Protecting Your Business From Cyber Risks

November 12, 2014

Gowlings - November 12, 2014. In an ever-increasing digital world, all businesses face challenges in managing and protecting sensitive and confidential information. In this presentation Gowlings and Marsh Canada Limited addressed best practices for responding to a cyber breach, and what types of insurance may be available to respond to such a loss. Topics included:

• Trends, and the evolution of cyber insurance/products
• The D&O connection: cyber is a strategic business risk
• Risk Management Strategies
• Best Practices in Breach Response


Page 1: Protecting Your Business From Cyber Risks

Protecting Your Business From Cyber Risks

November 12, 2014


Page 2: Protecting Your Business From Cyber Risks

Today’s Topics

• Nature and extent of cyber losses
• Traditional commercial cover
• Coverage jurisprudence
• D&O connection
• Risk management considerations
• Regulatory framework
• Privacy breach jurisprudence
• Best practices in breach response

Page 3: Protecting Your Business From Cyber Risks

Cyber Threats

• More electronic data will be produced in the year 2017 than will have been produced in total up to that point in time
• Web based information technology is changing risk profiles
• Outsourced IT services and cloud based IT services have increased the potential for data loss

Page 4: Protecting Your Business From Cyber Risks

Cyber Threats

• More devices being connected on-line

• Widening potential entry points for disruption

• Broadening impacts of a disruption


Page 5: Protecting Your Business From Cyber Risks

Devices connected to internet worldwide


Page 6: Protecting Your Business From Cyber Risks

Sources of Risk

• Targeted attacks

• Human error

• Rogue employees

• Physical loss/theft of devices

• Phishing

• POS

Page 7: Protecting Your Business From Cyber Risks

Potential Consequences

• Large scale privacy breaches

• Theft of funds/IP

• Business Interruption

• Cyber extortion


Page 8: Protecting Your Business From Cyber Risks

Data Breaches

• Breaches increasing in number and severity

• Number of known data breaches in 2013 tripled from that in 2012

• On average, attackers were in the system for over 200 days

Page 9: Protecting Your Business From Cyber Risks
Page 10: Protecting Your Business From Cyber Risks

Cost of Breach

• Ponemon Institute study:
  • Average cost of a breach is US$3.5 Million
  • Average cost per record is US$145

Page 11: Protecting Your Business From Cyber Risks

Insurable Cyber Losses

• First-party losses
  • Data breach response
  • Crisis management costs
  • Lost income
  • Online defamation
  • Regulatory defence costs and fines
  • Cyber-extortion

Page 12: Protecting Your Business From Cyber Risks

Insurable Cyber Losses

• Third-party losses
  • Customer or client losses resulting from data breach
  • Invasion of privacy claims
  • Client losses resulting from inability to access systems

Page 13: Protecting Your Business From Cyber Risks

Uninsurable Cyber Losses

• Damage to reputation/brand

• Loss of goodwill

• Loss of future earnings

• Opportunity cost


Page 14: Protecting Your Business From Cyber Risks

Where Could Losses be Covered?

• E&O
• CGL
• D&O
• Cyber/tech

Page 15: Protecting Your Business From Cyber Risks

E&O

• Damages or losses that the insured is legally obligated to pay as a result of a “claim”
• Ordinarily tied to a “wrongful act” or negligence arising from delivery of “professional services”
• May contain privacy/data breach exclusion

Page 16: Protecting Your Business From Cyber Risks

D&O

• Damages or losses that the insured is legally obligated to pay as a result of a “claim”
• Claim arising from decisions and actions taken on behalf of the corporation

Page 17: Protecting Your Business From Cyber Risks

CGL

• ‘Bodily injury’ or ‘property damage’
• Caused by an ‘occurrence’
• ‘Advertising injury’ or ‘personal injury’

Page 18: Protecting Your Business From Cyber Risks

CGL

• In 2001, Insurance Services Office (U.S.) revised its standard CGL policy form to exclude “electronic data” from the definition of “property damage”

• In 2005, Insurance Service Bureau of Canada followed suit

Page 19: Protecting Your Business From Cyber Risks

CGL

Zurich American Insurance Company v Sony Corporation of America, (NY Sup Ct, Feb 21 2014).

• Sony’s online systems breached by hackers
• Personal data of 77 million users stolen
• Approximately 12 million credit card numbers stolen
• Estimated $2 billion in losses
• 55 class actions commenced
• Sony claimed under CGL and excess policies

Page 20: Protecting Your Business From Cyber Risks

CGL

Zurich v Sony, cont’d

• Sony’s CGL policy included coverage for “oral or written publication, in any manner, of material that violates a person’s right of privacy”
• Zurich argued that “publication” required an intentional act on the part of the insured
• Court agreed with Zurich and denied coverage; the acts of third-party hackers did not satisfy the “publication” requirement in the CGL policy

Page 21: Protecting Your Business From Cyber Risks

CGL

• Sony decision has been appealed, with no date set yet for the hearing
• Travelers has recently sought a Court ruling that it is not required to defend or indemnify P.F. Chang’s under CGL in class actions commenced in connection with a data breach
• No finality yet as to how Courts are going to deal with this issue

Page 22: Protecting Your Business From Cyber Risks

CGL

• Effective May 2014, ISO has released a standard form electronic data exclusion for CGL policies
• No guidance yet on how that exclusion will hold up

Page 23: Protecting Your Business From Cyber Risks

Conclusions

• Remains to be seen how Courts will interpret various coverage issues

• Businesses should be aware of the scope of cyber risks and proactively assess insurance coverage

• Businesses should not assume that CGL/D&O/E&O policies will be sufficient to cover all losses associated with a cyber event.

Page 24: Protecting Your Business From Cyber Risks

Thank You

Belinda Bain, Partner

Tel: 416-369-6174 | Email: [email protected]

montréal ottawa toronto hamilton waterloo region calgary vancouver beijing moscow london

Page 25: Protecting Your Business From Cyber Risks

CYBER IS A STRATEGIC RISK

MARSH CANADA LIMITED, 12 NOVEMBER 2014

Gregory L. Eskins, National Cyber Practice Leader

[email protected]

Page 26: Protecting Your Business From Cyber Risks

Risk Management Considerations

Page 27: Protecting Your Business From Cyber Risks

A Structured Approach to Cyber Risk

1. Understanding the risk exposure
“What does the organization’s current posture look like?”
• Dependency on Vendors (cloud, mobile, hosting, etc…)
• Domicile of Customers
• Compliance with Regulatory Requirements (including PCI)
• Critical Asset Inventory (what protections are in place?)
• Reliance on technology to conduct business operations?

2. Risk Assessment
“What are the top risks which could materially impact the organization?”
• Review existing risk assessment material and identify top cyber risk elements
• Conduct interviews with internal business units and operational departments
• Conduct platform operational maturity assessment
• Based on the above, and understanding of the business, create a common risk taxonomy with cyber risk categories and the cyber risk elements within each category
• Prioritize risk categories in terms of economic impact and frequency (likelihood)

3. Risk Quantification
“What are the economic implications of the risks identified?”
• Generate loss scenarios based on the priority risk categories
• Model the costs of a privacy breach, if relevant
• Quantify economic loss stemming from an interruption to the business due to a technology failure (internal or external – vendor)

4. Recommendations and prioritization
“How can we mitigate these risks?”
• Based on the outcomes, seek to identify the root causes
• Align largest risks with risk appetite
• Create risk mitigation recommendations for the highly exposed risk elements

MARSH

Page 28: Protecting Your Business From Cyber Risks

Getting Key Stakeholders Involved.

• It has long been recognized that D&Os have a fiduciary duty to protect the assets of their organization. Today this duty extends to digital assets.
• Is the board informed about the most serious cybersecurity risks facing the industry, and has it worked with executives to develop a cybersecurity risk appetite statement?
• Does the company have a written cybersecurity risk management strategy and governance framework? How is it measured and how well is it working? When was it last reviewed?
• What are the most likely types of external threats? What are the internal threats?
• Security risk is complex, widespread, technical, and ever-changing. As a result, it is difficult to quantify probability – there is little data.
• The process of applying for cyber insurance is itself a constructive exercise for raising awareness and identifying potential vulnerabilities.
• What insurance policies cover the company against network security breaches and other cybersecurity incidents? Is this coverage up to date and is it adequate?

Page 29: Protecting Your Business From Cyber Risks

Bridging the Gaps

Page 30: Protecting Your Business From Cyber Risks

Current Purchasing Patterns

The number of Marsh clients purchasing cyber insurance increased 21% from 2012 to 2013.

[Chart: cyber insurance purchasing percentages for 2011, 2012 and 2013, by industry: All Industries; Communications, Media and Technology; Education; Financial Institutions; Health Care; Hospitality and Gaming; Power and Utilities; Retail and Wholesale; Sports, Entertainment & Events; Transportation. The individual percentages are not recoverable from the extracted text.]

Page 31: Protecting Your Business From Cyber Risks

Security and Privacy Insurance Policy Risk Matrix (For Illustrative Purposes Only)

The matrix maps privacy and cyber perils against traditional policies (Property, General Liability, Traditional Crime, Computer Crime, E&O, Special Risk) and a Broad Privacy and Cyber Policy. Legend: Not covered / Covered / Dependent upon specifics of claims, may have some coverage. The traditional-policy cells are not recoverable from the extracted text; the Broad Privacy and Cyber Policy column maps each peril to a coverage part:

• Indemnification of your notification costs, including credit monitoring services: Privacy Liability (sub-limited)
• Defense of regulatory action due to a breach of privacy regulation: Privacy Liability (sub-limited)
• Coverage for fines and penalties due to a breach of privacy regulation: Privacy Liability (sub-limited)
• Threats or extortion relating to release of confidential information or breach of computer security: Cyber Extortion
• Liability resulting from disclosure of electronic information and electronic information assets: Network Security
• Liability from disclosure of confidential commercial and/or personal information (i.e. breach of privacy): Privacy Liability
• Liability for economic harm suffered by others from a failure of your computer or network security (including written policies and procedures designed to prevent such occurrences): Network Security
• Website infringes on IP or is defamatory: Media/Content Coverage
• Destruction, corruption, or theft of your electronic information assets/data due to failure of computer or network: Digital Assets
• Theft of your computer systems resources: Digital Assets
• Loss of revenue and extra expense incurred due to a failure of security: Business Interruption

Page 32: Protecting Your Business From Cyber Risks

Privacy and Cyber Coverage Overview

• Privacy Liability: Harm suffered by others due to the collection or disclosure of confidential information.
• Network Security Liability: Harm suffered by others from a failure of your network security.
• Cyber Extortion: The cost of investigation and the extortion demand (limited crisis consultant expenses).
• Regulatory Defense: Legal counsel for regulatory actions including coverage for fines and penalties where permissible.
• Event/Breach Costs: The costs of complying with the various breach notification laws and regulations including legal expense, call centers, credit monitoring, and forensic investigation.
• Digital Assets: The value of data stolen, destroyed, or corrupted by a cyber attack.
• Business Interruption: Business income that is interrupted by a cyber attack or a failure of technology (including the extra expense).

The slide groups these coverages into third-party (liability) and first-party coverages.

Coverage for privacy liability requires no negligence on the part of the insured and provides defense to the entity for the intentional acts of the insured’s employees.

Page 33: Protecting Your Business From Cyber Risks

Where are the Risks Going?

Coverage Spectrum (increasing complexity of insurance solutions) and Exposures:

• Standard Cyber Policy: Network Security & Privacy Liability; Privacy Breach Response Costs; Regulatory Investigations; Cyber Extortion
• Some insurers are silent; others explicitly address: Cyberterrorism
• Manuscript Language: Business interruption attributable to a network outage for any reason, e.g. operational error
• Emerging Products: Cyber CAT; 1st Party Property Damage and Bodily Injury; Reputational Damage

Page 34: Protecting Your Business From Cyber Risks

Cyber is a Strategic Risk

Page 35: Protecting Your Business From Cyber Risks

The Board’s Role is Critical

“Until such time as cyber security becomes a regular board of director's agenda item…the potential for disruption is real and serious and we all pay the price.”

— Howard A. Schmidt, former Cyber Security Coordinator for President Obama

Page 36: Protecting Your Business From Cyber Risks

Cyber Breach Related Derivative Lawsuit

Cyber Liability: Data Breach Incident
“If our efforts to protect the security of personal information about our customers and employees are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.” Company X, Inc. 10-K Risk Factors

D&O Liability: Derivative Lawsuit
A shareholder of Company X has initiated a derivative lawsuit against certain directors and officers of the company, as well as against the company itself as nominal defendant, related to the multiple data breaches the company sustained.

Page 37: Protecting Your Business From Cyber Risks

Cybersecurity Securities Class Actions are Likely

Cyber Liability: Data Breach Incident
“If our efforts to protect the security of personal information about our customers and employees are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.” Company X 10-K Risk Factors

D&O Liability: Securities Class Action
There appears to be a growing consensus that stock drops are inevitable when the market better understands cybersecurity threats, the cost of breaches, and the impact of threats and breaches on companies’ business models.

Page 38: Protecting Your Business From Cyber Risks

Directors and Officers Liability – Cyber

• The SEC guidance does not create a new obligation as far as reporting of material events, but it does shine a spotlight on the issue
• Both the CSA and OSFI have weighed in on the increasing risks associated with cyber security and crime. Specifically, the CSA has issued Staff Notice 11-326, and OSFI has put forth its Cyber Security Self-Assessment template (for FRFIs).
• Privacy and IT security exposure can be difficult for boards and senior management to fully understand and keep pace with, BUT,
• This does not relieve them of the duty of oversight
  – Directors need to ensure their organizations have appropriate privacy and IT security risk management measures in place
  – Process, risk assessment, governance, and risk mitigation are critical

Page 39: Protecting Your Business From Cyber Risks

D&O Liability Claims - Cyber

• Limited amount of cyber-related D&O litigation to date
  – Issue not high on the list of exposures for D&O underwriters
  – Expected to rise as the exposure continues to grow
• D&O insurance may be implicated:
  – If directors and officers are sued for failing to properly disclose exposure to IT security
  – If privacy risks lead to a financial loss and/or drop in a company’s stock price
  – A plaintiff’s attorney will look at the adequacy of the disclosures around the risk
• To date, most claims have been brought by customers and regulators against the company: claims that are typically not covered under a D&O policy (unless entity coverage is purchased – private companies only)
• A steady growth in the dependence of business on technology and a steady growth in cyber attacks means that the exposure is growing
• In terms of disclosure, the issue of materiality may be in the eye of the beholder or investor: could prove a fertile area of litigation

Page 40: Protecting Your Business From Cyber Risks

Directors and Officers Liability - Cyber

Board members need to be informed of the risks associated with privacy and IT security
• Protection from claims of negligence
• Defense under the business judgment rule

They need to understand:
• The magnitude of the risks
• The procedures in place to mitigate the risks

And thus, organizations may want to look at:
• How often does the board receive reports on privacy and IT security risks?
• How comprehensive are those reports?

Page 41: Protecting Your Business From Cyber Risks

This document and any recommendations, analysis, or advice provided by Marsh (collectively, the “Marsh Analysis”) are intended solely for the entity identified as the recipient herein (“you”). This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh’s prior written consent. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modeling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or reinsurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage.

Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer, and Oliver Wyman.

Copyright © 2014 Marsh Canada Limited and its licensors. All rights reserved. www.marsh.ca | www.marsh.com 141006vg

Page 42: Protecting Your Business From Cyber Risks

Privacy Breach: Canadian Legal Update, Notification Obligations and Risk Mitigation

Peter Murphy, (416) 369-4674, [email protected]

Page 43: Protecting Your Business From Cyber Risks

Legal Update: PIPEDA

PIPEDA established an “ombudsman” privacy enforcement system
• A complaint is made to PCC for breach of PIPEDA
• PCC may investigate and issue a report
• The complainant may apply to court in respect of the complaint or the report
• The court may grant remedies, order the defendant to change its practices, and/or award damages, including damages for any humiliation the complainant has suffered

Page 44: Protecting Your Business From Cyber Risks

Legal Update: PIPEDA

Chitrakar v. Bell TV, 2013 FC 1103
• Bell TV ran a credit check on complainant without permission
• If performed with sufficient frequency, this type of credit check impacts on the credit rating
• Bell TV gave complainant “the royal runaround” and did not resolve his privacy concerns
• Bell TV responded to PCC in a “disingenuous” manner. First it denied it knew which employee ordered the credit check, then it said the employee was terminated

Page 45: Protecting Your Business From Cyber Risks

Legal Update: PIPEDA

• PCC upheld complaint and issued recommendations
• Complainant applied to court
• Bell did not appear in court
• Justice Phelan concluded that Bell TV “violated Chitrakar’s privacy rights under PIPEDA”
• The court acknowledged common law principles of compensation, deterrence and vindication when granting damages
• Court awarded $10,000 damages, $10,000 exemplary damages, and $1,000 costs

Page 46: Protecting Your Business From Cyber Risks

Legal Update: Ontario Privacy Tort

Jones v. Tsige, 2012 ONCA 32
• Created tort of “intrusion upon seclusion” in Ontario
• Jones sued Tsige, a BMO employee, for accessing Jones’ banking records for personal reasons at least 174 times over four years
• Jones sued Tsige for invasion of privacy and breach of fiduciary duty
• OCA recognized “intrusion upon seclusion” as a cause of action and awarded $10,000 damages

Page 47: Protecting Your Business From Cyber Risks

Legal Update: Ontario Privacy Tort

To find “intrusion upon seclusion”:
• The defendant must have acted intentionally or recklessly;
• The defendant must have invaded the plaintiff’s private affairs or concerns; and
• A reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish

Proof of actual loss is not an element of the cause of action!

Page 48: Protecting Your Business From Cyber Risks

Legal Update: Ontario Privacy Tort

Limits on “intrusion upon seclusion”:
• Claims can only arise for significant invasions of personal privacy
• The right of privacy may be subject to competing rights
• Damages for this tort are “symbolic” or “moral” and will likely be no more than $20,000

Note the British Columbia Court of Appeal has ruled that, despite Jones, in B.C. there is no common law tort of breach of privacy.[1]

[1] Ufuk Ari v. Insurance Corporation of British Columbia, 2013 BCSC 1308

Page 49: Protecting Your Business From Cyber Risks

Legal Update: Privacy Class Actions

During 2013:
• 81% year-over-year increase in breach reports to PCC from private sector organizations
• PIPEDA complaints increased from 220 to 426
• Privacy class action suits exploded

Page 50: Protecting Your Business From Cyber Risks

Legal Update: Privacy Class Actions

Condon v. Canada, 2011 FC 250
• Motion to certify a class action against the Minister of Human Resources and Skills Development Canada (“MHR”)
• Alleges MHR lost a hard drive that contained student loan information of 583,000 individuals
• Hard drive was not encrypted and went missing from a cabinet
• MHR notified PCC 3 weeks after becoming aware
• MHR argued that plaintiffs suffered no compensable damages

Page 51: Protecting Your Business From Cyber Risks

Legal Update: Privacy Class Actions

• Plaintiffs allege (a) breach of contract and warranty, (b) intrusion upon seclusion, (c) negligence, (d) breach of confidence:
  • application forms provided that application information would be held confidential and secure
  • for intrusion upon seclusion, plaintiffs argue a reckless breach of privacy by MHR
  • the court held that the claims based on negligence and breach of confidence would fail because there is no evidence of damages
  • class proceeding approved on the questions of alleged breach of contract and warranty and tort of intrusion upon seclusion

Page 52: Protecting Your Business From Cyber Risks

Legal Update: Privacy Class Actions

Hopkins v. Kay, 2014 ONSC 321
• Alleges that 280 patient records in a hospital were wrongfully accessed and disclosed amounting to intrusion upon seclusion
• The defendant argues that PHIPA governs, such that common law tort claims are precluded
• PHIPA sets out a complaint resolution scheme similar to PIPEDA, but also has a $10,000 cap on damages and immunity provisions that protect custodians from acts or omissions done in good faith and reasonable in the circumstances

Page 53: Protecting Your Business From Cyber Risks

Legal Update: Privacy Class Actions

Evans v. Scotia, 2014 ONSC 2135
• Alleges that Bank employee disclosed customer information for fraudulent and improper purposes
• Both employee and employer named as defendants
• The claim is for intrusion upon seclusion, negligence and breach of contract
• Bank argues it is not liable for its employee and there is no cause of action
• The court decided it is not “plain and obvious” that the Bank will not be held vicariously liable for the employee’s tort or for resulting “symbolic and moral” damages

Page 54: Protecting Your Business From Cyber Risks

Legal Update: Privacy Class Actions

Key Privacy Class Action Issues
• Where the breach was inadvertent, what will the standard for “recklessness” be?
• Will privacy breaches amount to “breach of contract” where a privacy policy was not followed?
• Will the dispute resolution scheme in PHIPA (or other privacy statutes) pre-empt or limit actions for intrusion upon seclusion?
• When will an organization be vicariously liable for its employees’ breach of privacy?
• How does the “cap” on damages under Jones v. Tsige ($20,000) apply to class actions?

Page 55: Protecting Your Business From Cyber Risks

Breach Notification

Statutory Breach Notification Requirements:
• At present, only Alberta and Manitoba have statutory breach notification requirements for the private sector.

Page 56: Protecting Your Business From Cyber Risks

Breach Notification

Alberta PIPA
1. An organization must, without unreasonable delay, give notice to the Privacy Commissioner of any loss, unauthorized access to or unauthorized disclosure of personal information under its control if a reasonable person would consider that there is a real risk of significant harm to an individual as a result of the security breach. (PIPA s. 34.1(1))
2. The Privacy Commissioner may require the organization to notify affected individuals where there is a real risk of significant harm as a result of the security breach (s. 37.1(1))
3. The notice must comply with PIPA regulations s. 19.1(1) as to content

Page 57: Protecting Your Business From Cyber Risks

Breach Notification

Manitoba PIPITPA
1. An organization must, as soon as reasonably practicable, notify an individual if personal information about the individual under the organization’s custody is stolen, lost or accessed in an unauthorized manner.
2. The requirement does not apply where the organization is satisfied it is not reasonably possible for the personal information to be used unlawfully.

Page 58: Protecting Your Business From Cyber Risks

Breach Notification

Bill S-4 will amend PIPEDA
• Requires mandatory breach reporting to PCC and affected individuals:
  • notice required as soon as “feasible”
  • where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual
• requires records be kept relating to such a breach and their disclosure to PCC on request
• establishes fines up to $100,000 for breach of the reporting or record keeping requirements

Page 59: Protecting Your Business From Cyber Risks

Breach Notification

Canadian health sector statutory breach reporting obligations
• Ontario Personal Health Information Protection Act, s. 12(2)
• New Brunswick’s Personal Health Information Privacy and Access Act, s. 49(1)(c)
• Nova Scotia’s Personal Health Information Act, s. 69
• Newfoundland and Labrador’s Personal Health Information Act, s. 15(3)

Page 60: Protecting Your Business From Cyber Risks

Breach Notification

U.S. Statutory Breach Notification Obligations
• Most U.S. States require notice of security breaches involving personally identifiable information (only Alabama, New Mexico and South Dakota do not)
• Requirements vary state by state as to who is subject to the law, who to notify, the subject information, what constitutes breach and exemptions

Page 61: Protecting Your Business From Cyber Risks

Breach Notification

The case of California
• California was the first state to require data breach notification (2003); there, both businesses and state agencies must report to individuals and the Attorney General
• As of January 2015, California will require persons or businesses that suffer a breach that exposed the individual’s name and either SSN or D/L number, where the information was not encrypted, to offer identity theft prevention or mitigation services at no cost to the affected individuals for at least 12 months

Page 62: Protecting Your Business From Cyber Risks

Guidelines

Privacy Commissioners in Canada have published guidelines for responding to security breaches
• The guidelines contain consistent approaches to security breaches, the main components being:
  1. Contain the Breach
  2. Evaluate the Risks
  3. Notification
  4. Prevention

Page 63: Protecting Your Business From Cyber Risks

Guidelines

1. Contain the Breach
• Take immediate practical and technological steps to contain the breach
• Activate breach management policy (you should have one!)
• Designate a response team (e.g., Privacy Officer, security, IT, communications and legal) to investigate the breach and handle the situation
• Appoint a company spokesperson
• Contact external legal counsel and media relations advisor

Page 64: Protecting Your Business From Cyber Risks

Guidelines

• Plan reactive customer and media statements
• Conduct interviews (consider using lawyers to protect the discussions with privilege)
• Preserve all internal and external data and records necessary for subsequent investigation

Page 65: Protecting Your Business From Cyber Risks

Guidelines

2. Evaluate the Risks
• How sensitive is the information?
• Is the information encrypted or protected?
• Are the recipients known or unknown, and possibly criminal?
• What harm could result from the breach?
  • identity theft
  • financial loss
  • loss of business or employment opportunities
  • damage to reputation
  • physical safety, security

Page 66: Protecting Your Business From Cyber Risks

Guidelines

3. Notification
• Is notification required?
  • statutory requirements
  • Commissioner guidelines
  • contractual requirements (e.g., services contracts, credit agreements, insurance policies)
  • would notification prevent or mitigate potential harm to the affected individuals?
• When to notify?
  • notification should occur as soon as possible following assessment and evaluation of the breach

Page 67: Protecting Your Business From Cyber Risks

Guidelines

• Who to notify? Consider:
  • Privacy Commissioners, to help them provide advice or guidance to the organization in responding to the breach, including notification, and to meet legal obligations
  • affected individuals, to help them prevent or mitigate potential harm from the breach
  • police, if theft or other crime is suspected
  • insurers, banks
  • professional or regulatory bodies, if required by applicable regulatory standards
  • third parties who may be impacted, e.g., contractors, suppliers, trade unions
  • public at large for publicly traded companies under securities laws/guidelines

Page 68: Protecting Your Business From Cyber Risks

Guidelines

4. Prevention
• Investigate the cause of the breach and develop a plan to prevent breaches
• Prevention Tips:
  • audit administrative, physical and technical safeguards
  • review and update policies and procedures (e.g., security policies, records retention policies, incident response plan, etc.)
  • ensure policies are followed in practice
  • employee training
  • review service providers, partners, distribution channels

Page 69: Protecting Your Business From Cyber Risks

Guidelines

• use encryption where appropriate
• inventory your PI
• review/consider insurance coverage

Page 70: Protecting Your Business From Cyber Risks

Thank You

montréal ottawa toronto hamilton waterloo region calgary vancouver beijing moscow london