The times they are changin’…
The legal implication of a cybersecurity attack on your business
Corporate and securities lawyer, Joseph Chiummiento, of Core Lawyers, describes what legal consequences you could face in the case of a cybersecurity attack and current best practices to limit liability.
What is a cyber attack?
A cyber attack is an offensive action against an organization’s computer information systems, infrastructures, computer networks, and/or personal computer devices to steal, alter, or destroy data. Cybersecurity now ranks among the top 3 risks affecting your business, and, according to PwC Canada’s 2016 Global State of Information Security Survey, cybersecurity incidents in Canada have increased by 160% year over year.
How can it affect your business?
You do not have to be Yahoo to become a victim of a cybersecurity attack. Even if you don’t store user information that could be stolen and used for illegal purposes, an attack could also target employee data, confidential financial information, business secrets and so on. The increased use of cloud-based technology further elevates exposure, and data leaks are only one aspect. An attack could also temporarily disable your systems, or a hacker could hold your data hostage, making it impossible for you to carry on with your business and leading to jeopardized profits and loss of confidence and trust from customers.
An attack could be the result of something as simple as an employee connecting a personal device to your company network, or hackers from overseas trying to access your confidential data. With the rise of the Internet of Things (IoT), for example fitness trackers, self-piloting drones, Wi-Fi printers and other internet-connected devices, attackers can gain access to your connected devices or systems.
When the unthinkable happens, what measures can you put in place to keep the exposure to a minimum and bounce back as quickly as possible?
What can you do to mitigate your risk?
- Understand your industry and your rights under the Personal Information Protection and Electronic Documents Act.
- Minimize negligence from employees by having proper agreements governing these issues and providing them with policies and procedures for “passwords” and “browsing habits”.
- Research and understand which standard cybersecurity defenses organizations such as yours are required to adhere to, or know the best practices to follow for your industry.
- Understand how and when you have to disclose breaches, i.e. if you are a public company or in a self-regulated industry, you will be required to disclose an attack or advise your insurance provider.
While keeping up with the latest security measures to protect your business can be overwhelming, there are legal steps you can undertake (and insurance you can buy) to keep your exposure to a minimum and have peace of mind that while the times are changin’, they don’t change for the worse for your business.
Having an insurance broker discuss cybersecurity insurance or a lawyer conduct an audit/risk assessment could help you better understand any exposure. Please feel free to contact me directly should you have any questions about your business.