Developing practical and comprehensive solutions for creating, managing and maintaining a secure cyber environment in your business. Colin Rooke and Paul Martin are joined by Dave Krebs from Miller Thomson LLP, to discuss cyber attacks and taking proactive risk management.
Listen to the full episode here, or read the full transcript below
Paul Martin: Welcome to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin, your host for this program, and you hear me as a business commentator here on CKOM. Joining me in studio, as always, our expert, the man who knows all there is to know about commercial insurance, Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. Colin, welcome, as always.
Paul Martin: You know, in the last little while we've been talking a lot about reputation and that it's always... We seem to get dragged into these days, cyber, as those two seem to go hand in hand because there's an awful lot of activity going on. Cyber attacks, hacking, all that kind of stuff, and it's not going away and in fact it's not getting less, it's getting more prevalent.
Paul Martin: So, we've talked about what can a business owner do to protect themselves? What are the sort of steps they need to do? We talked about managing your reputation, crisis communications, but we're going to take it to a completely different level today. We're going to look at another angle on this.
Colin Rooke: Yeah. So, fair warning. This is another cyber show, but I just feel like we can't get away from it. I mean, it could be a daily thing and the nature of claims and the magnitude and the frequency and severity just keeps growing all the time. And we have talked a lot about proactive risk management. We've talked a lot about the coverages and when to get a PR specialist involved, and changes to the Digital Privacy Act. But for this show, I wanted to bring in, I guess, another expert to the show David Krebs from Miller Thomson and just dive into...
Colin Rooke: Okay, so I've had this happen. I'm working, you know, I worked the plan. I'm working with my broker, I have the coverage in place, but bad things happen and now we have a breach. And so I want to hear just... And educate the audience a little more from the legal perspective. So, when do you need someone like David to partner with your organization? Is it long before? Is it during the breach? Is it after the breach? Is it all three? And really educate, again, the audience more on, okay, knowing the legal risks associated with cyber crime.
Well, I think it's a very good point because we've talked about cyber crime from a whole lot of angles, but we haven't talked about it from the legal... What do you need to be talking to your legal counsel about?
Paul Martin: Well, I think it's a very good point because we've talked about cyber crime from a whole lot of angles, but we haven't talked about it from the legal and I don't mean the legal in the sense of the police department, but the legal in the sense of how can you... What do you need to be talking to your legal counsel about? What are the topics that you need to be addressing and where do they fit into this conversation?
Paul Martin: So let's bring David into the... Get him up to the mic here, and David, welcome to the program. You heard the preamble, you heard Colin set this up. When you're talking with business owners and managers of enterprises, you're talking about these topics, things like hacking, and cybersecurity, and data protection, and breaches. What are the nature of the questions that are being put to you, and what are the topics you are discussing with your clients on this subject?
David Krebs: Thanks, Paul. It really depends on the situation. I mean, a lot of times if you have a client that has experienced a breach before, unfortunately, and who's had some experience, they might jump right into a question of, "What law applies to me? What are my legal obligations to report, for example, to the privacy commissioner?"
Paul Martin: So, what are your legal requirements? I mean, you know, privacy commissioner, that's probably something that you don't... It's probably the name of that individual's likely not on the tip of everyone's tongue and we all know cruisers. So yeah, when do you get ahold of them?
David Krebs: So, it's sort of, again, it's a typical lawyer answer it. It sort of depends on your organization and what kind of law that might apply to you. But in Saskatchewan, in other provinces in Canada, you might have the federal privacy commissioner to contend with and Colin before was mentioning the Digital Privacy Act. So a major change that happened actually at the end of last year in November 2018 was that it was from that point on, it was mandatory to report "data breaches" that cause, again, "a real risk of significant harm" to individuals, to both individuals impacted and the federal privacy commissioner. Alberta's had similar rules in place for about eight or nine years now, but at a federal level, this was a big change. And that's under the PIPEDA regime or PIPEDA as some people call it and that law applies to many organizations in Saskatchewan.
Paul Martin: And that PIPEDA or PIPEDA, what does that stand? That's an acronym, right?
David Krebs: Yeah. That's the-
Paul Martin: The personal property-
David Krebs: Yeah, Protection of Personal Information and Electronic Documents Act. That's a mouthful.
Paul Martin: Yeah. PIPEDA sounds easier.
David Krebs: Yeah.
Paul Martin: But for a lot of people, this probably sounds a lot like Latin. I mean, it's kind of out there, but it is something we, business owners in particular, need to be sort of bringing themselves up to speed on.
David Krebs: Yeah, I think that's right. And to be honest with you, it's not... Whenever there's a cyber incident, I think one of the first things that you need to assess is, what data was actually impacted? What information was accessed, could have been accessed, was accessible or was lost during the attack? And I think from then on you'll sort of be able to look at your legal obligations as well, and Paul, when you mentioned your legal obligations, I think that includes your contractual obligations to suppliers, to customers. You might have something in a contract that says, "You need to tell us about a data breach that you've had or a cybersecurity incident that you've had."
David Krebs: So, I think people need to be aware of their contractual obligations as well as potentially their obligations to the regulator in Canada. And depending on, again, the nature of your business, you may have to report to foreign regulators. It happens many times that we've got... We're talking to clients with operations in the US, and out of those 50 States, I think there's 30 or 40 or perhaps more that have data breach notification regimes that are all a little bit different. The Europeans have it, and so many times you are faced with a situation where you're having to deal with multiple regulators with multiple kind of different obligations to report.
People need to be aware of their contractual obligations as well as potentially their obligations to the regulator in Canada.
David Krebs: That's one side. The other side is your contractual obligations and to be honest with you, a lot of times, and I know you've talked about this in past shows, your reputational obligations to customers, employees, whatever it might be.
Paul Martin: Yeah. The reputational stuff's more about your ability to just maintain good standing in the community in terms of the way the public views you or your customers view you. What we're talking about today is more about the legal side of, it's not just, it's nice to have your reputation. This is actually stuff that you're required to do.
David Krebs: Correct. Correct.
Paul Martin: It takes it to a whole different level. Here's more just a curiosity question and anything. Most firms have a corporate lawyer. Is that corporate lawyer the kind of person that does this kind of stuff, or is this becoming a specialty within the legal profession?
David Krebs: Yeah, so I would say the answer to that question is it's definitely becoming a specialty. I think it's a very new area of the law. I mean there's a lot of overlap with technology law, with privacy law, but these regimes are relatively new in many countries, or many jurisdictions, and it's changing all the time. There's a lot of, "It depends. We'll have to see." There's a lot of monitoring that you have to do of the... Even, again, foreign jurisdictions, how regulators are looking at these situations. I think you really have to keep your finger on the pulse in order to give good advice to your clients.
Paul Martin: So if nothing else, that you get nothing else from today's program. If you're a business owner or you're running a business, you might want to talk to your legal advisors and say, "Is this an area that you have competency in or do you need to bring somebody in?" Or just make sure you're asking the question about, "Do we have all of the basis covered on the cyber front?"
David Krebs: Yeah, I think that'd be a good idea. Generally. Yep.
Paul Martin: Yeah, and it's probably something new that they need to be talking about. As you say, it's a relatively recent development to create a specialty in.
David Krebs: In Canada, it's as recent as, at a federal level, anyway, as you know, 2018. And again, we still run into organizations and business owners, other professionals that aren't fully appreciative of the risks involved.
Paul Martin: Good. Just hold that thought for a minute. We got to take a little break. We're going to just be back in a couple of minutes. You're listening to Risky Business Commercial Insurance with Butler Byers and my guest today is David Krebs, a lawyer with Miller Thomson. We're talking about the legal side of cyber activity and potential cyber attacks against a business. We're going to pick it up after this.
Paul Martin: Welcome back to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin and joining me in studio, as always, Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers, and our special guest today is David Krebs with Miller Thomson. He is a lawyer who specializes in this whole new emerging field of the legal ramifications of cyber breaches, data breaches, and all of these new-fangled things that business owners are having to deal with that...
Paul Martin: You know, this is something that has come up really become more chronic in the last probably three or four years, I would think, David is likely true. But I mean, these attacks are coming from all over the world. They're getting much more sophisticated. We're a long ways from the Nigerian letter coming over the fax machine, aren't we?
David Krebs: Yeah. Yeah, I think it's evolved a lot since then, and as you can see from... You know, there's a variety of reports that you can find online. The Verizon report, IBM does one, and you really see the changing nature, really from year to year, over where these attacks were coming from. I think as a general statement, as certain companies are becoming a little bit more sophisticated in terms of their technical safeguards, criminals find a way.
David Krebs: So they're going after the weakest link, which unfortunately is still us as human beings. So, with that you're seeing a lot of, and I forget what the actual number is, but I think it's over a third of attacks that are phishing or spear phishing attacks aimed at exploiting our need to click on a link that's sent to us in an email, as an example.
Paul Martin: This really has evolved. I mean, I think back to this used to be something the business owner would say, "Well, that's IT, we'll handle that." Then it became IT and PR, and now it's become... And then HR, and now the legal department's definitely involved in it. I mean, this covers a pretty wide swath of a business operation.
David Krebs: You know what? I think that's absolutely true and it's very cross functional. I think that's why, just from a professional perspective, it's quite enjoyable. It's a lot of fun to work in this area because you are having to work cross-functionally on a cyber... Or an incident response team should have all those people that you mentioned. PR, IT, external legal counsel or internal legal counsel if you have, and to be honest with you, upper management, senior management. They need to be involved early. We see it now and again where that does not happen and it can be a risk to the company, it can delay things. So, I think that's another key ingredient to keep everybody on the same page.
Paul Martin: You know, you just used a really interesting word... Excuse me, word there that kind of piqued my interest because you said it is a risk factor, and it's getting to be a bigger risk factor, and I just... Like, how big? Can you define that? I know I'm asking you how long is a piece of string here, but is it dangerous enough it could take down a company?
David Krebs: So, I think unfortunately it has the ability to cause some really significant harm. I mean, if it takes a company all the way down to the ground, that might depend, but generally speaking, especially if data is your livelihood, it has the potential to really cause some harm if you don't take that seriously.
Paul Martin: Well, we've seen some big ones, haven't we? I mean, financial institutions with breaches that we're talking tens of thousands, 100,000 clients. Customers daily-
David Krebs: Millions.
Paul Martin: ... that's been breached, right? I mean, clearly there's, you got to talk to the IT department about that. You've got to talk to the PR department about it, but there's legal implications too.
David Krebs: No, that's right. I think... And obviously the bigger the breach, the higher the number of impacted individuals. You get into... Another thing that we haven't talked about, the notifications that, let's say you have a cyber incident, which involves a notification requirement to a regulator and to individuals. Those notifications have to be drafted in a certain way that not only sort of satisfies from a reputational perspective, the person receiving that notification, they also have to satisfy legal requirements, which are actually spelled out in legislation.
David Krebs: So certain information has to be contained in that notification. Not to say that you can't issue a press release that gives some additional basics, or if you want to get ahead of the story, that's fine, but your legal notifications have to satisfy certain requirements.
Paul Martin: You know, where do you like to enter the conversation? Do I as a business owner, or the manager of an enterprise on behalf of someone else, like a professional manager, do I talk to you early in the process before anything happens, during it or after? Or all of the above?
David Krebs: You know, ideally, I would... And I'm a business lawyer. I'm not a litigator. So if I can, I like to prevent things from happening. So, there's a lot of preventative work that you can do. Now, you won't be able to exclude the possibility of an attack. That's just not in the cards, but you can do a lot to get prepared. You've got a breach plan in place. You have a team assembled. You know who to call, and having a breach coach, for example, if you have insurance, your insurer might recommend a breach coach, which is usually a lawyer to help you get prepared.
You can do a lot to get prepared. You've got a breach plan in place. You have a team assembled. You know who to call, and having a breach coach, for example, if you have insurance, your insurer might recommend a breach coach, which is usually a lawyer to help you get prepared.
David Krebs: But if you don't have that in place during an incident, I think right when you find out, I think one of your first calls should be to your breach coach or to the team that you've assembled to handle an incident. Then you figure out what you need to do, right? You start from the beginning, you say, "What are my legal obligations? What are I contractual obligations? What should we do? What do our employees expect us to do?" And you go from there.
Paul Martin: Interesting you used the term team, and it really is about a team isn't it in this particular field because you need the business side of it, you need the communication side of it, you need the legal side of it, and you need the people side of it.
David Krebs: That's absolutely right, and I think from a... What I've experienced many, many times, organizations sort of look to their lawyer to do some quarterbacking. It doesn't necessarily have to be the lawyer that does that, but many times we do fall into that sort of position where we're kind of stick handling other team members. And like I said, I think it comes down to communication. Again, I think all team members have to have the same level of information in order to advise.
Paul Martin: Well, if I've learned anything today it's that this is a very complex area that business owners are sometimes probably find themselves that feel like they're walking in a minefield because they don't really know when this thing's going to blow up, but they need to be prepared for it. And prepared is your best friend. Getting prepared in advance. Yeah.
Paul Martin: David, thank you for taking the time to come in and provide us with some really interesting insights about how you need a team to be able to deal with these kinds of things, and that business owners are increasingly going to find themselves dealing with topics such as cyber breaches and data breaches and people generally attacking the inner data and information that is proprietary to any company.
Paul Martin: So thanks for joining us.
David Krebs: Thank you.
Paul Martin: David Krebs with Miller Thomson, law firm here in Saskatchewan, thank you for joining us. And Colin, as always, thank you for coming in. You've been listening to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin. Talk to you again next time.