Dangerous Assumptions and Serious Consequences in Cybersecurity

June 29, 2017

Written By Ruth E. Promislow and Michael R. Whitt Q.C.

It's not the kind of news a retail giant wants to make. In May 2017, Target agreed to a $18.5-million settlement to resolve a 47-state investigation into a massive 2013 hack. This settlement put Target's total cost of the breach at $202 million. More than 40 million customers had their credit or debit card information compromised after hackers accessed Target's server. Access was gained through credentials stolen from a third-party vendor.

Companies can be more vulnerable than they think when it comes to cybersecurity—and dangerous assumptions can lead to serious consequences. Bennett Jones’ Cybersecurity group hosted panel discussions where firm members joined insurance and security experts to discuss emerging patterns and threats in cybersecurity. Panels were held in Toronto and Calgary. Key takeaways were:

1. Cyber insurance can be a part of the solution, but there are potential pitfalls. It's a developing market and not everything is covered or well-integrated with other coverage elements. It's also essential to identify the scope of the coverage and tailor it to a company's needs. It's not typically an off-the-shelf product.
2. Third-party vendors are a critical piece in cybersecurity. Companies must make them a part of their overall strategy, ask the right questions and monitor their performance. Ultimate responsibility cannot be delegated to a third-party, but third party risks can be managed.
3. Employees who are properly trained and motivated are in some ways the firm’s “intelligent agents,” and one of the strongest lines of defence. The obverse is also true—insiders, whether by accident or purposefully, have proven to be a main cause of serious cyber breaches.
4. Directors can face exposure. There is the possibility for personal exposure of directors in cybersecurity breaches. Further, in some claims against a breached organization, plaintiffs may not need to prove actual damages to succeed based on the new tort of “intrusion upon seclusion.”
5. A comprehensive understanding of the organization's information assets and systems, risks and vulnerabilities is needed to protect it. This includes knowing who has access to confidential information—and if everyone who does really needs it.

The events were moderated by Stephen Bowman, managing partner of Bennett Jones’ Toronto office and Martin Kratz, intellectual property and technology partner in Calgary. Bennett Jones commercial litigation partner Ruth Promislow was a panel member in both Toronto and Calgary. Stephen Burns, the firm's head of intellectual property was on the panel in Toronto. Bennett Jones’ Lionel Cochey, director, information security governance, risk management and compliance, was on the Calgary panel along with head of information technology Michael Whitt. They were joined by:

• Toronto—Robert Beggs, founder and CEO of Digital Defence
• Toronto—Jacqueline Detablan, vice president, regional professional liability manager, AIG
• Calgary—David Gray, vice president at Jones Brown, a privately held Canadian insurance brokerage and strategic consultancy

Ruth and Michael lead Bennett Jones’ Cybersecurity group.

These events are part of a series of a Cybersecurity Seminar Series planned for 2017, and Bennett Jones thanks the panelists and attendees for making them such a success.

Authors