Internet and business: an underestimated liability risk

In recent years, information technology (IT) has revolutionized the way organizations think, interact, and do business. It appears this was only the beginning as recent trends currently emerging bring these changes to another level with automation,artificial intelligence (AI) and the multiplication of IoT[2]devices. One of these trends is strongly evidenced by the growing conversion of businesses to Industry 4.0 characterized by the integration of data management and robotization in production processes.

Cette transformation numérique se caractérise fondamentalement par l’automatisation et par une intégration de nouvelles technologies à la chaîne de valeur de l’entreprise. L’exploitation et la gestion massive des données,l’interconnexion des machines, la dématérialisation des canaux de communication et de distribution et la restructuration de l’entreprise pour une production flexible et personnalisée constituent toutes des défis qui demandent à chaque usine d’agir rapidement pour se transformer en une usine connectée et intelligente. [3]

These developments and breakthroughs, designed to improve the performance and competitivity of businesses, also increased our dependency on data management and interconnectivity[4]. Indeed,it would be hard to conceive doing business nowadays without the one or the other. As a result, the volume of data that enterprises generate, manage and collect on a routine basis (whether on clients, suppliers, employees, finances,contract information, trade secrets, etc.). has skyrocketed. In fact, data has become so valuable that it should now be considered a “critical asset” in most businesses. Similarly, the role of the internet has expanded to such a point that it has become an essential service. In fact, it is fair to say that internet and its applications have played and still play a pivotal role in communications during the present Covid-19 crisis.

Not surprisingly, this dual-dependency of people and businesses on data and internet have become increasingly the target of cyber criminals who strive to access your computers via internet in order to infect them with malicious programs[5]designed to steal, ransom or destroy your data.

Il y a une montée fulgurante des cyberattaques. Les cybercriminels sont de mieux en mieux équipés et de plus en plus nombreux.[6]

In fact, this type of criminal activity has been steadfastly on the rise[7];this can be explained by the fact that limited resources that are required (a computer and access to internet) to launch an attack, the availability of breaching tools on the internet, the high potential return of investment,and the unlikeliness of being caught.

If you are a business executive, what are the chances?

Backin 2012, former FBI Director, Robert Mueller, warned that no organization could expect to be safe from such attacks:

I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again. [8]

Following those prophetical words, an endless string of major hacks[9] have occurred around the world with well-known corporations such as Target (2013),Sony Entertainment Picture (2014), Anthem (2015), Yahoo (2016), Equifax (2017),Facebook (2018), Mariott Hotels (2019), etc., to name a few. The province of Quebec also had its fair share of high-profile cyber incidents involving among other organizations such as Hydro-Québec, Trans-Union, Banque de Montréal, l’Institut national de la recherche scientifique (INRS), etc. For the most part, these cyberattacks resulted in the theft of millions of users’ confidential informationlater sold in bulk on the darkweb[10] forfuture criminal activity. Not surprisingly, according to Allianz’s Risk Barometer for 2019, cybercrime has become one of the top threats to businessoperations.

Impact of business interruption (incl. supply change disruption) is the major risk for companies for the seventh year in arow according to the Allianz Risk Barometer with 37% of responses ranking it asone of the three most important risks companies face in 2019. Fittingly, it isjoined at the top of the rankings for the first time by cyber incidents (e.g.cybercrime, IT failure/outage, data breaches, fines and penalties) (37%) whichare increasingly resulting in significant business interruption (BI) losses oftheir own.[11]

In view of the above, considering that cybercrime is a reality, what are the risks?

It is essential to determine how vulnerable your business is to these attacks in order to mitigatethe risks. What are your critical assets in terms of data, networks, systems?How are they protected? If you were to lose access to these critical assets,how would your operations be impacted? What are the most likely threats? Do you have an incident response plan?

In order to protect Quebec businesses from what has become a clear and present danger, executive members have to integrate cyberthreats in their risk analysis to make cybersecurity an operational priority so that safeguards will be put in place to minimize business operations, reputationaland liability/compliance risks. If you have not done so already, it isimportant to act without delay and make cybersecurity a part of your organizational culture as this is the new reality businesses have to compose with in the digital age. By being proactive now, you will not only improve your organization’s resilience to cybercrime and its ability tomitigate risks, but you will also make it more eligible to cyber security insurance, a worth while risk-mitigating option[12]that has now become a must in any industry.

Moreover,with the new anticipated legislation expected from the Quebec government on confidentiality and data protection (to replace the antiquated Loi sur la protection des renseignements personnels dans le secteur privé), you can expect sweeping changes to the responsibility that organizations will be liable for in the management of confidential data (whether from clients, users, employees, stakeholders, etc.)which is expected to emulate to some degree Europe’s Règlement general surla protection des données (RGPD), a set of rules that render organizationsfully accountable for the use, protection and disposition of data.

In addition, it is to be expected that tribunals will soon reconsider theliability of corporations for the prejudice incurred by individuals following the loss of theft of confidential data[13] due to a cyber incident. Until now, the proof of the prejudice was incumbent upon the individual who often could not present much evidence, a fact that did not encourage businesses to invest in cybersecurity and data protection…

Our firm would be most happy to assist you in evaluating the liability risks your organization is exposed to.