Ransomware, Liability, and Regulation: A Rapidly Evolving Legal Problem

Natasha Burman

What is a lawyer’s role in the wake of a cyberattack?

On March 2, the University of Toronto Faculty of Law’s Privacy and Cybersecurity Law Group (PCLG) held its fourth event in its Digital Discussion Series: a panel discussion on the unique business and legal risks that a company faces when threatened by a ransomware attack. This follows the colossal increase in ransomware attacks globally, where approximately 37 percent of global organisations reported they were the victim of some form of ransomware attack in 2021. 

A ransomware attack is a cyberattack that holds a victim’s data hostage. For instance, attackers can encrypt critical data and demand a ransom to restore access to it. Ransomware can spread across a network and quickly paralyze an entire organisation. With the growing importance of data, it has become a major “industry” for cybercriminals, generating billions of dollars in payments (usually in cryptocurrency) and creating significant risks for businesses and governmental organizations. For example, the Colonial Pipeline ransomware attack on May 7, 2021 left the United States’ largest pipeline system for refined oils completely offline, causing President Joe Biden to declare emergency orders on May 13.

The panel was moderated by Professor Lisa Austin (Chair in Law and Technology), and featured four distinguished industry professionals: Imran Ahmad (Partner, Head of Technology, Co-Head of Information Governance, Privacy and Cybersecurity, Norton Rose Fulbright LLP), Juan Castaneda (Security Consulting Senior Manager, Accenture), Ruth E. Promislow (Partner, Cybersecurity, Privacy & Data Protection, Bennett Jones LLP), and Daanish Samadmoten (Partner, Privacy & Cybersecurity, Fasken Martineau DuMoulin LLP).

The Role of the Lawyers

After discussing how ransomware is a growing industry, the panellists turned to how lawyers aid in mitigating the legal and technical risks of a cyber breach. 

Prior to a cyber incident, cybersecurity and data privacy lawyers advise organisations on data breach preparedness and response. One way of doing so is by running “tabletop exercises”, which are sessions where an organization’s key members run through a hypothetical cyber breach scenario and discuss each role in the emergency situation. These exercises aim to ensure that a company’s key players understand their roles and responsibilities, where they are lacking in preparedness, and how communication lines will operate when all internal systems are compromised.

In the wake of a cyberattack, a lawyer takes on the critical role of “breach counsel” for the attacked company or organisation, adopting three main responsibilities. 

The first is one of legal privilege; lawyers called immediately after a cyberattack have the most visibility, and are thus able to act much like a project manager. Samadmoten described a lawyer’s role as a quarterback: the leader of the offence, calling plays in the huddle. In this capacity, lawyers coordinate across the organization to ensure business continuity and minimize exposure to further risks. As part of this responsibility, the lawyer helps decide whether or not to pay a ransom, with the organization’s particular circumstances in mind. In some cases, the company may be able to move back online without paying the ransom. In other cases, business may be more severely impacted and require technical control much sooner. 

Second, lawyers give the company legal advice, following federal and provincial privacy laws or other requirements in regulated industries. For example, the Office of the Superintendent of Financial Institutions (OSFI) has created notification requirements; once a financial institution is breached with a cyberattack, it must notify the regulator within a certain timeframe. Furthermore, in this capacity, lawyers assist with coordinating information with law enforcement. Third, lawyers manage any and all communications made about the cyberattack to the public. This is particularly difficult in the early stages of the attack, where the facts are still unknown; breach counsel needs to determine how much information can be disclosed without potentially compromising internal or external investigations.

In the aftermath of a cyberattack, lawyers can also represent clients in regulatory complaints and investigations, administrative proceedings, and civil litigation. Cyberattacks can give rise to class action lawsuits; for example, where an organisation has failed to meet its data retention obligations.

Federal and Provincial Regulation

The panellists also discussed how legislation in Canada has been slow to create legal repercussions for organisations that have been hacked and negligently lost individuals’ personal information. There are provincial and federal privacy laws that may require an organisation to act in the wake of a cybersecurity incident. 

Federally, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires that an organization report any breach of security safeguards involving personal information under the organisation’s control if it is reasonable in the circumstances to believe that the breach created a real risk of significant harm to an individual. Provincially, Alberta’s Personal Information Protection Act creates a similar obligation in section 34.1(1). However, these provisions alone create narrow opportunities for an individual right of action. The November 2020 revision to PIPEDA, Bill C-11, proposed an individual cause of action against an organization for damages for loss or injury where the individual was affected by an act or omission by the organization that constituted a contravention of PIPEDA. However, Bill C-11 died on the order paper as it was not passed before the dissolution of Parliament.

On September 21, 2021, Quebec’s National Assembly adopted Bill 64, An Act to modernise legislative provisions as regards the protection of personal information (Act). The provincial private-sector privacy legislation is set to come into force in stages from this year through 2024. The Act creates obligations for organisations to act in the wake of a cyberattack, including designating a person in charge of the protection of personal information and mandatory breach reporting. Bill 64 provides three different types of mechanisms to enforce compliance: (1) administrative monetary penalties administered by Quebec’s privacy regulator of up to $10,000,000 or 2 percent of worldwide turnover; (2) penal offences, sanctioned by a fine of up to $25,000,000 or 4 percent of worldwide turnover, imposed by the Court of Quebec; and (3) a private right of action, with the possibility of punitive damages when there is an unlawful infringement of a right conferred by the Act. Quebec’s Act is the first of its kind in Canada, moving closest to the EU’s General Data Protection Regulation. 

The Future of Law?

The role of a lawyer before, during, and after a cyberattack is multifaceted and rapidly evolving, especially as cyberattacks increase in number. Lawyers are charged with taking on the role of a psychologist, strategist, policy analyst, and public relations specialist, to name a few, in addition to providing legal advice in the face of developing federal and provincial legislation. 

During the panel, Professor Austin highlighted the gap in U of T Law’s program when it comes to a course centred around cybersecurity law; the current legal-tech courses, which are taught by Prof. Austin herself, do not address this growing practice area. Prof. Austin intends to advocate internally for a cybersecurity law course.

Getting Involved with Law and Technology

The PCLG plans to host more events in the future, as part of its Digital Discussion Series. You can get involved by joining the PCLG Facebook Group for current events, articles, panels, conferences, and job postings relating to law and technology.

Editor’s Note: Natasha Burman is Co-President of the PCLG.
