretty good idea what the risk exposure looks like from a cyber-security standpoint, and what the impact potentially could be in the event of a material incident happening, reputationally, operationally, financially, legal and regulatory, obviously, as well. The second portion of their oversight obligation should be the allocation of resources. And this is not just a question of writing a blank cheque and saying buy a lot of technology, but human resources, governance, retaining advisors, folks who can help them walk through that process and understanding what that risk may look like, and the steps that they can, quite frankly, take to mitigate that risk, really empowering the operational team, to bring to home the steps that need to be taken to mitigate the risk. And then lastly, as we alluded to earlier, cyber risks are evolving constantly, this is not a one-time seed investment. So they should be thinking, how can they constantly improve the protocols and policies within the organization, not writing them themselves, but having them reviewed at a regular cadence to make sure that they meet industry standards, or to the extent they have established best practices, from their standpoint, that they're being met on a on a regular and consistent basis. And I really tell clients, it's a bit of a circle. So you go from situational awareness to allocation of resources to sort of lessons learned and constant improvement, and it's a spiral. So really understanding at the board level that this is going to be an ongoing exercise, that's going to be key. And then lastly, structuring the board, there's specific terms of reference you want to have within the audit or risk committee, in terms of what they're looking at, and how they're looking at it. It is not a question of a security expert coming and think things are great or things are horrible, they're really having a dashboard of key metrics that they want to track, both on the technical side, but certainly on the governance and compliance side of things as well.

Ailsa Bloomer  32:04
And on that theme of awareness, name one trend or tip to do as we heard into 2022 in this space.

Imran Ahmad  32:11
I think certainly that meets what I've been hearing from various forensic firms and threat intelligence companies in terms of the type of attacks that are going to happen most likely in 2022. One of the things to keep in mind is now with the return to the office or some kind of a hybrid model, we have and we expect to see an increase in cyberattack numbers. Just to give you a couple of anecdotal data points. Back in April and March, when folks were actually migrating from the workplace to the home remote work environment, we saw a three to five times increase in net-- net incidents being reported. That number has been stable since then. So it wasn't a peak or a spike, it was a net new query now whether once people go back to the office and reconnect their laptops and find all kinds of things that may have been on their system, which hadn't been properly scan until they connected to the network more-- more completely, as opposed to a VPN or Citrix type of connection, where there's going to be more incidents that are reported, what the impact’s going to be, and how organizations are going to deal with it. 

Andrew McCoomb  33:13
Miranda, Imran, this has been extremely enlightening, terrifying at times, but very, very useful throughout. Thank you guys so much for being on the podcast today. 

Ailsa Bloomer  33:22
Thank you. 

Imran Ahmad  33:23
It was great. Thanks for having us. 

Miranda Sharpe  33:25
Yeah, it was a pleasure joining you today, thanks. 

Ailsa Bloomer  33:27
We hope you enjoyed this episode of Disputed. If you'd like to find out more about this topic, or how to contact our guests, please visit nortonrosefulbright.com/disputed. Also, if you have any questions, feedback, or topics that you'd like us to cover in a future episode, please do email us at disputed@nortonrosefulbright.com. And if you would like to hear more, please subscribe to Disputed on Apple Podcasts, Spotify or wherever you get your podcasts.

---

Norton Rose Fulbright Canada LLP is providing this podcast as a purely educational service. While it may contain legal information, it should not be construed as legal advice, a legal opinion or recommendation, or a statement of process or policy of Norton Rose Fulbright Canada LLP. The information, views and opinions expressed by guest speakers are entirely their own and their appearance on the podcast does not express or imply an endorsement by Norton Rose Fulbright Canada LLP of the information, views or opinions expressed by any guests, or of any entities they represent. Norton Rose Fulbright Canada LLP expressly disclaims any and all liability or responsibility for any direct, indirect, incidental or any other form of damages arising out of any individual’s or organization’s use of, reference to, reliance on, or inability to use this podcast or the information presented in this podcast.