With businesses and public institutions more reliant on technology than ever, the pandemic has highlighted the importance of good cyber security, which will be the focus of an upcoming panel providing advice to prevent breaches.
Paul Armitage, a partner at Gowling WLG’s Vancouver office whose practice includes cyber security and privacy law, will be speaking about cyber security during the pandemic at the Cyber Security panel presented by Business In Vancouver, available on its website on October 22, 2020.
Armitage and Gowling WLG help organizations prepare their cyber security policies and implement measures to prevent a breach from occurring.
They guide organizations through their responsibilities around notifying stakeholders affected by a breach, and help with legal questions and responses to lawsuits.
Armitage says organizations need to keep three things top of mind when putting their cyber-security plans in place.
Know your obligations
A security breach could result in a class-action lawsuit against an organization or an investigation by a privacy commissioner.
An organization will then be judged, from a legal perspective, by how its cyber security policies and measures compare to industry standards. Fortunately, there are ways an organization can proactively shield itself from liability.
Mainly, an organization needs to understand the framework in which it operates and what standards it must meet, including privacy laws, any regulations and guidelines specific to its industry, and common law obligations to protect corporate assets. Has the organization taken appropriate steps to meet those standards, such as installing firewalls, security patches and user authentication to safeguard people’s personal information?
“Generally speaking, an organization is going to be judged according to the legal standard of reasonableness,” Armitage says.
“Does the organization have a reasonable cyber security program in place, in light of the various sources of those standards?”
Once an organization knows its obligations, it needs to implement policy and measures to meet them.
Making cyber security a priority for the organization on a governance and management level is key, Armitage says.
For larger companies, it’s best to have cyber security built into the organization with a chief information-security officer and privacy officer, who are responsible for oversight and for reporting to upper management and the board when an incident occurs.
Employees need training and policies which guide their actions. They might need a refresher course on phishing scams or acceptable use of IT systems, for example.
Then there are technical measures such as firewalls, anti-virus software, and intrusion-detection systems.
Organizations should also do due diligence with external service providers of data storage and IT systems. They, too, have security vulnerabilities, and it’s important to ensure they have proper controls and certifications in place.
Finally, cyber security insurance protects an organization against the costs of a cyber incident. Such policies are becoming more common these days, Armitage says.
Know how to respond
Even if an organization knows its obligations and has safeguarded itself, it may still suffer a security breach. The basic expectation and requirement for organizations is to have a cyber-incident response plan.
If an incident does occur, how does the organization deal with it? A well-planned response will likely include stopping the breach, investigating what happened, assessing what harm has been done to people’s personal information, and then determining whether any notifications need to be provided to affected people and a privacy commissioner.
Cyber security in the pandemic
Armitage notes some organizations weren’t fully set up before the pandemic with network security and security on devices, and the move to remote work revealed cyber security vulnerabilities.
“It’s really all the same issues but they became much more heightened, in a sense, because there was this immediate rush for people to start working from home, remotely, and doing more things online,” he says.
As well, having more people work from home has meant an increased risk they’ll fall prey to cyber scams, such as someone claiming to be a colleague and requesting a money transfer, Armitage adds.
“If you’re sitting in the same office, there’s an easy way to check out and see if that’s a real request,” he says.