confidential corporate information, such as salary schedules, unreleased movies and movie scripts, were offered for free download on peer-to-peer data-sharing networks. The fallout for Sony was enormous: several costly projects had to be abandoned, several high-level executives had to publicly apologize and social media erupted in negative comments. Adding insult to injury, no fewer than four separate class actions by disgruntled employees have since been filed in the U.S., creating a serious financial liability for the company. Some of the allegations in the lawsuits indicate that the company had, in recent years, been breached several times on a smaller scale and did not learn from those experiences. No adequate changes had been put into place – the information was not stored in a properly encrypted format; too many people had access to confidential information; the passwords of the employees were weak and stored in a list that was, unsurprisingly, one of the first targets of the cyberattack.

Perhaps even more surprising is that the data breach at Sony was not even the largest of 2014; it ranked a meagre 33rd. In May 2014, eBay suffered the biggest attack of the year: an estimated 150 million records were breached and placed online, including the personal information (email, passwords, sales history) of all eBay users.
PREVENTION IS KEY
The Internet, an undeniable asset in a globalized economy, poses a serious risk to the companies that use it without care. As reported by The Globe and Mail, in 2013, 36 per cent of enterprises in Canada experienced at least one form of security breach. While it’s the hacking of large companies that makes the headlines, in reality it’s small and medium enterprises of fewer than 50 employees that are most vulnerable and most often fall victim to cyber-attacks. So, what should a responsible company do to avoid data breaches in the first place, and, once a breach is discovered, to limit the legal and financial fallout?
The first step is simple: realizing that no matter how large or small your company is, and no matter the industrial sector you are active in, the company is at risk. Public outcry is magnified through social media, criminal capabilities grow and the legal ramifications are potentially devastating. These issues cannot be seen as just a problem for the IT department; they are a company-wide concern. Simply put, it has become too risky and too costly to close your eyes to the risk and clean up afterwards.
The second step is less self-explanatory: a robust IT and data protection policy should be put into place no matter the size of the company. While data encryption and firewalls should be among your first investments, it cannot end there. As more and more companies provide laptops, tablets and smartphones to their employees, the loss of these devices poses an increasing security risk. All employees should be made aware of the risks of using (and losing) such a device, so that the company can take swift and decisive action as soon as a potential breach is discovered.
INCLUDE EMPLOYEES IN FIGHTING CYBER-ATTACKS
Your employees should be educated about what information is confidential and why, and especially about the potential fallout of a breach of that confidentiality.
Recent studies indicate that only 60 per cent of Canadian enterprises have a policy on data protection. This in itself leaves them vulnerable. A company-wide confidentiality policy should therefore be devised, emphasizing that employees must not copy confidential information, use it for personal purposes or circulate it in any way (including on a social media platform), and that they must help limit the possibility of data breaches. As a result, the company as a whole is made aware of the importance of cybersecurity, and employees will be well placed to recognize cyber risks and to notify the company accordingly and promptly.
PRIORITIZE TIMELINESS
A responsible company should think of having a containment plan in place, in case things do go awry. The risks of regulatory action and class action suits, and the preservation of the organization’s reputation – and in extreme cases, the organization’s existence – all depend on the steps taken in the very first few hours (not days) to contain the situation, mitigate the damage that has been done, fix the problem and get the organization up and running again. It is therefore essential to have a containment plan and, where needed, experts should be called in as soon as possible to minimize the negative consequences of the data breach.
ARE YOU READY TO COUNTERATTACK?
It may seem impossible to prevent a massive cyber-attack or to ward it off completely. Companies, even if they are aware of cyber risks, are still reluctant to make the much-needed investments. The reality is that the budgets companies make available for cybersecurity are lower than what is actually needed to respond robustly to cyber-attacks. Budgets to prevent data breaches or to address their fallout must not be neglected as, in the case of cybersecurity, the evidence shows that prevention is a lot more cost-effective than cure.
Justine Laurier is an associate at Borden Ladner Gervais LLP’s Montreal office. Nils Goeteyn provided research for this article.
legal words
14 ❚ MAY/JUNE 2015 ❚ HR PROFESSIONAL