Cybersecurity Law

In recent years, the pervasiveness of computers and the Internet have brought about what has come to be known as the « Digital Age », a new era characterized by unprecedented interconnectivity and interoperability between individuals, machines and networks around the world.

One of the most remarkable aspects of this technological revolution is the ability to convert any type of information (words, images, sounds, etc.) into a standard form, that is « data », and exchange same over the Internet with other entities anywhere in the world almost instantaneously.

In the span of 2-3 decades, this revolution has completely upended our society, in particular the way we interact, communicate and conduct business. This is why a growing majority of businesses have come to depend on computer networks and information systems connected to the Internet to run their operations. This data driven dependency is only the beginning as it is expected to increase further with artificial intelligence, automation (industry 4.0), the development of the Internet of things (IoT) devices, and the rolling out of 5G technology.

While these technological innovations provide significant advantages to their users, they also raise important legal issues pertaining to data security and privacy with far-reaching consequences. This is why cybersecurity plays such a determinant role in risk management strategies of modern organizations.

What is cybersecurity?

The most fundamental change that the Digital Age has brought about is our relationship to data. With its standardization through digitization, businesses and organizations have been processing, collecting and storing a growing volume of data in the normal course of their operations (whether for programs, applications, databases, trade secrets, privileged information, billing, HR, research and development, etc.). This trend (data dependency) is only the beginning as technological developments will continue to require an ever-growing volume of data to maintain or enhance interoperability and interconnectivity between people and systems.

While data has become associated with growth, progress and competitiveness, it also represents a liability as the breach thereof might be the source of significant harm and damages (loss of data, privacy, ID usurpation, fraud, data leak on the Internet, theft of IP, threat to human life, interruption of operations, financial losses, devaluation of shares, etc.). As a result, data constitutes and must be seen as a critical asset to organizations. This is why confidentiality, integrity and accessibility of data are key elements at the very core of cybersecurity.

What is cybersecurity? According to the National Institute of Science and Technology (NIST), cybersecurity can be defined as « the process of protecting information by preventing, detecting, and responding to attacks ». This includes prevention, protection and restoration of computers as well as various electronic communication systems, and, obviously, the protection of information.

However, this is easier said than done for three reasons.

First, cybersecurity is a complex, technical and intangible environment. Second, all Internet facing or connected organizations are exposed to the threats to data that swarm the web in one form or another. And third, given that the Internet and all the components of the computer industry (firmware, hardware, software, components, etc.) do not have built-in security by design, the responsibility of data protection, ultimately, rests in the hand of the end user (that is, individuals or and organizations) who often do not have the awareness, skills or resources to act accordingly. In addition, cybersecurity is often considered an IT problem and not an operational issue, which explains why cybercrime in recent years has become a growth industry that costs billions of dollars to organizations every year.

In light of the above, cybersecurity law is not so much a field of practice per se but rather a risk management approach from a legal perspective designed to minimize the potential liabilities to which are exposed Internet-connected organizations.

Why be concerned about cybersecurity?

It is generally a well accepted fact amongst IT and cybersecurity professionals that organizations and businesses which are connected to the Internet (that is most if not all) are regularly exposed to various types of threats which eventually will manage to compromise their information systems and networks. Therefore, the issue is not whether an organization is likely to suffer a cyberattack but rather when this will occur...  As a result, the question that ought to be on the mind of any operation-minded C-suite executive is the following:

Are we prepared to withstand a cyberattack?

Despite the occurrence of several spectacular cyberattacks and data breaches that made the news in recent months (Desjardins, Equifax, Maddison, Microsoft, Yahoo, LinkedIN, Target, etc.), and the likelihood that most organizations will suffer cyber incidents with potentially dramatic consequences in costs and reputation (as is often the case with ransomware attacks and massive theft of Personal Identifying Information), a majority of Canadian and Quebec businesses still neglect to address this clear and present danger with the gravity and urgency that it deserves. This is often due to a lack of awareness of the risks, lack of resources, and to the inherent technical and abstract nature of cybercriminality.

What are the risks pertaining to cybersecurity?

Cybersecurity is like an armour or last line of defense meant to protect an organization’s systems and data from intrusions. These intrusions can be perpetrated either by individuals (for profit, fame or a cause), organized crime, Nation States, or insiders (often an overlooked risk, as was the case with Desjardins). The means to execute these intrusions can take various forms : phishing, social engineering, theft of credentials, human error, system vulnerabilities, and unlawful/illegitimate access to data, to name a few.

If an organization’s cyberdefense fails, the consequences may translate into 4 categories :

1. Operational risk : given the relative ease with which threat actors may compromise networks or information systems and their data (cyber weapons are readily available on the Internet!), an organization may be compelled  to interrupt partially or completely its operations for some time in order to determine the source/cause of the breach, isolate and eradicate the threat, and ascertain what data has been compromised to take appropriate contingency measures (including notification to the victims and the authorities as the case may be). The ensuing downtime can be very costly and even fatal to an organization considering the loss of productivity and the negative impact on moral, reputation and business performance.
2. Liability risk : A cyber incident which hinders production and/or involves PII will likely expose the organization to lawsuits for the damages incurred by the victims (users, clients, employees, business partners, shareholders, etc.).
3. Reputational risk: Nowadays, cyberattacks have become a common nuisance and people are generally empathetic when an organization is so afflicted. However, given the growing public concern for privacy and data protection, a cyberattack can prove to be very damaging to the image and reputation of an organization if it is revealed that it has been negligent in that regard or does not adhere to best practices in matters of cybersecurity. The consequences can translate into significant loss of business as it will affect the trust of clients, employees, business partners, insurance providers and, necessarily, the value of the organization itself.
4. Compliance risk : Although there is no such thing as legal compliance standards in terms of cybersecurity, some laws require organizations to protect personally identifiable information (PII) with adequate security mechanisms. This implies that an organization must have cybersecurity measures that are in line with the best practices of the industry to be deemed compliant. If these security measures are not in place to protect PII, a breach of data may expose an organization to costly fines such as the ones contained in Quebec’s Bill 25. As a result, compliance with applicable laws (as the case may be) is an issue that organizations should address in their risk management strategy.

That being said, there are a number of strategies, techniques and measures that organizations ought to consider/introduce in the elaboration of their risk management strategy, such as:

• Awareness (through staff training)
• Preparation (identify the critical assets and likely risks (general security audit), how to detect and react to threats)
• Prevention (access control mechanisms, physical and logical security, governance)
• Transfer of risks (cyber insurance and contract clauses pertaining to third parties)
• Detection (intrusion and logging mechanisms)
• Reaction (Incident response plan, Incident response Team, Simulations)

Note of encouragement : Although the process of developing and integrating a risk management strategy pertaining to cybersecurity may seem tedious, time consuming and costly, any effort in that regard will help your organization develop its awareness and capacity to plan, fend off and/or recover from a cyber incident.