Live note taking at the 2016 MRIA annual conference in Montreal. Any errors or bad jokes are my own. If you think any of this is legal advice, turn off your internet right now and grab a colouring book and crayons instead.
Panelists: Patrick Cruikshank, Eric Dolden, Derrick Leue, Serge Solski
- What is cyberrisk – extortion, online wire fraud, identity theft
- Legal trends – 3 claims per month for this legal speaker; Canada protects all aspects about a person, including which brand of pop they like and what TV shows they watch, not just their financial or medical records; it doesn’t matter if it’s knowing or careless or preventable, you are liable; if you give away confidential information even when you know it’s confidential, you are liable for the costs and profits
- Businesses don’t report every issue because it could put their reputation at risk
- Are market research companies too small for hackers to come after them? Absolutely not. Geography doesn’t matter. You are just a number on the Internet, crimes of opportunity. 80% of attacks are from external parties [yikes 20% are YOUR employees!]; They just need a door to get in and then they can figure out how to get $ from you.
- Newest legislation moved us closer to the American model. For snooping or taking of data without consent, there is an obligation to report to the privacy commissioner, whether provincial or federal. If there is a possibility of harm, you are obligated to notify the persons that their information was compromised. Not every unauthorized access requires notification because there may be no risk of harm, whether physical, emotional, identity theft, financial loss, loss of business, reputational harm, risk of humiliation, loss of relationship, public safety or health. Snooping without taking also counts.
- PIPEDA protects only PII.
- Breach of confidence is different – giving away information knowingly, trying to get paid twice for the same thing, maybe it’s careless such as an email with an unintended recipient and that would be negligence
- [listening to these speakers makes me really wonder about what I have in my emails, how much PII or confidential information is in there? How many unintended people have I emailed?]
- [really glad MRIA included this session right after the main keynote. This is massively important and business threatening information that we all must know]
- Someone could easily lock us out of our own systems unless we pay them 500 000. Would we tell the right people, because this would threaten your current and future business? It can make more sense to pay up rather than report it.
- In every case, even when there was zero harm, judges have said consumers are owed damages because their privacy was compromised; awards are around $5000 up to a high of $20000 in cases of deliberate negligence
- Look at known vulnerabilities like firewalls and failing to update systems; employees need to know how to avoid creating holes in the firewall; need to constantly update systems; make sure the team doesn’t destroy evidence or you can’t prove that YOU didn’t do it
- Most Canadians don’t have adequate insurance for cyberrisk; we’re covered for fire and injury and financial loss and liability, but these don’t cover information loss or denial of service attacks
- Better to have one insurance company that covers all the issues as opposed to one covering physical loss, one covering information loss
- Human error is one of the best arguments for buying cyberrisk insurance
- Directors and officers have been named in claims for not being efficient in dealing with issues or not ensuring they stay up to date with issues – e.g., not responding after two reminders, not heeding recommendations
- Small companies probably won’t survive cybercrime while big companies might make it through
- EXPECT to be attacked, this is a hard fact. Be prepared because people and technology have weaknesses. Someone WILL click on that link and download that virus.