Close X

By subscribing to our newsletter you agree to receive periodic e-mails from Dubé Latreille Avocats Inc.

Thank you for subscribing!

An error has occurred. Please try again later.

Article

Your Business Bulletin - Special C19

Internet and business: an underestimated liability risk

3/27/2020
Droit des affaires
Internet and business: an underestimated liability risk

A pandemic is a strong vector of anxiety; it requires exceptional measures to fight an invisible and deadly enemy. Yet, in everyday life lurks with relative indifference another type of pandemic that threatens to cripple every Quebec business:internet criminality.

The recent eruption of the Covid-19 crisis is no exception to this as a significant upsurge of cyberattacks have been observed around the world[1].  

Is your organization aware of the liability risks this entails?

In recent years, information technology (IT) has revolutionized the way organizations think, interact, and do business. It appears this was only the beginning as recent trends currently emerging bring these changes to another level with automation,artificial intelligence (AI) and the multiplication of IoT[2]devices. One of these trends is strongly evidenced by the growing conversion of businesses to Industry 4.0 characterized by the integration of data management and robotization in production processes.

Cette transformation numérique se caractérise fondamentalement par l’automatisation et par une intégration de nouvelles technologies à la chaîne de valeur de l’entreprise. L’exploitation et la gestion massive des données,l’interconnexion des machines, la dématérialisation des canaux de communication et de distribution et la restructuration de l’entreprise pour une production flexible et personnalisée constituent toutes des défis qui demandent à chaque usine d’agir rapidement pour se transformer en une usine connectée et intelligente. [3]

These developments and breakthroughs, designed to improve the performance and competitivity of businesses, also increased our dependency on data management and interconnectivity[4]. Indeed,it would be hard to conceive doing business nowadays without the one or the other. As a result, the volume of data that enterprises generate, manage and collect on a routine basis (whether on clients, suppliers, employees, finances,contract information, trade secrets, etc.). has skyrocketed. In fact, data has become so valuable that it should now be considered a “critical asset” in most businesses. Similarly, the role of the internet has expanded to such a point that it has become an essential service. In fact, it is fair to say that internet and its applications have played and still play a pivotal role in communications during the present Covid-19 crisis.

Not surprisingly, this dual-dependency of people and businesses on data and internet have become increasingly the target of cyber criminals who strive to access your computers via internet in order to infect them with malicious programs[5]designed to steal, ransom or destroy your data.

Il y a une montée fulgurante des cyberattaques. Les cybercriminels sont de mieux en mieux équipés et de plus en plus nombreux.[6]

In fact, this type of criminal activity has been steadfastly on the rise[7];this can be explained by the fact that limited resources that are required (a computer and access to internet) to launch an attack, the availability of breaching tools on the internet, the high potential return of investment,and the unlikeliness of being caught.

If you are a business executive, what are the chances?

Backin 2012, former FBI Director, Robert Mueller, warned that no organization could expect to be safe from such attacks:

I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again. [8]

Following those prophetical words, an endless string of major hacks[9] have occurred around the world with well-known corporations such as Target (2013),Sony Entertainment Picture (2014), Anthem (2015), Yahoo (2016), Equifax (2017),Facebook (2018), Mariott Hotels (2019), etc., to name a few. The province of Quebec also had its fair share of high-profile cyber incidents involving among other organizations such as Hydro-Québec, Trans-Union, Banque de Montréal, l’Institut national de la recherche scientifique (INRS), etc. For the most part, these cyberattacks resulted in the theft of millions of users’ confidential informationlater sold in bulk on the darkweb[10] forfuture criminal activity. Not surprisingly, according to Allianz’s Risk Barometer for 2019, cybercrime has become one of the top threats to businessoperations.

Impact of business interruption (incl. supply change disruption) is the major risk for companies for the seventh year in arow according to the Allianz Risk Barometer with 37% of responses ranking it asone of the three most important risks companies face in 2019. Fittingly, it isjoined at the top of the rankings for the first time by cyber incidents (e.g.cybercrime, IT failure/outage, data breaches, fines and penalties) (37%) whichare increasingly resulting in significant business interruption (BI) losses oftheir own.[11]

In view of the above, considering that cybercrime is a reality, what are the risks?

It is essential to determine how vulnerable your business is to these attacks in order to mitigatethe risks. What are your critical assets in terms of data, networks, systems?How are they protected? If you were to lose access to these critical assets,how would your operations be impacted? What are the most likely threats? Do you have an incident response plan?

In order to protect Quebec businesses from what has become a clear and present danger, executive members have to integrate cyberthreats in their risk analysis to make cybersecurity an operational priority so that safeguards will be put in place to minimize business operations, reputationaland liability/compliance risks. If you have not done so already, it isimportant to act without delay and make cybersecurity a part of your organizational culture as this is the new reality businesses have to compose with in the digital age. By being proactive now, you will not only improve your organization’s resilience to cybercrime and its ability tomitigate risks, but you will also make it more eligible to cyber security insurance, a worth while risk-mitigating option[12]that has now become a must in any industry.

Moreover,with the new anticipated legislation expected from the Quebec government on confidentiality and data protection (to replace the antiquated Loi sur la protection des renseignements personnels dans le secteur privé), you can expect sweeping changes to the responsibility that organizations will be liable for in the management of confidential data (whether from clients, users, employees, stakeholders, etc.)which is expected to emulate to some degree Europe’s Règlement general surla protection des données (RGPD), a set of rules that render organizationsfully accountable for the use, protection and disposition of data.

In addition, it is to be expected that tribunals will soon reconsider theliability of corporations for the prejudice incurred by individuals following the loss of theft of confidential data[13] due to a cyber incident. Until now, the proof of the prejudice was incumbent upon the individual who often could not present much evidence, a fact that did not encourage businesses to invest in cybersecurity and data protection…

Our firm would be most happy to assist you in evaluating the liability risks your organization is exposed to.      

[1] https://www.businessinsider.com/microsoft-research-shows-coronavirus-cyberattacks-in-every-country-2020-4;

[2] IoT : technical term referring to the “Internet of Things”,that is a general expression referring to internet connected devices;

[3] https://www.economie.gouv.qc.ca/bibliotheques/outils/gestion-dune-entreprise/industrie-40/feuille-de-route-industrie-40/;

[4] Interconnectivity: refers to the need of being connected tointernet;

[5] Malicious programs are also known as “malware”;

[6] https://www.journaldequebec.com/2019/11/13/montee-fulgurante-des-cyberattaques;

[7] https://www.itworldcanada.com/article/cybersecurity-in-canada-2019-it-was-an-awesome-year-for-attackers/425514;

[8] Robert S. Mueller, III Director of FBI, RSA, Cyber SecurityConference, San Francisco, CA, March 01, 2012;  

https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies;

[9] “Hacks” refers to “cyber incidents involving a breach to aninformation system”;

[10] Dark web: a separate internet network used by criminals tocommunicate and conduct business;

[11] https://www.agcs.allianz.com/content/dam/onemarketing/agcs/agcs/reports/Allianz-Risk-Barometer-2019.pdf

[12] Cyber insurance is not granted upon demand; industries andbusinesses must answer a variety of criteria in order to be eligible. If youhave already been the object of a cyberattack, for example, it is possible thatyou may not be eligible without complying to a variety of costly improvementsto your organization. Also, insurance policies ought to be carefullyscrutinized in order to ensure they adequately protect your organization.

[13] Regarding the disproportionate burden of proof weighing ofcybercrime victims, please read our article on the matter: https://www.dubelatreille.ca/blog/indemnisation-en-matiere-de-vol-de-donnees-personnelles-un-fardeau-exorbitant-pour-les-victimes;

Share:

Our Newsletter

Subscribe to our Newsletter and keep up to date with
DUBÉ LATREILLE’s news, events, and columns.

I wish to subscribe