Cyber Security: How can law firms and organizations prepare for data breaches?

By Warren Urquhart, ADB Insights

Earlier this month CANLIF, in association with Ricoh, held a webinar on cyber security. Specifically, how to prepare for, respond to and remediate data breaches.

Managing cyber security is a key challenge organizations face, with 2021 setting a record for significant data breaches. To dissect the topic, CANLIF assembled a panel of experts to discuss key drivers and trends related to cyber security and best practices in preparing for, managing and remediating breaches.

Click here to watch and learn from the insights of our panel, which includes John Salloum (Partner, Privacy and Data Management, Osler), Christian Geyer (Chief Financial and Operations Officer, ActiveNav), Nasim Ghasemi (Associate Lawyer, Data Privacy at Deloitte Law), Sean Lynch (Director of Client Strategy and Outcomes, Ricoh) and our chair Tamara Porter (Senior Director of Enterprise Business Development, Ricoh).

Ransomware and how data breaches are only getting more complicated

We live in an increasingly complex world filled with smart objects that constantly process and exchange data. “A frequent type of data breach is ransomware, where hackers hold data hostage - under threat of leaking it - until they receive a payment,” noted Nasim Ghasemi of Deloitte.

An interesting point made during the discussion is that new sanction laws - responding to ongoing conflict in Ukraine - forbid organizations from paying hackers in Russia. And - increasingly - organizations are discovering that even if they do pay hackers after a breach, their data is still released publicly.

Speakers on the panel noted that a breach, and the investigations that follow it, can uncover contraventions of privacy regulations such as GDPR and CCPA, something organizations should take note of during their assessment process.

Sean Lynch of Ricoh raised the point that “Canadian organizations have followed the trend in the US of being victim to more ransomware attacks.” And Christian Geyer of NaviStar told the audience how “hackers are using ransomware to be more targeted, going after specific files and keywords; with finance and accounting departments under particular threat.”

Whether you are prepared for it or not, if your organization has large stores of data, you are likely a potential target. 

How to prepare for a data breach?

John Salloum from Osler, outlined an excellent framework for how organizations should prepare for a data breach.

  • Start from the standpoint that you will be breached eventually. Plan both to prevent a breach and to deal with the likelihood that one will occur, and take the measures needed to respond when it does.

  • Know your roles. Right after a breach, your organization should know who is doing what. During a breach, time is of the essence and a prepared team lowers overall tail risk.

  • Have a breach response plan. Beyond knowing your roles, know what to do and who to contact, both within and outside your organization. Pre-negotiate agreements with your vendors and forensic investigators and keep them on retainer, so you can address a breach in real time.

  • The more you have planned - the less damage to you and your clients. Data breaches can happen on weekends, holidays, or during the summer when everyone is on vacation. Be prepared.

Prepare your policies; make them proactive.

Any data policy is a data breach policy. Lynch commented that to “minimize your risk, your organization must have strong data retention controls and information governance in place”. Yes, lawyers hate deleting things. However, if you know what is appropriate to delete, namely information that is rarely needed, you can reduce your risk: data you don’t hold is data that can’t be exposed.

Geyer noted that “policies are only good if they are enforced, and data retention is something many organizations could improve on,” with many organizations keeping terabytes of information they don’t need.

Audience Question: How different should an organization's response be if they experience a breach in isolation versus if a primary infrastructure provider (in AWS or GCP) experiences a breach that affects many companies?

A question from the audience brought several insightful answers from our panelists. Essentially, it comes down to information and controls. If your organization is breached directly, you have control. If a vendor is breached, you don’t, because it is their infrastructure that is compromised.

Such an event can shine a light on the robustness of your vendor management program, and regulatory authorities will see how diligent you have been in overseeing the safety of information held by the data providers you do business with. As Lynch noted, “a breach from an infrastructure provider requires different framing to consumers; because it is not you, your business suffers less reputational risk.”

What to do during a breach?

Call in legal. Salloum expanded on this, noting four key steps you should address during a breach.

  • Containment. Don’t let your breach be a leaky faucet that keeps on flowing. Try to stop it in its tracks.

  • Re-evaluating risk. See what data was taken, how it was taken, and who was affected.

  • Notification. Find out who to notify and how. This is imperative for stakeholder trust (internal, external and regulators).

  • Prevention. Learn your lessons. Take any necessary actions to stop a breach from happening again.

While jurisdictions vary, Ghasemi said that “often the legal requirement is the moment of unauthorized access.” At this point you must notify impacted individuals, or third parties that you have data-sharing agreements with. “And while it can be expensive, breach insurance can be a useful tool,” noted panel chair, Tamara Porter from Ricoh.

What to do after a breach?

The period right after a breach can be challenging, but it is a critical one. As Salloum noted, “it also marks the time for an organizational change, perhaps the best time to add more controls and change how you manage and retain data.” Organizations are often even more vulnerable after a breach, so be on guard.

Adding to this, Lynch noted: “Auditing your policy is again important, to make sure you are following it. You do not want to go to a regulator, and explain that yes, you have a policy, you just don’t follow it.”

Controlling Data Breaches: Before, During and After

In summary, dealing with a data breach means preparing before it happens, acting during it, and following up after. You need strong controls, defined roles, and a team willing to adapt and change. Data breaches are a growing problem, but with the right legal team and vendors, your organization can emerge stronger.

Want to learn how to innovate beyond protecting your data? Visit our website which has our current series of webinars available on demand.
