Jordan: Hi, I’m Jordan Virtue.
Nathan: And I’m Nathan Kanter, and this is Blakes Sound Business.
Jordan: Nathan, we all know business leaders have a host of worries to keep them up at night, but did you know cybersecurity is at the top of the list?
Nathan: That’s no surprise, Jordan, considering the continuing escalation in cyberattacks and the devastation they can cause.
Jordan: That’s where Blakes comes in. The Firm pioneered the Canadian Cybersecurity Trends Study for this reason, and it’s now in its third year. To talk about some of the latest cyber trends, we’re joined by Blakes lawyers John Lenz in Montréal and Ellie Marshall and Nicole Henderson in Toronto.
Nathan: John, what are some key aspects of the recent Blakes Cybersecurity Trends Study? Anything new listeners should know about?
John: Some of the key trends that we observed in this year’s study period are consistent with last year’s study. Once again, we saw that attacks occur across the country. They affect organizations of all sizes and organizations who operate in just about all industries.
What sets this year’s study period apart from last year’s, though, is the evolution that we saw in the operation of various threat-actor groups. New ransomware variants have appeared, and some have emerged as offshoots from well-known groups. We also observed an increased focus on accessing an organization’s sensitive information, including personal information. In fact, in about 70% of attacks we studied this year, the threat actor was able to access sensitive information, which is a notable increase compared to last year’s study.
Nathan: Speaking of last year’s study, ransomware attacks have been identified as the most prevalent form of cybercrime threatening organizations. Is that still the case today?
John: Yes, ransomware attacks continue to be the leading type of cybersecurity incident that we observe, representing over half of the attacks that we’ve studied. Not only are these attacks highly common, but they’re becoming increasingly costly for Canadian organizations with payments routinely exceeding US$1-million.
One trend that might explain the prevalence of ransomware attacks is the ability of these threat-actor groups to take advantage of security flaws in an organization’s supply chain or in the third-party tools that they use. In fact, about one-third of the incidents that we studied were the result of a software vulnerability.
One way this might play out in practice is that an organization doesn’t have the latest software update installed, and an attacker is able to take advantage of a known vulnerability in the older version and get into the network to carry out the attack.
Jordan: Ellie, the study talks about mandatory breach-reporting obligations and how privacy law reform in Canada is undergoing a transformation. How will businesses be impacted?
Ellie: Right, so Canadian privacy and data protection laws, which are a bit of a patchwork, are currently undergoing a lot of reform in response to growing threats to personal information.
In June, the federal government tabled Bill C-27. If passed, the bill would repeal parts of the federal private-sector privacy act, PIPEDA, which regulates the processing of personal information, and enact a new Consumer Privacy Protection Act, or the CPPA. As currently drafted, this new CPPA would include the same mandatory breach-reporting obligations for organizations as are currently provided for under the federal PIPEDA. However, if there’s a breach of security safeguards, service providers would be obligated to notify the organization that controls the personal information they process as soon as feasible.
This new legislation would expand the Privacy Commissioner’s enforcement powers and significantly raise fines for offences.
Jordan: What about M&A deals? How have they been impacted by cyber incidents?
Ellie: We have definitely seen an increased focus on cybersecurity diligence in M&A transactions. This stems from the fact that most organizations are now heavily dependent on their digital assets to operate and deliver goods and services to customers.
At a minimum, legal diligence should be sufficient to understand the technological assets in the transaction, and the target’s cybersecurity posture should be closely considered by determining whether they are testing or auditing their cybersecurity measures and whether any cyber insurance policies are broad enough to cover the different consequences flowing from a breach.
Diligence should also identify what data privacy laws apply and assess whether relevant policies comply with that legislation.
Nathan: Nicole, based on trends your team observed, it seems like certification of cyber-related privacy class actions continues to be low. Should businesses be concerned?
Nicole: You know, of course we’re really happy to see courts taking a harder look at some privacy class actions at the certification stage, but I also think it’s fair to say that plaintiffs’ counsel continue to see class actions as a viable vehicle to address data breaches, and we’re still seeing a pretty high number of new cases being started. And we also can’t lose sight of the fact that some settlements have been fairly substantial overall.
In the cyber study, we talk about how most class action settlements in the privacy arena have represented pretty low amounts per person, and that’s definitely true. But if you have a breach that affects tens of thousands of people, those numbers start to add up quite quickly. So, this definitely isn’t something that anyone should stop paying attention to. What I do think we should be keeping our eyes on is the Equifax data-breach case in Ontario, which is making its way through appeals, and that’s going to be a very important case in terms of determining the scope of the “intrusion on seclusion” privacy tort and whether it can even apply in the case of a third-party cyberattack.
Nathan: And at last, there’s some good news coming from a case earlier this year where a hacker received a prison sentence for orchestrating large-scale ransomware attacks. Will we see more of the same?
Nicole: Only time will tell, but I suspect we will. I’ll say one of the reasons I thought this was interesting is because a question that we frequently get from organizations who have experienced a cyberattack is whether they ought to report it to law enforcement. And one aspect of that decision is always whether it’s likely that the police or other authorities will really be able to do anything about it.
So, we have to be realistic, of course. Many threat actors are operating overseas in jurisdictions that aren’t necessarily going to offer much cooperation with the RCMP or the FBI, but one thing about this case is, I think it’s important to see that cybercrime is a type of crime that’s getting significant attention from law enforcement agencies and being taken seriously by the courts with some real sentences being meted out. So, that’s encouraging, and I think we all hope we continue to see that going forward.
Jordan: Thank you, Nicole, John and Ellie. We know how much work goes into developing our Cybersecurity study, and your insights are invaluable.
Nathan: Listeners, for more information on our Cybersecurity group, and our podcast, please visit blakes.com.
Jordan: Until next time, stay well and stay safe…in the real world and online.