Best Practices for Cyber Incident Preparation and Response

Best Practices for Cyber Incident Preparation and Response

Best Practices for Cyber Incident Preparation and Response Imran Ahmad March 29, 2018 VA N C O U V E R CALGARY EDMONTON S A S K AT O O N REGINA LONDON

K I T C H E N E R - WAT E R L O O GUELPH TORONTO VA U G H A N MARKHAM MONTRAL Imran Ahmad Imran Ahmad is a partner at Miller Thomson LLP and specializes in the areas of cybersecurity, technology and privacy law.

Works closely with clients to develop and implement practical and informed strategies related to cyber threats and data breaches. Adjunct Professor of Cybersecurity Law at University of Toronto Author of Canadas first legal incident preparation and response handbook titled A Handbook to Cyber Law in Canada (published in August 2017 by LexisNexis). 2 What is Cybersecurity? The process of protecting information by preventing, detecting, and responding to attacks. Source: National Institute of Standards and Technology. US Department of Homeland Security

Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets. Source: International Telecommunication Union Cybersecurity is a state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this. Source: Oxford Dictionary 3 Personal Information What is Personal Information? Subsection 2(1) of PIPEDA provides the following definition:

information about an identifiable individual According to the OPC*, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. Examples: age, name, ID numbers, income, ethnic origin, or blood type; opinions, evaluations, comments, social status, or disciplinary actions; and employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs) The Office of the Privacy Commissioner (OPC) is responsible for the administration

of PIPEDA. 4 Types of information clients have Customer information Financial and health info is deemed to be sensitive under privacy laws Companys confidential & proprietary information Intellectual property Internal investigations Business plans Supplier or Purchasers confidential & proprietary information

Source: Tales 5 Common Types of Cyber Threats 6 Types of breaches Classic cyber-attack: Breaking into a network DDoS attack: Directing junk traffic to a site and bringing it down Phishing attack: Email with malware Whalling attack: Targeting senior management + fraud

Social Engineering: Targeting specific individuals based on publicly available info. 7 Some Statistics Cyber crime damages costs to reach $6 trillion annually by 2021. Cybersecurity spending to exceed $1 trillion from 2017 2021. Cyber crime will result in more than tripling the number of unfilled cybersecurity jobs, which is predicted to hit 3.5 million by 2021. Human attack surface to reach 4 billion people by 2020.

Global ransomware damage costs are predicted to exceed $5 billion in 2017 8 Recent Cyber Attacks in the News 9 Recent Cyber Attacks in Canada 10 What to Expect in Cyber in 2018? Top 5 Trends to look out for: 1. Mandatory data breach is coming

2. Continued growth in cybersecurity and privacy litigation 3. Board oversight Business Judgment Rule should prevail 4. Vendor Management Beware of the weakest link 5. Accelerated adoption of cyber insurance 11 Areas of Risk and Sources of Attack: Main Cyber Adversaries Source: PricewaterhouseCoopers. Jason Green, Best Practices for Data Security and Data Breach Protocol, ed (2015). 12

Risk to Business Director and Officer liability Legal liability including litigation Regulator enforcement and investigations

Failure to meet key contract terms Economic harm (e.g. loss of confidential information/IP) Reputational harm Business interruption

Physical harm 13 Focus of Board and Management 14 On the Governments Radar Prime Minister mandated Minister of Public Safety: Lead a review of existing measures to protect Canadians and our critical infrastructure from cyber-threats, in collaboration with the Minister of National Defence, the Minister of Innovation, Science and Economic Development, the Minister of Infrastructure and Communities, the Minister of Public Services and Procurement, and the President of the

Treasury Board. Public Safety launched public consultation in August Objectives tighten security introduce new laws improve coordination

economic opportunities 15 On the Governments Radar Minister of Public Safety launched public consultation process in August 2016 Consultation will feed into new legislation and national cybersecurity strategy Likely to mirror what is required in the US and in consistent with G7 principles on cybersecurity

16 Legal Landscape CANADA Public sector privacy laws PIPEDA and other provincial and sectoral privacy legislation Qc/AB/BC have privacy laws that are substantially similar Health privacy laws Canadian Criminal Code Vital Cyber System Legislation Consultation process to launch once draft legislation is released Quebec: Civil code (sections 35-41) Act to Establish Legal Framework for

Information Technology UNITED STATES Federal law Cybersecurity Information Sharing Act Cybersecurity Enhancement Act of 2014 Federal Exchange Data Breach Notification Act of 2015 National Cybersecurity Protection Advancement Act of 2015 State law Cybersecurity laws of New York 17

Canadian Privacy Landscape 18 Canadian Privacy Landscape Note: Manitoba enacted the Personal Information Protection and Identity Theft Protection Act. However, it is not currently in force. 19 Legal Landscape EUROPE Global Data Protection Regulation (GDPR) data breaches must be reported as soon as possible and, where feasible, no later than 72 hours after discovery of a breach. personal data now extending to location, IP address, RFID identifiers, as well as whole new

swathes of medical data, including genetic information. the right to be forgotten being enshrined in law, allowing people to request of search engines to delete links to the data in question. regulation will apply to companies headquartered outside of Europe as long as they have operations in Europe. greater rigour around consent to use personal data new requirements to carry out Privacy Impact Assessments (PIAs) to ensure that personal data is sufficiently protected and privacy of the individual maintained. Network and Information Security Directive (NISD) complementary to GDPR, designed to create a focus on the protection of IT systems in European critical national infrastructure 20 Digital Privacy Act Digital Privacy Act, came into force on June 18, 2015 and amends PIPEDA in important ways Requires mandatory reporting of security

breach by organizations Notification to Privacy Commissioner All affected individuals who may suffer significant harm Any Third Party who can mitigate losses Requires keeping security breach log of any data breach involving personal information Fines of up to $100k for failure to report breach or keep logs. Mandatory breach reporting regime is not yet in force 21 Litigation Exposure 22

Jones v. Tsige, 2012 ONCA 32 Facts Sandra Jones and Winnie Tsige worked @ different branches of same bank Over 4 years, Tsige used her workplace computer to access Jones personal bank accounts at least 174 times Jones sued for invasion of privacy Findings Tort of intrusion upon seclusion recognized by Ontario Court of Appeal Plaintiff awarded $20k in damages

without demonstrating any pecuniary loss occurred Liability arises where the invasion of privacy is: Intentional or reckless Lacks legal justification Considered offensive to reasonable person 23 Jane Doe 464533 v. ND, 2016 ONSC 541 Facts Plaintiff and defendant were in romantic relationship and made video of a sexual nature They eventually broke up and

defendant posted video online Plaintiff could not sleep, focus on school and eventually checked into crisis center Plaintiff sued for disclosure of private facts Findings Court recognized the tort of public disclosure Court found that: defendant made public an aspect of the plaintiff's private life reasonable person would find the act of publication to be highly offensive; and

there was no legitimate public concern justifying publication of the matter Plaintiff awarded $100K due to uniqueness of case 24 Claims evolving...Courts listening We are also seeing claims arising from: Breach of contract Negligence Breach of confidence Breach of fiduciary duty Breach of trust on part of the holder of the data Claims have also been advanced

under tort of conversion and breach of bailment law If data breach was result of employees wrongful act, plaintiff may be able to hold employer organization vicariously liable Key takeaways Constant evolution Litigation bar is advancing creative claims Courts are listening However, Courts recognize that the standard is not perfection but one of reasonableness Accordingly, Courts will look at what steps the organization took

to mitigate the risks before a breach occurs 25 Governance Source: NIST - National Institute Of Standards And Technology. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014. 26 Best Practices Pre-Attack 27 Best Practices During / Post-Breach

28 MILLERTHOMSON.COM 2016 Miller Thomson LLP. All Rights Reserved. All Intellectual Property Rights including copyright in this presentation are owned by Miller Thomson LLP. This presentation may be reproduced and distributed in its entirety provided no alterations are made to the form or content. Any other form of reproduction or distribution requires the prior written consent of Miller Thomson LLP which may be requested from the presenter(s). This presentation is provided as an information service and is a summary of current legal issues. This information is not meant as legal opinion and viewers are cautioned not to act on information provided in this publication without seeking specific legal advice with respect to their unique circumstances. VA N C O U V E R



Recently Viewed Presentations

  • Other Magnetic Nuclei than 1H H (Deuterium): I

    Other Magnetic Nuclei than 1H H (Deuterium): I

    Arial Times New Roman Symbol Default Design CS ChemDraw Drawing Other Magnetic Nuclei than 1H Fluoroacetone, CH3COCH2F 13C-NMR Spectroscopy Double Resonance: Spin-Spin Decoupling 13C-NMR of diethylphthalate 13C{1H} NMR of diethylphthalate 13C{1H}-NMR of diethylphthalate Peak Intensities in 13C-NMR Chemical Shifts in...
  • Needs Analysis Tools - M.Pd. Pendidikan Bahasa Inggris

    Needs Analysis Tools - M.Pd. Pendidikan Bahasa Inggris

    The Various Focuses of Needs Analysis. Hutchinson and Waters (1987) divide needs into target needs(i.e. what the learner needs to do in the target situation) and learning needs(i.e. what the learner needs to do in order to learn).The analysis of...
  • Avdelning för Ellära och Åskforskning

    Avdelning för Ellära och Åskforskning

    Research Areas Water Current Energy Bio-fuelled plants Wave Energy Wind Energy Hydro Power Pulsed power ? ... Avdelning för Ellära och Åskforskning Author: Erik Segergren ... Other titles: Times New Roman Gill Sans Arial UU_mall_tryck CorelDRAW 12.0 Graphic Microsoft Equation...
  • Plant Cells: Comparing Plant Cells with Animal Cells

    Plant Cells: Comparing Plant Cells with Animal Cells

    GOAL To learn the structure of cells and functions of organelles within a plant cell To distinguish between plant and animal cells Plant Cell ONLY Cell Wall 1. Stiff for protection and support 2. Acts as a doorway Animal and...
  • ASTR 1120 General Astronomy: Stars and Galaxies

    ASTR 1120 General Astronomy: Stars and Galaxies

    ASTR 1200 Announcements.. Meet in Planetarium next Tuesday First Problem Set Assigned. Due next Tuesday in class. Observatory Sessions all now at 8:30pm Lecture Notes going up on the website Schedule has been updated. Exam dates set. Text Chapters now...
  • Later Islamic Empires - Coach Kitchens' Weebly Page

    Later Islamic Empires - Coach Kitchens' Weebly Page

    Bantu Migration. Bantu Migration Map. Slash and burn method of farming forced them to move every few years. When they moved, they shared agricultural & ironworking skills with the new people they encountered. Migrate across central Africa & eventually make...
  • NCBI Literature Databases

    NCBI Literature Databases

    E.g. cell will be mapped to a MeSH heading first; therefore PubMed will cease to map it to other (author or journals) indexes. If PubMed cannot match the term in either the MeSH or Journals Tables it will then try...
  • Adaptive Book: A Platform for teaching, learning and

    Adaptive Book: A Platform for teaching, learning and

    Current Collaborators: Andrew Owens (Cornell) Jay Heo, Dan Horbatt & Chantelle Humphreys(CMU) Research Partially supported by: Qatar Foundation, Microsoft, HP,CMU Ananda Gunawardena, Carnegie Mellon University, CS Department John Barr , CMU-Qatar & Ithaca College Results * The Process requires the...