Globally, 2017 saw a year-over-year increase from 2016 in the number of cyberattacks and data breaches that were reported in the media and to various regulators. Canadian organizations (public and private) were no exception to this global trend. Interestingly, attackers did not discriminate in who they targeted – victims included financial institutions, manufacturers, retailers, universities, hospitals, and government agencies. The techniques used were both sophisticated and varied, ranging from ransomware attacks (malware that encrypts data until the victim pays a ransom) to advanced persistent threats (deliberate, sustained attempts to break into a particular organization’s network). Unfortunately, 2018 is shaping up to be another busy year for attackers, who show no signs of slowing down.
The following five key cybersecurity trends in 2018 should be on every general counsel’s and risk manager’s radar.
- Mandatory Data Breach Notification Finally Coming?
On June 18, 2015, the federal government passed Bill S-4 – The Digital Privacy Act, which introduced several key changes to Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Some of the changes anticipated to come into force later this year include mandatory data breach notification and mandatory record keeping for all breaches.
The mandatory data breach notification will require organizations to notify affected individuals, certain other organizations and the Office of the Privacy Commissioner of Canada (the “Commissioner”) of any data breach (referred to in PIPEDA as “a breach in security safeguards”), that is reasonably believed to create a “real risk of significant harm to the individual.” The new breach notification model will align the Canadian approach with those of our American and European counterparts.
Despite several delays, the federal government completed its consultation process regarding the Breach of Security Safeguards Regulations this past fall. It is therefore anticipated that these provisions will come into force in the first half of 2018 and are likely to increase an organization’s litigation exposure as a result of a major breach.
The Breach of Security Safeguards Regulations will also require organizations to maintain a record of every data breach for a minimum of 24 months after the organization has determined that a breach has occurred. These records should be sufficiently detailed and include, among other things, the methodology used and the factors considered in determining whether a particular breach met the threshold of “real risk of significant harm.” These records will be used by the Commissioner as a means to verify compliance and to inform further enforcement action, if required.
For detailed information about what will be required under the Breach of Security Safeguards Regulations, please see our commentary here.
- Rise in Complex Ransomware Attacks
Ransomware attacks – malware that encrypts data pending an extortion payment – will continue to increase both in frequency and complexity in 2018.
Traditional ransomware attacks that simply encrypt data on a computer and demand the payment of a ransom will evolve into a more complex form of cyber threat, one which will target an organization’s critical data, disrupt key business operations and demand larger payment amounts as a result.
2017 saw an alarming growth in the development of new ransomware variants. What is new is that attackers are investing significant resources to modify the code of existing ransomware so that it can slip past antivirus programs unrecognized and undetected. What is more concerning is that newer variants are not only encrypting data, but also deleting or corrupting it when the ransom is not paid. This is particularly significant given that reliance on backups is not a perfect solution – studies show that close to 60% of organizations that relied on their backups were not able to fully recover everything.
Also, there has been a marked increase in ransom amounts. Following the “success” of the WannaCry and NotPetya ransomware campaigns, attackers have upped the ante and are now demanding ransoms of several hundred thousand dollars. This trend is likely to continue in 2018.
Recognizing that (i) ransomware attacks usually rely on human error, (ii) attackers are now targeting critical data that can cripple an organization’s day-to-day operations, and (iii) the ransom amounts have increased significantly, it is safe to say that not only will ransomware attacks continue but that their impact on organizations will be much more significant.
- Europe’s General Data Protection Regulation
In May 2018, the European Union’s General Data Protection Regulation (“GDPR”) will come into force. The GDPR’s stated aim is to reinforce the data protection rights of European Union (“EU”) residents (commonly referred to as “data subjects”), facilitate the free flow of personal data in the digital single market and reduce administrative burden.
One of the key features of the GDPR is that it applies to all companies processing personal information of data subjects residing in the EU, regardless of the company’s location. Additionally, the scope of the GDPR is not limited to organizations that are actively targeting customers or users located within the EU. The GDPR will apply to all businesses that are processing personal information of EU data subjects, and where the processing activities are related to: (i) offering goods or services to an EU data subject (including goods and services offered at no charge); or (ii) monitoring (e.g., internet tracking and profiling) the behaviour of EU data subjects.
The GDPR is comprehensive when it comes to specific requirements that organizations must meet to ensure compliance. Some of the key elements include:
- Imposing obligations on data controllers and processors;
- Strengthening consent requirements; and
- Introducing or enhancing data subject rights relating to:
  - Breach notification,
  - Right to access,
  - Right to be forgotten,
  - Data portability,
  - Privacy by design, and
  - Data Protection Officers.
To ensure compliance, the GDPR provides EU regulators with enforcement tools that include the imposition of significant monetary penalties (i.e., up to 4% of an organization’s annual revenues or €20 million – whichever is greater).
Given the severity of potential sanctions under the GDPR, Canadian organizations should conduct a compliance assessment of their current policies and practices in order to (i) determine whether the GDPR applies to them and, if so, (ii) identify gaps in relation to the GDPR. Upon identifying these gaps, different strategies can be efficiently developed along with a compliance plan with a clear implementation timeline.
In the event of any enforcement action by the EU, such an assessment can serve Canadian organizations in demonstrating the steps taken to comply and allow for a successful defence or, at the very least, demonstrate good corporate governance that may result in a reduction of fines or enforcement action.
For more information about what the GDPR means for Canadian organizations, please see our commentary here.
- Mobility and Increased Use of Cloud Services
The use of mobile devices (whether personal or company owned) and cloud services is expected to continue at an accelerated pace in 2018.
Broadly speaking, mobile devices are heterogeneous, change rapidly and often necessitate the use of external cloud services. This adds to the demand by organizations to use software- and infrastructure-as-a-service (“SaaS” and “IaaS”) offerings to reduce time to market and capital expenses. Every use of SaaS is like using a new, unique software application, and every use of IaaS is like adding a new data centre. Therefore, the risk for organizations relying on cloud services is that traditional IT departments will often not be able to manage such things as version control, patch frequency and code reviews. As a result, traditional IT departments will need to adapt their development, quality assurance, administration and operations processes.
As transition to the cloud accelerates, organizations should ensure they are effectively managing security risks by implementing processes for continuous cloud monitoring, vulnerability management, and compliance monitoring. Some of the best practices in this regard include:
- Ensuring that security teams participate in the cloud service selection process and that security requirements are highly weighted in this process;
- Emphasizing configuration and application vulnerability assessment and mitigation as part of the development process, as well as final quality assurance before applications are approved for deployment onto cloud services;
- Integrating continuous monitoring for security vulnerabilities and changes into updated IT administration and operations processes, as IaaS and hybrid cloud use grows; and
- Merging the monitored data from cloud services with that from applications hosted in the organization’s data center (if applicable).
The goal should not be to halt the adoption of cloud services, but rather to have a process in place to effectively manage (and mitigate) the security risks associated with the increased adoption of mobile devices, SaaS and IaaS offerings.
- Internet of Things
Broadly speaking, an Internet of Things (“IoT”) device is defined as one that can be connected to the internet. This can include everything from smartphones and wearable devices to industrial devices used in advanced manufacturing. It is estimated that over 26 billion IoT devices will be connected to the internet by 2020.
Most IoT devices are manufactured with little or no oversight or regulatory control, are typically Wi-Fi and Bluetooth enabled, and are designed for immediate connectivity. Moreover, security is often a secondary concern for the manufacturers of these devices, who are rushing to get them to market as quickly as possible. As a result, these IoT devices can be easily “hacked” by attackers. This is particularly problematic when IoT devices are incorporated into legacy systems’ controls (referred to as supervisory control and data acquisition (SCADA) controls), such as those for train switches, power plants, energy grids, etc.
Given the risk that an attacker can potentially gain access to an IoT device (or a suite of IoT devices), some of the practical concerns relate to business interruption, theft of data (including personal and confidential data), and physical harm to individuals using these devices. Before introducing IoT devices into the workplace, organizations should, among other things, (i) ensure they are aware of the security standards embedded in the IoT device, (ii) ensure the associated contract has been appropriately scrutinized (especially with respect to product liability), and (iii) have appropriate protocols and policies in place to manage IoT devices being introduced into their environment.
Cyber threats will continue to dominate the agenda of Board members, senior leadership teams and risk managers in 2018. As Canadian organizations continue to collect large quantities of data, roll out new mobile applications, incorporate internet-enabled devices and generally adopt new technologies to streamline operations and find new efficiencies, they will need to ensure that they are carefully vetting vendor agreements and have clear protocols and processes in place that can be deployed in the case of a successful cyberattack.