Attorney Imran Ahmad serves as a partner at Toronto’s Blake, Cassels & Graydon LLP, where he specializes in cybersecurity, privacy and technology law. As a breach lawyer and coach, he works closely with clients to develop and implement strategies related to cyber threats and data breaches, while also advising them on legal risk assessments, compliance, and other related issues; he also serves as a breach counsel when cybersecurity incidents occur.
We sat down with Imran to talk with him about cybersecurity, data breaches and online privacy.
Q: You literally wrote the book on cybersecurity, a preparation and response handbook entitled “Cybersecurity in Canada: A Guide to Best Practices, Planning, and Management.” Today, in the age of cybercrime, what are many companies not doing that they should be doing when it comes to cyber security?
Imran Ahmad: It’s all about preparation. There are several studies that show that organizations that invest in preparing for a cybersecurity incident will be able to better respond, meaning that the impact of the incident will be less severe and operations will not be disrupted.
Key areas they should invest in include:
• Building a practical cyber incident response plan;
• Reviewing and revising their contracts with key B2B customers and partners;
• Data mapping the information they hold; and
• Developing and implementing a robust data retention policy.
Q: How, specifically, do data breaches occur and, in your experience, what are the legal ramifications when they do?
Imran Ahmad: Cyber criminals are looking to make money. They will typically do this by either (i) stealing corporate data and then selling it on the dark net (e.g., credit information) or (ii) disrupting operations and asking for a ransom (e.g., ransomware attacks).
Increasingly, cyber criminals are stealing data that will trigger legal reporting obligations under our provincial and federal privacy laws. There are also sectoral laws to keep in mind (e.g., financial organizations, energy sector, health sector, etc.). Also, companies often have to navigate their contractual obligations vis-à-vis clients and vendors.
Q: How prevalent have cybersecurity issues become in Canada, and how costly can they be to correct once they’ve occurred?
Imran Ahmad: The number and complexity of cybersecurity incidents have increased year over year in recent years. Given our complicated legal landscape in Canada and the increase in class action litigation, the risks related to cybersecurity incidents have never been higher. Additionally, the reputational impact and the loss of credibility vis-à-vis clients and vendors is a key consideration. In terms of cost, the impact can be felt on the bottom line through business interruption, but the cost of remediation and of potential regulatory and legal investigations can also be significant. Organizations that go through a major cybersecurity incident can take several years to get back on their feet.
Q: With many people now working from home and often connected to their company network via their own personal wifi, how do you advise both companies and individuals regarding steps to take to ensure privacy?
Imran Ahmad: The risk related to remote working has never been higher. This is because cyber criminals are attempting to take advantage of either hardware or software vulnerabilities. Think of individuals working from home who may be using a work laptop for personal use to surf the net and may be inadvertently downloading malware which will not be detected until they reconnect that laptop to their corporate network when they return to work. We anticipate that the return to work period will result in an increase in cyber security incidents.
As we’ve seen all too frequently, cybercriminals are a devious group with the ability to create email correspondence and even websites that look official, but are really fronts for the delivery of malware and other malicious items.
Q: What should the savvy employee look for to determine the legitimacy of the content?
Imran Ahmad: The key is to be vigilant. As the famous FBI saying goes, “trust but verify.” Employees should question requests that seem to be out of the norm, even when they appear to be coming from “so-called” trusted sources. Organizations should ensure that they have implemented an analog process whereby instructions related to wire transfers or changes to banking information are manually verified by picking up the phone and calling the individual making the request.