Into the Breach

As advances in technology have made it easier to move information around, a data or information breach has become one of the most important risks for any firm to consider, contain, mitigate and manage. Emails, instant messaging and social media have opened up the channels now in use and have changed how information is moved – between companies and individuals alike.

While it is very difficult to control this flow of data and information, there is no excuse for not doing whatever can be done to protect the information. There is even less excuse for not recognizing the need to respond immediately once a breach has been reported or identified. In January 2012, a Bloomberg article described how China-based hackers tried more than a year earlier to derail a $40-billion acquisition of the world’s largest potash producer, Saskatchewan’s PotashCorp, by an Australian mining company, by targeting the downtown Toronto offices of Canadian law firms managing the deal. (It was reported that seven different Canadian law firms were breached as well as the federal Department of Finance and the Treasury Board of Canada.) Breaches and leaked information can have a drastic impact on negotiations and, worse, actual outcomes. Information landing in the wrong hands can potentially lead to catastrophic damage amounting to millions of dollars, as well as crippling damage to the reputations of and consumer trust in any organizations involved in the breach.

New Risk

Lawyers may be among the most educated purchasers of insurance, yet most law firms are without protection from one of the most pertinent risks related to their profession: protection of “client” information. The ability for hackers to wreak havoc, even breaching technology-savvy firms such as Sony, is no longer merely a threat; it is a reality. Given the highly sensitive nature of client-lawyer relationships, law firms need to recognize that the portability of information in channels outside of their control is a risk that can come home to roost.

Consider the tools of the modern-day businessperson: laptops, USB drives, smartphones and tablets are used for conducting business more than ever before. Couple that with increased workloads and greater work pressure, professionals are increasingly relying on the ability to take work home with them.

Content resides on devices more than ever before and the associated security in most cases is wanting. Despite efforts by organizations to protect, secure and manage business data and content, human behaviour is presenting a challenge to strict security. For example, findings from a survey on USB security out of the United Kingdom, conducted by the Ponemon Institute in 10 European countries, indicate that 72% of those who lose or misplace a USB that contained company information do not report the breach or notify the appropriate authorities. The risk of devices being lost or stolen – and, along with them, their content – in transit is significant.

In an age where companies are pushing “paperless” working environments, organizations are effectively encouraging use of tools often without appropriate governance or adequate terms of use to provide guidance. By not doing so, organizations are inadvertently putting at risk their intellectual capital, their corporate reputations and their competitive intelligence.

Nightmare Scenario

A junior partner is working late to add the finishing touches to an aggressive takeover bid. He places the presentation and supporting financial reports on a USB drive so he can access the information from the client’s boardroom. He also adds to the drive the revenue forecast and penetration analysis he has been working on over the past couple weeks so that it will be on hand should any questions arise with regard to the sustainability of his recommendations, and whether or not report numbers can be substantiated.

There are three other organizations involved in the takeover bid. The junior partner packs up and hurries to catch the train. Upon arriving at his home station, he takes a cab home. At home, he leaves his briefcase by the door. The following day, he arrives at the office early to prepare for the presentation, empties his briefcase and cannot find the USB drive.

Frantic, he calls the train station to see if anyone turned in the drive, but has no luck. He calls the cab company, but unable to recall the taxi number or driver, is told they will let him know if anything turns up. When his boss walks in and asks for the USB to share the presentation material with the other organizations involved in the bid, he can only say the firm’s information (and theirs) has been lost. A June 2011 report from NetDiligence notes that 15% of breaches occurred as a result of lost or stolen devices, 36% were caused by hackers and 19% were the result of actions by rogue employees. Many insurers offer cyber risk coverage, although only a handful seem to address one of the most important aspects of managing the risk: a response protocol to address the time immediately following the breach, and the potential damage to the organizations and individuals compromised by the breach. In many cases, the actions taken within the first 24 hours of a breach can go a long way toward gaining control of the situation, by initiating corrective measures and starting the notification process. An insurance partner should be able to offer the support needed should such events occur.

The Response

The junior partner reports the loss of information to his firm’s senior counsel who, in turn, informs the risk manager. The firm’s appropriate cyber risk policy is located and the 1-800 response line is called to initiate the emergency response scenario. The process can begin with just the names and contact information of those compromised; the nature of the content does not need to be disclosed or shared in any way, meaning that solicitor-client privilege will not slow the process. A call centre is standing by to begin notifications before close of business day. Within hours, the firm’s insurance carrier and response team have responded with legal, public relations and claims specialists who have begun the process of determining the potential scope of the damage, have identified what information has been compromised and have started to prepare statements for the media. Managing any impact on the reputations of the organizations involved is critical. In addition, any potential business interruption is evaluated and mitigation strategies are immediately implemented. The lost USB drive has not yet been recovered, but the organization has nonetheless initiated its emergency response protocols, and the insurer’s claims and crisis communications team has already made significant strides to minimize the breach’s impact and started to mitigate potential exposure.

Looking Forward

Privacy legislation is changing rapidly. For example, there have been changes in Ontario and federal amendments tabled, namely Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act, more than a year ago. As insurers work to keep up with the fast-changing nature of legislation in the cyber world and introduce new products to protect firms caught by the flow of data, there are a few important things to bear in mind. The responsive aspect of the coverage is critical – claims and response teams need the knowledge, experience and support personnel in place to quickly and efficiently respond to a breach as soon as it has been reported. With a number of cyber products in the marketplace, underwriting knowledge is key – inexperience or lack of knowledge in this area can leave an organization exposed because of inadequate coverage related to the class of business. Premium indications also may be slightly skewed based on improper ratings of exposures.

The ability of an insurer to protect an organization’s data (or that of your clients) globally must also be a consideration since emailed attachments can r
each other countries as quickly as someone sitting in the same office. When talking to the insurance broker, ask for an underwriter who has comprehensive coverage, experience and claims capability for cyber and data security. Safeguarding the integrity of clients or organization data and information is the first step in mitigating the broader risk to reputation, sustainability and trust. Specify the need for a response component to the cyber policy to ensure coverage provides the capacity, capability and expertise to respond quickly, which can have a significant impact on the end result.