CEOs, not chief information officers (CIOs), should be making the call on whether to report a data breach when a company falls victim to a targeted cyberattack, a former privacy commissioner told a cyber loss management seminar organized by Crawford & Company (Canada).
While some companies may have their CIOs making such a determination, the responsibility properly lies with the CEO, said Chantal Bernier, who served as assistant and interim privacy commissioner at the Office of the Privacy Commissioner of Canada for six years between 2008 and 2014.
“Why should it be on the CEO’s desk, instead of the CIO?” asked Bernier, currently counsel at Dentons LLP. “The reputational status, the financial status of an organization is too significant for it not to be a decision of the CEO.”
Mandatory data breach reporting under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires an organization to report a data breach if it poses a “real risk of significant harm” to any individual whose information was involved in the breach. A risk assessment must consider the sensitivity of the information involved, and the probability that the information will be misused.
Organizations that knowingly fail to report to the Office of the Privacy Commissioner or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches, could face fines of up to $100,000.
A company should have criteria in place to determine what a “real risk of significant harm” would be, Bernier said Thursday. Also, a decision tree should be in place to define everyone’s responsibilities in the event of a cyber breach.
“You will not be judged as quickly for when you have been breached or not,” said Bernier, offering her opinion on how regulators might respond to companies after a cyberattack. “You will be judged as to whether you were diligent in avoiding such a breach, and whether you were accountable if you hadn’t stopped a breach.”
Bernier’s keynote speech kicked off a hypothetical case scenario, developed by Crawford, in which ‘The Grinch’ launches a holiday season cyberattack against Best Property Management Enterprises, a fictitious supplier of outsourcing services. The Grinch demands $1 million from the company payable within 48 hours, followed by $500,000 every 24 hours after that if no payment is made. Meanwhile, the hacker threatens to shut down HVAC and security systems at the insured’s clients.
The case study featured a video presentation of a company CEO bumbling through the crisis, making one mistake after another — including suppressing all communication of the event for five hours until the IT department had a chance to work it out, and telling a reporter that the breach never happened. Seminar speakers observed that the CEO “improvised” his way through the crisis, because the company did not have a proper plan in place for dealing with a cyberattack.
“From a legal perspective, the increase in frequency and severity of the events, coupled with the strength of regulatory frameworks, will end the improvisational era,” Nathalie David, partner at Clyde & Company, told the seminar.
In a February 2017 report, IT and business consultant Scalar Decisions Inc. said Canadian companies face an increased risk from such attacks, with the number of confirmed cyberattacks rising to 44 per year.
A separate Scalar study in 2018 suggests that the average Canadian business faces $3.7 million in cyber exposure, including direct and indirect costs per organization, in addition to network downtime, lost employee work days, lost files and compromised information.