Privacy and Cybersecurity Law 

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced the first undertaking and fine involving text message violations under Canada’s Anti-Spam Legislation (CASL). This first, involves Quebec-based 514-BILLETS, a ticket broker for sporting and cultural events.

Between July 2014 and January 2016, the CRTC alleges 514-BILLETS sent text messages to recipients without their consent. The CRTC also alleges the company sent text messages without information that identified who sent the messages as well as failed to provide information to recipients that would allow them to easily contact 514-BILLETS.

514-BILLETS has agreed to pay  a total of $100,000 in compensation, appoint a compliance officer and institute a CASL-compliance program. 514-BILLETS will pay $75,000 in the form of $10 rebate couples to 7,500 clients and $25,000 to the Receiver General of Canada.

The CRTC’s media release can be read here.

The federal government released an Order in Council, dated March 26, 2018, announcing that the mandatory data-breach notification rules will come into force on November 1, on the recommendation of Navdeep Bains, Minister of Industry, Science and Economic Development.

After nearly three years, sections 10, 11, and 14, subsections 17(1) and (4) and sections 19 and 22 to 25 of the Digital Privacy Act, Chapter 32 will come into effect to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). The federal government released the proposed breach reporting rules in September 2017 and advised at that time that the proposed regulations will be delayed coming into force after their publications, meant to “give regulated organizations time to adjust their policies and procedures accordingly and ensure that systems are in place to track and record all breaches of security safeguards that they experience.”

With the amendment, PIPEDA will contain provisions requiring organizations to notify affected individuals and organizations of breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner. It also creates offences in relation to the contravention of certain obligations respecting breaches of security safeguards. Among the changes, the new rules will also give the privacy commissioner the power to enter into a “compliance agreement” with an organization in certain circumstance to ensure the organization’s compliance with PIPEDA.

Stay tuned for further updates.

On March 15, 2018, the US Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) issued a joint Technical Alert (TA18-074A) warning “network defenders” in critical sector industries that “Russian government cyber actors” have been intentionally targeting U.S. government entities and organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors since at least March 2016. These threat actors, according to the joint alert, have used this campaign to engage in reconnaissance missions and to obtain operational control of industrial control processes and systems.

The joint alert identifies two targets of the ongoing attack: “staging” and “intended” targets. Staging targets are those “peripheral organizations such as trusted third-party suppliers with less secure networks.” The threat actors use the “staging” targets’ networks as “pivot points and malware repositories when targeting their final intended victims,” the intended targets. Once compromised, the staging targets are used to download source code from intended targets’ websites and to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections. The threat actors ultimately seek to gain information from the intended target on “network and organizational design and control system capabilities within organizations.”

The joint alert identifies a variety of tactics used by the threat actors, including spear-phishing campaigns, watering-hole domain attacks, and collecting publicly available information:

• Spear-Phishing. Through spear-phishing, the threat actors use email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server, which allows the threat actor to gain access to user credentials. With user credentials, and using a password-cracking technique, “the threat actors are able to masquerade as authorized users in environments that use single-factor authentication.”
• Watering-Hole. Through watering-hole attacks, the threat actors compromise “the infrastructure of trusted organizations to reach intended targets. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.” These watering-holes host legitimate content developed by reputable organizations, but the threat actor alters the website to contain and reference malicious content. The threat actors use legitimate credentials to access and directly modify the website content. Once on the website, the victim provides credentials.
• Public Information. The threat actors review information “posted to company websites, especially information that may appear to be innocuous, [to gain access to] operationally sensitive information.” In one example, the threat actors downloaded a small photo from a publicly accessible human resources page, which when expanded was “a high-resolution photo that displayed control systems equipment models and status information in the background.”

Once threat actors gain access to the network, the DHS and FBI warn they conduct “reconnaissance operations within the network,” including “identifying and browsing file servers within the intended victim’s network.” Perhaps most troubling, the DHS and FBI identified in multiple instances “the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities.” This access would allow the threat actors to control operations within the organization, including control of certain energy sectors.

Takeaways

The new joint alert highlights the dynamic threat landscape facing organizations. Although the alert provides technical advice concerning the identification and deterrence of the ongoing attacks, it also provides best practices applicable to the campaign. Many of the recommendations apply outside of the critical sector industries, and provide a timely reminder that all organizations should review their cybersecurity practices and policies on an ongoing basis. Some of the recommended best practices include:

• Reviewing your existing third party contracts to determine cybersecurity vulnerabilities and protections;
• Monitoring VPN logs for abnormal activity;
• Deploying web and email filters on the network;
• Ensuring proper training to inform end users on proper email and web usage;
• Establishing a complex password policy;
• Using multi-factor authentication;
• Assigning appropriate personnel to review logs;
• Completing “independent security (as opposed to compliance) risk review”; and
• Preparing a robust incident response plan.

If you or your organization is looking to create new, or update existing cybersecurity policies or practices, or you have any questions about this joint alert and how your organization may be impacted, please reach out to the Dentons cybersecurity team to discuss how our cost effective strategies can help mitigate your risk and provide an assessment of your overall cybersecurity readiness.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

The United States Securities and Exchange Commission (SEC) recently published updated interpretative guidance concerning the duty of covered public companies to disclose certain material cybersecurity risks and incidents when filing with the SEC. Entitled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” the new guidance clarifies and expands upon an October 2011 guidance issued by the the SEC’s Division of Corporation Finance, and outlines the SEC’s views as to when cybersecurity risks or incidents must be disclosed to the SEC and investors.

Summary of New Guidance

The new SEC guidance has two areas of focus: (1) it reminds companies of their disclosure obligations generally, and how those obligations relate to cybersecurity risks and incidents; and (2) it provides additional guidance regarding the adequacy of company controls and procedures concerning the disclosure of cybsersecurity risks and incidents, including the need for a policy to prohibit insider trading on nonpublic information about cybersecurity risks or incidents.

Cybersecurity Disclosure Obligations – Generally

Public companies are required to file periodic reports with the SEC, including on Forms 10-K and 10-Q, disclosing material information concerning:

1. Business risk factors;
2. Business operations and financial condition;
3. A description of the business;
4. Legal proceedings;
5. Board oversight risk; and
6. A description of the company’s disclosure controls and procedure.

Certain public companies are also required to file Securities Act and Exchange Act registration statements that disclose all material facts required to be stated or necessary to make the statements not misleading, and current reports on Forms 8-K and 6-K to maintain the accuracy and completeness of the registration statements. Public companies are also required to disclose “such further material information” as may be necessary to make the required statements, “in light of the circumstances under which they are made, not misleading.” The SEC “considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.”

According to the SEC, only “material” cybersecurity risks and incidents need be disclosed. Whether a particular risk or incident is “material,” in the view of the SEC, will depend on the “nature, extent, and potential magnitude” of the particular risk or incident, and on the “range of harm that such incidents could cause.” Accordingly, companies should consider the “indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of company activity[,]” including harm to a company’s reputation, financial performance, customer and vendor relationships, and the possibility of “litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.”

Specific to the six categories of disclosure outlined above, the new guidance addresses how cybersecurity risks and incidents should be addressed:

Risk Factors

Covered public companies are required to disclose the “most significant factors that make investments in the company’s securities speculative or risky.” When evaluating cybersecurity risk factor disclosure, the SEC advises companies to consider:

• The occurrence of prior cybersecurity incidents, including their severity and frequency;
• The probability of the occurrence and potential magnitude of cybersecurity incidents;
• The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
• The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including third-party vendor risks;
• The costs associated with maintaining cybersecurity protections, including insurance coverage;
• The potential for reputational harm;
• Existing or pending laws and regulations that may impact the companies’ compliance with regard to cybesercurity, and the associated costs with such compliance; and
• Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

The SEC notes companies “may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.” For example, if a “company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur. Instead, the company may need to discuss the occurrence of that cybersecurity incident and its consequences as part of a broader discussion of the types of potential cybersecurity incidents that pose particular risks to the company’s business and operations.” The SEC also notes that past incidents involving suppliers, customers, competitors, and others “may be relevant when crafting risk factor disclosure.”

Business Operations and Financial Condition

Covered public companies are required to discuss their financial condition, changes in financial condition, and results of operations in their public disclosures. According to the SEC, these items require a discussion of “events, trends, or uncertainties that are reasonably likely to have a material effect on its results of operations, liquidity, or financial condition, or that would cause reported financial information not to be necessarily indicative of future operating results or financial condition and such other information that the company believes to be necessary to an understanding of its financial condition, changes in financial condition, and results of operations.”

In this context, the SEC notes the cost of ongoing cybersecurity efforts, the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents could inform a company’s analysis. In measuring cybersecurity costs, the SEC says companies “may consider the array of costs associated with cybersecurity issues,” including costs associated with:

• Loss of intellectual property;
• Immediate costs of the incident;
• Implementing preventative measures;
• Maintaining insurance;
• Responding to litigation and regulatory investigations;
• Preparing for and complying with proposed or current legislation;
• Engaging in remediation efforts;
• Addressing harm to reputation; and
• Loss of competitive advantage.

Description of Business

Covered public companies are required to discuss their products, services, relationships with customers and suppliers, and competitive conditions. The SEC advises companies to disclose cybersecurity incidents or risks if they “materially affect” any of these disclosure requirements.

Legal Proceedings

Covered public companies must disclose information relating to material pending legal proceedings to which they or their subsidiaries are a party. The SEC makes clear that this disclosure requirement includes “any such proceedings that relate to cybersecurity issues.” For example, if a company experiences a cybersecurity incident “involving the theft of customer information and the incident results in material litigation by customers against the company, the company should describe the litigation, including the name of the court in which the proceedings are pending, the date the proceedings are instituted, the principal parties thereto, a description of the factual basis alleged to underlie the litigation, and the relief sought.”

Financial Statements

The SEC advises companies that their financial reporting and controls systems must be “designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available.” Cybersecurity incidents and risks may impact a company’s financial statements by resulting in:

• Expenses related to investigation, breach notification, remediation and litigation, and the costs of legal and other professional services;
• Loss of revenue, providing customers “with incentives or a loss of customer relationship assets value;”
• Claims related to warranties, breach of contract, product recall/replacement, indemnification, and insurance premium increases; and
• Decreased cash flow, and impairment of assets.

Board Oversight Risk

Covered public companies are required to disclose the extent of their board of directors’ role in the risk oversight of the company, including how the board administers its oversight function and the effect that has on the board’s leadership. The SEC’s new guidance makes clear that to the extent “cybersecurity risks are material to a company’s business,” such discussion “should include the nature of the board’s role in overseeing the management of that risk.” This disclosure will allow investors to “assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”

Disclosure Controls and Procedures

The SEC encourages companies to “adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.” Specifically, companies should asses whether they have sufficient disclosure controls and procedures in place to “ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate ppersonnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.”

When designing and evaluating disclosure controls and procedures, the SEC advises companies to “consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings.” Controls and procedures, according to the SEC, should enable companies to:

• Identify cybersecurity risks and incidents;
• Assess and analyze their impact on a company’s business;
• Evaluate the significance associated with such risks and incidents;
• Provide for open communications between technical experts and disclosure advisors; and
• Make timely disclosures regarding such risks and incidents.

With regard to the requirement that a company’s principal executive officer and principal financial officer make certifications regarding the design and effectiveness of disclosure controls and procedures, the SEC says such certifications and disclosures “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.” In addition, if the cybersecurity risk or incident poses a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed, management “should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.”

Insider Trading

In addition to the disclosure obligations set forth above, the new SEC guidance also advises companies, their directors, officers, and other corporate insiders to comply with “the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches.” Specifically, the SEC notes that information about a company’s cybersecurity risks and incidents “may be material nonpublic information, and directors, officers, and other corporate insiders would violate the antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.”

The SEC also encourages companies to consider how their codes of ethics and insider trading policies “take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents.” Additionally, while companies are investigating and assessing cybersecurity incidents, companies “should consider whether and when it may be appropriate to implement restrictions on insider trading in their securities.”

Takeaways

The SEC makes clear in its new guidance that it is not advising companies to “make detailed disclosures that could compromise its cybersecurity efforts[.]” For example, companies are not required to provide a “roadmap” for malicious actors to penetrate the company’s cybersecurity protections. Nor does the SEC “expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.”

Instead, the SEC advises companies to “disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.” The SEC further requires companies to “make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders) from trading its securities until investors have been appropriately informed about the incident or risk.”

The SEC makes clear in its new guidance that it expects companies to “provide disclosure that is tailored to their particular cybersecurity risks and incidents.” To that end, companies are advised to “avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.” If you or your company is subject to these SEC disclosure requirements, or have questions about the SEC’s new guidance, please reach out to the Dentons cybersecurity team to discuss how our cost effective strategies can help mitigate your risk and provide an assessment of your overall cybersecurity reporting readiness.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

On March 14, 2018, IBM Security announced the results of a new global study on organizational cybersecurity readiness and resiliency entitled “The 2018 Cyber Resilient Organization.” The new survey includes insights from more than 2,800 security and IT professionals, and makes clear that cybersecurity readiness and resilience remain a critical challenge for businesses worldwide:

• 77% of respondents admit they do not have a formal cybersecurity incident response plan applied consistently across their organization;
• 77% of respondents report having difficulty retaining and hiring quality IT security professionals;
• 50% of respondents believe their incident response plan is either informal, ad hoc, or non-existent;
• 60% of respondents consider lack of investment in artificial intelligence and machine learning as the biggest barrier to achieving cyber resilience;
• 31% of respondents believe they have an adequate cybersecurity budget in place;
• 29% of respondents report having ideal staffing to achieve cyber resilience; and
• 23% of respondents say they do not currently have a CISO or security leader.

Cyber resiliency and preparedness remain a challenge for businesses worldwide.

Despite these results, 72% of respondents report feeling more cyber resilient than they were last year. Is this confidence misplaced?

The new results largely track the results of PricewaterhouseCoopers’ Global State of Information Security Survey (GSISS) 2018, which found that of the more than 9,500 senior executives surveyed in 122 countries:

• 67% have an internet of things (IoT) security strategy in place or are currently implementing one;
• 36% have uniform cybersecurity standards and policies for IoT devices and systems;
• 34% have new data collection, retention and destruction policies; and
• 34% assess device and system interconnectivity and vulnerability across the business ecosystem.

These low results for cyber preparedness and resiliency present a significant risk for business. In its Global Risk Report 2017, the World Economic Forum found that “large-scale cyber-attacks or malware causing large economic damages” or “widspread loss of trust in the internet” remain the primary business risks in North America.

Organizations must be better prepared for cybersecurity incidents, which can result from unintentional events or deliberate attacks by insiders or third parties, such as cyber criminals, competitors, nation-states, and “hacktivists.” A prior IBM Study on the cost of data breaches found, using a sample of 419 companies in 13 countries and regions, that 47% of data breach incidents in 2016 involved a malicious or criminal attack, 25% were due to negligent employees or contractors (i.e., a human factor), and 28% involved system glitches, including IT and business process failures.  Organizations that fall victim to successful cyber attacks or experience cyber incidents may incur substantial costs and suffer significant consequences, including remediation costs, increased cybersecurity protection costs, lost revenue, litigation and legal risk, reputational damage, increased insurance premiums, and damage to the organization’s competitiveness and shareholder value.

Making things more complicated, there are number of new regulatory regimes requiring covered enterprises to develop robust cybersecurity policies, safeguards, and incident response plans, including the New York Department of Financial Service Cybersecurity Rules and the US Security and Exchange Commission’s recent guidance on cybersecurity risk and incident disclosures.

If you or your enterprise are looking to assess your current cybersecurity practices, risk profile, or incident response preparedness, including legal compliance, or create new systems, policies, and processes, the Dentons cybersecurity team is prepared to help.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.