Cyber Security: Top Legal Risk for Businesses in 2018

Cyber security and cyber compliance now leads the list for top legal risks for business in 2018. Though a data breach sounds like something only large companies need to worry about, it’s far more common and occurs frequently. With fines starting at $10,000 for even small infractions, bolstering your business’s cyber security and protecting against risk is an essential piece of any good business plan. 

cyber security

Listen to the episode here, or read below for full transcripts


Cyber Security, Cyber Awareness and Cyber Compliance

Paul Martin: Welcome to Risky Business, Commercial Insurance of Butler Byers. I’m Paul Martin the business commentator here on CKLM. You’ve heard me talking for a couple of years now about Butler Byers risk assessment system. Today, we continue that conversation and as always we’ve brought in our chief resource, that is Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers Commercial Insurance. We’re going to be talking about a topic we’ve touched on before a couple of times before, Colin, which is this whole notion of cyber security, and cyber awareness, cyber, cyber, cyber. The cyber word is getting to be quite important, but again, it’s surfaced to the top of the agenda in the sense that it’s been identified as something that businesses probably, well, they’re faced with some big challenges, but I would guess, just my conversations with business people, not top of the mind for them, although, it’s top of mind for your industry.

Colin Rooke: Yeah, and you’re exactly right Paul. It really isn’t top of mind enough with business owners. I think anyone in our industry finds the whole notion of cyber security and cyber insurance, it’s a tough sell. It’s a tough sell because, of course, those that are in the limelight, in the media, are always the very large organizations. What’s not discussed is the impact locally on smaller business. We have spent a lot of time on cyber crime. This show today, we’re going to dig deeper into the compliance side. We’ve touched on that. We’ve talked all about the nature of the risk. We’ve talked all about the coverages, what to took look for, what constitutes a breach. Today, I wanted to just dig deep, and say, look, there’s a big compliance component that’s also not getting discussed. We introduced it, I don’t know, six months ago. Since then, we’ve really dug deep into the subject. We’ve said, okay, we have to make this understandable and easy for our clients, and we’ve done that.

Paul Martin: Well, there was just this report that you flagged for me. It’s just come out in the top 1- legal risks for businesses in 2018. It sounds almost like one of those social media things, a top 10 list of whatever. This is an interesting one though. It’s the Top 10 Legal Risks for Business in 2018. Now, you’d think probably cyber might be in there something, but actually top of the list, right?

Colin Rooke: Yeah, not only is top of the list, it’s top of the list by far. So this list was derived by a third party, there’s no insurance angle. It wasn’t done by an insurer. It was created by one of the largest law firms in North America. This top 10 lists are risks that business are at huge risk for litigation, and cyber compliance is number one. These are everything from fines to court costs themselves, so what the legal community is saying, is that they are seeing a huge spike in costs to their clients, to the business community around this subject. Now, it’s not just a matter of understanding it, explaining the coverage, but also it’s costing clients money, and it’s on the rise. It’s growing at about 8% per year.

This top 10 lists are risks that business are at huge risk for, and litigation and cyber compliance is number one. These are everything from fines to court costs themselves, so what the legal community is saying, is that they are seeing a huge spike in costs to their clients, to the business community around this subject. Now, it’s not just a matter of understanding it, explaining the coverage, but also it’s costing clients money, and it’s on the rise. It’s growing at about 8% per year.

Paul Martin: All right. Here’s the legal perspective, the lawyers that are talking about it. Obviously, there are people in the IT world who are talking about it because they’re offering up fixes and protection. How does insurance figure into this? Why is Colin talking about this today?

Colin Rooke: Really good point. Really to explain, I guess our angle is, it all has to do with our approach to business. We understand cyber comliance is a growing concern, and we understand now, and of course, this report confirms that compliance is a huge risk. It’s a fast growing risk that’s going to impact every business, including our clients. We’ve really dug deep, as I mentioned earlier.

Colin Rooke: We looked into, what can we do to help, and it starts with explaining, I guess, the background in cyber compliance. I guess essentially, there’s amendments made to the Personal Information Protection and Electronic Documents Act, PIEPDA. Mouthful to say. They were done in 2015. They called this the Digital Privacy Act. Now, I guess the big thing in our world is, so the proposed changes in 2015, they’ve been working on those for two straight years, and in 2017, around the time we first introduced this topic, they made some regulations that are going to become law very shortly. Essentially, the background of it is, what are our clients, what are businesses required to do should they have a breach. Now, initially, those were guidelines or suggestions. I’ll say strong suggestions. They’re going to become law very shortly, and we said, okay, if we’re going to do what we say we do, we need to best prepare our clients, prospects, everyone we work with to explain what those changes are, and how they can prepare for them.

Paul Martin: Well, and this is just getting to be more and more common, right? It used to be a rare event that we had a breach, a cyber breach, or whatever. Now, I guess in your experience, you’re seeing it much more frequently?

Colin Rooke: Yeah. I mentioned earlier, there’s about an 8% per year increase in the cost of cyber crime. The real concern is, I guess, both increases in the severity and the frequency. When we first got on this topic, I think we had a handful of clients that would have had a breach, or brought up having a breach. We’re hearing about it now all the time, and if it’s not our client directly, it’s in the business community, so and so had a breach, or we were in a peer group and three of the five have had a breach. Still, again, this subject isn’t discussed enough. Again, if you talk to anyone in the IT world, they’re on top of it. Insurance brokers are on top of it, and now we have the legal community on top of it, which is why we said, okay, well, if we’re seeing an 8% increase every single year, and I did some digging, so data breaches have now cost the global economy in the last five years over two trillion dollars. This figure is rising every single year. It’s not expected to decrease or go away, so we really have to make sure that our clients are aware of the nature of the risk.

Paul Martin: You were talking about just awareness levels, that the legal community is on this, the IT community is on it. Interesting, I was speaking with an IT professional in Saskatoon the other day, and he actually eluded to our show, to you and I talking about this. He said, you’ve become kind of a proof of performance for him. He said, I will go to a client and say, we should talk about cyber security. And he’ll say, oh yeah, I heard Colin and Paul talking about that on the radio. I mean, it is starting, finally, to become part of the mainstream conversation, but those would just be forward thinking business people. You’re saying to the rest, I know you have a lot of stuff on your plate, but listen, don’t overlook this one.

Colin Rooke: Yeah, and the real challenge is, how fast cyber security is  growing, how fast it’s changing, but there’s also an opinion out there that, I don’t have anything that a hacker would want. Quite frankly, the answer is, you probably don’t, but if they get access to your system in any way, it doesn’t matter at that point. You are still required to notify your clients about this breach in cyber security. You’ll have a duty to notify them. You still have to notify the Office of the Privacy Commissioner of Canada. You still have to have reporting procedures. You still have to have a plan to mitigate any, not only the current breach, but any future breaches. There’s a lot of requirements on the business owner. I look at this like the federal government also acknowledging that the business community is not taking this seriously enough. They’re going to force you into it. They’re going to force you to look at this. They’re going to force you to prepare, to educate, to organize, to plan. 

Paul Martin: All right. We’ve got to take a little break. We’re going to come back after this one and pick it up. I want to talk more about cyber security and this, what you’ve just eluded to, the sort of new compliance rules that are going to be out there for businesses.

Paul Martin: You’re listening to Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers Commercial Insurance. This is Risky Business Commercial Insurance with Butler Byers. We’ll be back in a moment to continue our discussion on cyber security. 

Responsibility on Business Owners for Cyber Security

Paul Martin: Well, welcome back to Risky Business Commercial Insurance with Butler Buyers, I’m Paul Martin and as always speaking with Colin Rooke the Commercial Risk Reduction Specialist with Butler  Byers Commercial Insurance. And just before the break Colin you were talking about how Ottawa’s notching things up a little bit and sort of putting more ownness on business owners to be just a whole lot more compliant with cyber security. There’re new rules and regulations coming in this year that I’m guessing most of us have no clue about. There’s just a whole lot of stuff happening on the cyber security front that the average business owner needs to kind of familiarize themselves with.

Colin Rooke: Yeah, exactly. And so, back around the subject, why are we talking about this today? Again, we identify that we need to deliver this information on cyber security in a way that will make sense to our clients that will reduce the anxiety around the whole topic, and make focusing on compliance easy. It all starts with education. So, when you hear the subject data breach, okay and now there’s some rules and regulations. Most will say, well what am I required to do? Well, the short answer is you have to have a written report to the privacy commissioner. You have to notify all the affected individuals and you have to keep and maintain records of every data breach. Now, for everyone out there that’s saying, well what is a data breach? That’s a really broad term. I’m not quite sure.

Paul Martin: Yeah, that means a hacker in some secret pavilion in Russia has attacked my system and locked me out or something.

Colin Rooke: Yeah. And people say, oh that’s not me. Well here’s the challenge. The definition of a data breach is a real risk of significant harm to an individual. Now, that’s a risk that’s not proof that’s a risk. And the challenge is the definition of significant harm is very broad, which it’s essentially easier to summarize and say, “If you’ve lost anything from your business that could identify someone you’ve done business with that is enough to constitute significant risk.”

Paul Martin: So you’re saying I have an email from a client on my phone, somebody sees my phone because the email address is there they could identify the client and now that’s a cyber security breach?

Colin Rooke: Absolutely.

Paul Martin: It’s that simple.

Colin Rooke: It’s that simple. We’re not talking about top secret documents. We’re saying someone else could have access to Paul Martin, Paul Martin did not provide authorization for that and I am responsible for that happening, and now we’re looking at a breach. Your cyber security has been compromised. 

Paul Martin: So let’s take this down to a more practical level for the average business owner. And this will lead to an interesting corporate policy question, but here’s a what if. One of my employees is out at the bar with their friends on a Saturday night, accidentally leaves the smartphone on the table and they go onto the next bar or back to a party, whatever. The fact that I am no longer attending that phone probably constitutes a breach?

Colin Rooke: I’ll even take it a step further, what if Paul, you leave the bar, 30 minutes later you realize you’ve lost your phone and in your drunken stupor you actually wipe the phone remotely. You have the wherewithal to do that, that 30 minutes where you did not know who had it and what they were doing with it, that is enough for a data breach. That is enough to compromise your cyber security.

Paul Martin: And now you have to report that?

Colin Rooke: You now have to report it or at least submit it and the commissioner will let you know if you have to take it a step further. And you’re going to have to document it.

Paul Martin: And you may well be notifying all of your clients because they’re likely, or anyone whose email was on your phone and you probably don’t remember who was on your phone so that means you gotta notify everybody.

Colin Rooke: To put this all into perspective, to quantify for anyone listening. The fines start at $10,000 per incident max out at about $100,000 per incident. Now, the definition of per incident also isn’t clear. So, if I lose Paul’s contact info is that one incident? And then if I lose 10,000 others at the same time is that multiple incidents or is it just one giant incident? It’s not clear. But in addition to those potential fines we’re talking about astronomical legal defense costs and we’re talking about ginormous reputation risk. So, as we move forward, as companies are required to document data breaches the litigation is going to go through the roof. If you’re not aware a company lost your data how are you going to alert your attorney that you’re going to seek compensation. Where if now they’re all public and you’re aware of that, it’s going to be your lawyer coming to you saying, your file along with 10,000 others were at risk, we should start talking class action, and we’re going to see that.

Paul Martin: And I alluded to this would lead to a policy question, a corporate policy question. This is something probably most business owners don’t talk about is the notion of having separation between a personal and a corporate smartphone. Do you give your employees their own smartphone that the company owns or do you use their personal one, or do they bring their personal one to work and just use it for? This brings us some really interesting questions because a company could say, “I’m going to give you a corporate phone and there should be no business stuff on your personal phone.” Now they’re carrying two, all kinds of implications.

Colin Rooke: Yeah, bring your own device is a big topic and there’s a lot of arguments even from a liability standpoint for and against if Paul looses his own personal phone does that constitute a breach? Does it need to be a company owned phone? What it really boils down to is a lot of the network company phones they’re issued for control and a lot of those phones will have access to the servers, etc. important documents, but what usually happens is Paul says, “I’m still going to have a personal phone and I’m probably going to have that personal phone with me when I’m not at work. That’s the whole idea of the personal phone. Would it be okay if I receive just my emails to my person phone? Because I want to stay connected if there’s something urgent I want to get to it in my personal time. And I don’t want to be carrying two phones.” Now we have a problem. Even though your personal phone may not have access directly to a server you do by way of email and you’re carrying the problem with you. And even further to that it’s very easy for an employee to set up email to their personal device without asking for access, without asking for authorization. And so again, you may have a problem and you’re not even aware of it.

Paul Martin: Right. We’re bumping up against time here and I guess the obvious question from this for people who want more information, you kind of learned it on this so they can just reach out to you and you’d be quite willing to walk them through it. We’ll pick this up in a subsequent show and continue to talk about it but Colin I need to thank you for this and the time just breezes by when you’re into a topic of this magnitude.

Paul Martin: So, you’ve been listening to Colin Rooke the Commercial Risk Reduction Specialist with Butler  Byers Commercial Insurance. Feel free to reach out to him on this topic of Cyber Security. Trust me, you’re going to hear a lot more about this as the time goes forward. My name is Paul Martin, you’ve been listening to Risky Business Commercial Insurance with Butler Buyers.