As Canadian businesses beef up their defences against cyberattack, some of the country''s biggest law firms are growing their own cybersecurity teams in an attempt to match client demand.
“Ten years ago, when you heard about a data breach, it was quite an isolated event,” says Bernice Karn, a Toronto-based partner at Cassels Brock & Blackwell LLP, and a member of its cybersecurity practice. “Now, it seems like they happen all the time. It's becoming more and more prevalent in business, so clients are looking for advice on it.”
Just last month, the University of Calgary admitted making a $20,000 payment to cybercriminals, becoming one of the highest-profile victims of a ransomware attack. The university paid the cash in order to unfreeze almost 10,000 faculty and staff e-mail accounts compromised by the virus.
A number of U.S.-based hospitals have made similar payments after falling victim to virtually identical scams, which are growing in popularity among cybercriminals, according to Imran Ahmad, a Miller Thomson LLP partner with a practice focused on cybersecurity issues.
He says an unknown number of less spectacular ransoms have also been paid by smaller organizations anxious to avoid the hassle and embarrassment that can result from a successful hack of their systems.
Precise statistics are hard to come by in the Canadian cybersecurity world because of the very limited circumstances under which companies are required to report data breaches, according to Ahmad, but there is no shortage of reports attempting to put numbers to the problem. In June, the Ponemon Institute and IBM Security's annual survey of global businesses found cybersecurity incidents jumped 64 per cent last year around the world compared with 2014. The survey also put the average cost of a data breach at US$4 million, a 29-per-cent jump over the number in 2013. For Canadian-based companies who took part, the cost was even higher, at about $6 million per breach.
With figures like that, Ahmad says the focus of clients should be on the proactive side: preventing attacks from happening in the first place and preparing a plan should the worst happen.
“There are studies out there that suggest organizations that fail to invest in pre-breach measures will end up paying two to three times more to deal with an attack,” he says. “There is a lot of work you can do beforehand. From a governance perspective, you want policies and protocols in place. Cyber-insurance is also a good thing to have, as well as backups and encryption for confidential information.”
Ahmad says his concentration on cybersecurity grew out of his privacy practice, driven by demands from clients in that field. However, things really took off towards the end of 2013 when Target revealed a hack of its systems had resulted in the theft of credit and debit card data related to about 40 million of its customers in the U.S., bringing home the reality of the cybercrime threat to companies who may never have considered it a priority before then. Within a year, another high-profile hack at Sony Pictures Entertainment reinforced the danger as thousands of leaked e-mails and personal information of the company's employees dominated news headlines worldwide for weeks.
“It's hard to pinpoint a turning point, but those two events seemed to shift a lot of mindsets,” Ahmad says.
Kristin Ali, a cybersecurity lawyer at Blake Cassels & Graydon LLP in Toronto, says American cases often provide valuable lessons for Canadian lawyers and businesses due to the scarcity of cybersecurity case law north of the border. Before joining Blakes in 2013, she practised at Boston firm Ropes & Gray LLP, litigating cases in the emerging field.
“They have more breaches in the U.S., so it's important to keep up to date with developments there,” Ali says. “A lot of the clients I've been dealing with here and in the U.S. are large, sophisticated businesses that understand their boards of directors, corporate counsel, and IT professionals all have to work together to maintain their cybersecurity programs.”
At Cassels Brock, the firm has developed a cybersecurity team over the last year to cover all legal aspects of a breach. According to Karn, most of her work comes after the event, helping clients deal with the fallout from an attack.
“At the earliest stages, you want to preserve privilege to the extent possible. If they don't already have an action plan in place to deal with a breach, then you develop one, and begin taking steps to contain and investigate the problem,” she says.
Ahmad says the immediate aftermath of a breach can be a chaotic time.
“It's a very intense situation. It can be very stressful for management, and for employees, depending on the scope of the breach,” he says. “It can get pretty complicated very quickly, and how you deal with it in the first 24 hours is key. The trick is to bounce back as quickly as possible.”
Daniel Tobok, the founder and CEO of cybersecurity consultancy Cytelligence Inc., says businesses have been forced to take cybercrime seriously thanks to the increasingly sophisticated and successful methods of its perpetrators.
“We're seeing a lot of organized crime involvement in cybercrime. It's attractive to them because it's lucrative and it's silent. You can make millions without shooting or kidnapping anyone,” Tobok says. “There is no such thing as 100-per-cent security.”
Many of his clients are law firms, who, according to Tobok, make popular targets due to the amount of valuable confidential data they hold on behalf of clients.
“Law firms are doing a better job today than they did four years ago, but they're still not perfect,” he says.
“Ten years ago, when you heard about a data breach, it was quite an isolated event,” says Bernice Karn, a Toronto-based partner at Cassels Brock & Blackwell LLP, and a member of its cybersecurity practice. “Now, it seems like they happen all the time. It's becoming more and more prevalent in business, so clients are looking for advice on it.” Just last month, the University of Calgary admitted making a $20,000 payment to cybercriminals, becoming one of the highest-profile victims of a ransomware attack. The university paid the cash in order to unfreeze almost 10,000 faculty and staff e-mail accounts compromised by the virus.
A number of U.S.-based hospitals have made similar payments after falling victim to virtually identical scams, which are growing in popularity among cybercriminals, according to Imran Ahmad, a Miller Thomson LLP partner with a practice focused on cybersecurity issues.
He says an unknown number of less spectacular ransoms have also been paid by smaller organizations anxious to avoid the hassle and embarrassment that can result from a successful hack of their systems.
Precise statistics are hard to come by in the Canadian cybersecurity world because of the very limited circumstances under which companies are required to report data breaches, according to Ahmad, but there is no shortage of reports attempting to put numbers to the problem. In June, the Ponemon Institute and IBM Security's annual survey of global businesses found cybersecurity incidents jumped 64 per cent last year around the world compared with 2014. The survey also put the average cost of a data breach at US$4 million, a 29-per-cent jump over the number in 2013. For Canadian-based companies who took part, the cost was even higher, at about $6 million per breach.
With figures like that, Ahmad says the focus of clients should be on the proactive side: preventing attacks from happening in the first place and preparing a plan should the worst happen.
“There are studies out there that suggest organizations that fail to invest in pre-breach measures will end up paying two to three times more to deal with an attack,” he says. “There is a lot of work you can do beforehand. From a governance perspective, you want policies and protocols in place. Cyber-insurance is also a good thing to have, as well as backups and encryption for confidential information.”
Ahmad says his concentration on cybersecurity grew out of his privacy practice, driven by demands from clients in that field. However, things really took off towards the end of 2013 when Target revealed a hack of its systems had resulted in the theft of credit and debit card data related to about 40 million of its customers in the U.S., bringing home the reality of the cybercrime threat to companies who may never have considered it a priority before then. Within a year, another high-profile hack at Sony Pictures Entertainment reinforced the danger as thousands of leaked e-mails and personal information of the company's employees dominated news headlines worldwide for weeks.
“It's hard to pinpoint a turning point, but those two events seemed to shift a lot of mindsets,” Ahmad says.
Kristin Ali, a cybersecurity lawyer at Blake Cassels & Graydon LLP in Toronto, says American cases often provide valuable lessons for Canadian lawyers and businesses due to the scarcity of cybersecurity case law north of the border. Before joining Blakes in 2013, she practised at Boston firm Ropes & Gray LLP, litigating cases in the emerging field.
“They have more breaches in the U.S., so it's important to keep up to date with developments there,” Ali says. “A lot of the clients I've been dealing with here and in the U.S. are large, sophisticated businesses that understand their boards of directors, corporate counsel, and IT professionals all have to work together to maintain their cybersecurity programs.”
At Cassels Brock, the firm has developed a cybersecurity team over the last year to cover all legal aspects of a breach. According to Karn, most of her work comes after the event, helping clients deal with the fallout from an attack.
“At the earliest stages, you want to preserve privilege to the extent possible. If they don't already have an action plan in place to deal with a breach, then you develop one, and begin taking steps to contain and investigate the problem,” she says.
Ahmad says the immediate aftermath of a breach can be a chaotic time.
“It's a very intense situation. It can be very stressful for management, and for employees, depending on the scope of the breach,” he says. “It can get pretty complicated very quickly, and how you deal with it in the first 24 hours is key. The trick is to bounce back as quickly as possible.”
Daniel Tobok, the founder and CEO of cybersecurity consultancy Cytelligence Inc., says businesses have been forced to take cybercrime seriously thanks to the increasingly sophisticated and successful methods of its perpetrators.
“We're seeing a lot of organized crime involvement in cybercrime. It's attractive to them because it's lucrative and it's silent. You can make millions without shooting or kidnapping anyone,” Tobok says. “There is no such thing as 100-per-cent security.”
Many of his clients are law firms, who, according to Tobok, make popular targets due to the amount of valuable confidential data they hold on behalf of clients.
“Law firms are doing a better job today than they did four years ago, but they're still not perfect,” he says.
