Under new US regulations, businesses are required to publicize that they were hacked, and there may be an unpleasant price to pay. Observers in the industry say companies are increasingly facing legal consequences and public relations disasters.
The regulation requires businesses to report any cyberattack to the Securities and Exchange Commission (SEC). They must disclose the breach within four days, list various ways the data was compromised, and show how risks were mitigated.
“The new rules are a part of a larger regulatory shift to hold businesses accountable for protecting their customers online, and to hold the companies liable for the losses they suffer because of these attacks,” notes Israel Mazin, co-founder and CEO of Memcyco, a website impersonation detection and protection solution.
The drawbacks?
“This puts businesses in a vulnerable position,” he adds. “Publicly disclosing attacks means potentially big reputational blowback — and it has yet to be shown to help solve the problem.”
Though he won’t mention names, Mazin says he knows of several renowned businesses that lost revenue as a result of their willingness to announce a data breach.
The US regulations have already become a source of perverse games for hackers.
In one story, a hacker played “cop and robber” at the same time: after breaching a company, they then reported it to the SEC for not disclosing the breach. Essentially, this double attack was an unforeseen consequence of an otherwise well-intentioned law.
What are the implications in Canada?
The legal problem is another challenge.
Dave Oswald, founder of Forensic Restitution, which specializes in forensic accounting and computer forensics, says there’s already a proliferation of court cases filed against American breached entities. Expect the phenomenon to soon inch north to Canada, he says.
“I think over time there will be increased litigation,” he says. “Especially with companies who don’t have adequate cyber training.” Those organizations or businesses that do not have a cyber reaction team, or are not set up to protect against a cyber attack, “are the companies that, I think, will end up on the wrong side of lawsuits going forward.”
There are already plenty of cybersecurity lawsuits being handled in Canada and the US, adds Andrew Buckles, cyber services owner at ISA Cybersecurity in Toronto. He points to five Ontario hospitals that recently faced a “major cyber attack” and are currently facing a close to half-billion-dollar class action lawsuit.
“If you’re being hit with a very large lawsuit, that can be extremely detrimental to your business,” Buckles says. “Chances are you weren’t managing that risk effectively. And you may not have even been aware of that risk.”
Canada has its own cybersecurity laws proposed in Bill C-26, also known as the Critical Cyber Systems Protection Act, which Buckles says is a “good example” of oversight. However, he adds that “Canada certainly needs to continue looking at what regulatory authority they have over different industries and how [they can] improve those requirements to a minimum standard.”
“Lots of businesses collect data and information and digitize; if they experience a cybersecurity incident, the public is impacted in many cases,” he continues. “So there is a public interest in making sure that organizations do manage their risks effectively so that the public doesn’t have to ultimately pay the price.”
Guidelines for data security
When it comes to dealing with cyber breaches, the United States and Canada have different rules. In Canada, if a cyber breach is considered significant, companies only need to issue a press release. Other than this, most of the guidelines are more like suggestions than strict requirements.
In February 2017, the guidelines for this in Canada were outlined in the Canadian Securities Administrators’ (CSA) notice for disclosure of cybersecurity risks and incidents.
Canadian Securities Litigation reported that these were characterized as “guidelines,” including: risk governance and risk mitigation strategy, detailed disclosure of material cybersecurity risks, procedures designed to ensure that detected cybersecurity incidents are communicated to management for timely disclosure, disclosure of the anticipated impact, and costs of the incident.
The report said legal and procedural demands on companies are sure to follow. “Trends in the United States are often a harbinger of what may be coming to Canada,” the article states. And, while the trend in cybersecurity disclosure-related litigation hasn’t hit the Great White North to the same extent yet, the authors say that “Canadian companies should be watching.”
In Canada, the emphasis in proposed class actions regarding cyber attacks has mainly centered around individuals whose data might have been impacted by a cybersecurity event rather than securities class actions, according to the authors.
In November 2022, the Ontario Court of Appeal issued three decisions holding that companies that had been cyberattacked by unknown third parties were not liable for the damages. The authors of the article, however, say this case law “will continue to be tested.”
Mitigating risk
Ultimately, for any Canadian or American company, cyber damage control is key to mitigating legal issues or reputational issues. At the point of discovering a hack, an organization or company should know the right steps to curtail the threat and minimize damages.
“Communication should include clear identification of the threat, steps the business is taking, and actionable advice for customers, such as verifying website URLs, avoiding clicking on suspicious links, and monitoring their accounts for unusual activity,” says Mazin.
By the time of discovery, attackers may have already harvested user data — which they can use or sell — leading to identity theft or further scams.
This can shake customer confidence in the brand.
“It’s vital to provide reassurance that customer protection is a priority, and to offer support services for those who may have been compromised,” Mazin adds.
Regarding the new US regulations, he says the government did the right thing by looking out for the consumer’s best interest in requiring data breach crises to be handled openly and transparently. The next requirement should be legally mandated up-to-date cybersecurity, he says, “to greatly minimize the overall risk of privacy breaches, and legal consequences.”
Something like this would require security professionals to work in tandem with the government so as not to make this kind of law onerous, “but also ensure a standard set for major companies.”
As for the reputational damages after the fact, “it would pay for companies to have a pre-emptive plan to cope with public relations fallout,” says Mazin.
Here are some tips on how to mitigate risk:
Implement robust cybersecurity measures:
- Establish strong firewalls, encryption, and intrusion detection systems.
- Regularly update and patch software to address vulnerabilities.
Prioritize employee training and awareness:
- Provide comprehensive cybersecurity training to employees to avoid human error.
Develop and test an incident response plan:
- Create a well-documented incident response plan for cybersecurity breaches.
- Regularly conduct simulations and drills to ensure effectiveness.
Secure customer data and communication:
- Encrypt customer data.
- Develop clear communication protocols for timely and transparent disclosure of cyber incidents.
Regularly review and update policies:
- Review and update cybersecurity policies with evolving threats and regulations in mind.
- Collaborate with government and industry bodies to stay informed about cybersecurity guidelines.