Cybercrime: Be Careful What You Click For

December 15, 2014

Author: Gregory Cohen

Cybercrime highlights the unique value of information and the need for a risk strategy to deal with online security and liability. In particular, data breaches and network outages can have significant consequences for individuals, governments, organizations, and companies of all sizes.

Resulting costs include recovering lost or corrupted data, economic loss, copyright and patent infringement, business interruption, violation of privacy, reputation damage, and legal fees and fines.

For example, the Canada Revenue Agency encountered the “Heartbleed Bug” which compromised taxpayer information; a prominent electronics company lost over $150 million responding to a cyber attack exposing 77 million customer files; and software and social media companies faced similar attacks affecting over 40 million users. An estimated 40% of such attacks involve small to medium-sized businesses.

In Jones v. Tsige (2012), the Ontario Court of Appeal provided a judicial response to digital crime. A new tort – intrusion upon seclusion – exemplifies the importance of a risk strategy to protect privacy and digital assets and reduce exposure to liability. An employee had infiltrated a colleague’s personal financial records, and Justice Stinson held that invasion of privacy was not a recognized tort in Ontario; this prompted judicial lawmaking by the Court of Appeal.

An intrusion upon seclusion may be established where:

  • a defendant invades a plaintiff’s private affairs without lawful justification;
  • the defendant’s conduct is intentional or reckless; and
  • a reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish.

This case serves as a reminder of the vicarious liability employers face and the need for strict policies governing privacy and security.

A Risk Strategy (including an incident response plan) is an important component of a proactive approach to cybercrime and should focus on:

  • creating guidelines and policies to ensure best practices
  • prioritizing prompt communication, investigation, and containment
  • adherence to mandatory notification requirements (e.g. Personal Health Information Protection Act and Personal Information Protection and Electronic Documents Act)
  • protecting data, eradicating threats, and reducing exposure to liability
  • specialized insurance coverage where electronic data is excluded from general policies (e.g. in definitions of tangible property).

Cybercrime and related legal issues require attention and preparedness. Individuals, governments, and organizations of all sizes are advised to address technological challenges pre-emptively, before they cause significant harm.

“Sink or swim the internet is a vast cyberspace enabling instant connectivity with global markets, seemingly endless growth potential, and an innovative pulse driving rapid change…”
