CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison

Transcription

1 CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison Gary Solway* Bennett Jones LLP The August release of the purported names and other details of over 35 million customers of Ashley Madison, an adulterous liaison website operated by a Toronto-based company, has once again brought home to Canada the risks in using computer networks to carry on business. The company's CEO has departed, and the company is reportedly involved with numerous class action lawsuits and regulatory and criminal investigations in Canada and the United States. According to purported s of the company's former CEO, which were also leaked by the hackers, the hack occurred as the company was attempting to undertake an initial public offering in London, England after other financing and sales efforts failed. For the directors of the company whose tag line is "Life is short. Have an affair" the days are now (likely) very long. The daily news reports of successful hacks of computer networks of notable organizations such as the U.S. federal government, the Canada Revenue Agency and SONY Entertainment have made it abundantly clear that no network is safe. While hacking is an important cyber security issue, recent studies have found that most cyber security incidents are not produced by hackers. Rather, they are "inside jobs" arising from deliberate attacks by disgruntled former employees, or they arise from the carelessness or inadvertence of current employees. The main takeaway for directors is that it is just a matter of time until an enterprise faces a cyber security incident. How well the enterprise responds to that incident * Mr. Solway is Managing Partner of the Technology, Media and Entertainment Group at Bennett Jones LLP. will be determined to a large extent by how well it prepares. This article will examine the board's role in an enterprise's preparation, monitoring and response to cyber security incidents. Preparation Directors have a duty of care, that applies to both "for profit" and "not for profit" enterprises in Ontario. The standard that directors must meet is "the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances."' Directors have unlimited personal liability. Consequently, directors who breach this duty of care have unlimited exposure. The duty of care inherently requires that directors identify and manage key risks facing the enterprise. Risks are commonly measured in terms of the potential for significant financial harm or physical damage, but the spectrum of risk also includes reputational risk, which does not have a precise financial cost. Cyber security is a major risk in terms of potential financial harm, physical damage and (especially) reputational damage. Cyber security is a business continuity issue, just like the risk of fire, and it needs to be treated in a similar fashion, with proper planning. The Ashley Madison hack is a very clear example of a business that is on fire (not in a good way). Cyber security preparedness begins with board oversight and the "tone at the top." Directors need to be engaged in understanding the risk and how the enterprise is managing it. The board may delegate aspects of its oversight role to a board committee such as the audit or risk committee. In its publication, Cyber-Risk Oversight,2 the U.S.-based National Association of Corporate Directors ("NACD") identified the following five 1 This standard is set out in the Canada Business Corporations Act, R.S.C. 1985, c. C-44 (s. 122(1)(b)), the Ontario Business Corporations Act, R.S.O. 1990, c. B.16, (s. 134(1)(b)) and the Canada Not-for-profit Corporations Act (s. 148(1)(b)). It will apply to Ontario's Not-for-profit Corporations Act (s. 43(1)(b)) when it becomes law (likely in 2016). The common law "duty of care applies under current Ontario not-forprofit legislation. 2 Director's Handbook Series 2014, National Association of Corporate Directors. 590

2 principles to define the director's role in cyber security. Principle 1 Directors need to understand and approach cyber security as an enterprisewide risk management issue, not just an IT issue. The director's role is an oversight role. The board needs to make sure all facets of the enterprise are involved. Cyber security is not solely an information technology ("IT") department, issue it involves many other issues. For example, if the enterprise needs to transact business online, the IT department needs to support those needs. It cannot simply say it is too dangerous. That process requires a dialogue between various departments within the enterprise so that business objectives and security objectives can both be satisfied as much as possible, based on the board's risk tolerance. The board needs to supervise the development of policies and procedures that will apply across the enterprise. All aspects of the enterprise need to be involved in their development. For example, the development of a proper Cyber Incident Response Plan may involve legal, financial, sales, marketing, communications, accounting and human resources aspects of the enterprise. The IT department will not be effective if it is isolated and left to its own devices. The board's role is to ensure that all relevant parts of the enterprise are involved and cooperating. All employees need to understand the importance of and embrace security, because one weak link (e.g., a weak password) makes the entire enterprise vulnerable. Principle 2 Directors should understand the legal implication of cyber risks as they relate to their enterprises' specific circumstances. The board should have a basic understanding of: (a) what data the business has; (b) why it has it; (c) where it is stored; (d) who has access to it; and (e) how it can be accessed. For certain types of information or certain industries (e.g., health or financial information), there may be applicable legislation that sets out special rules that govern how that information is to be handled (e.g., geographic rules, encryption rules, disclosure rules). Cyber risks can be external (e.g., hackers, malware) or internal (employees). With respect to internal risks, the board should consider what information employees are entitled to access and why they have or need that access. It may also be desirable to keep certain information (such as "crown jewels") offline altogether. Principle 3 Boards should have adequate access to cyber security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda. Boards are entitled to rely on experts to help the directors fulfill their duty of care.3 Directors are not expected to be experts on everything, but they are expected to inform themselves sufficiently to fulfill their oversight role. Boards (or board committees) conduct their work through meetings. Therefore, to fulfill the cyber oversight role, the board (or a committee) must meet to review these issues. Also, given directors' general lack of expertise regarding cyber security and technology, it may be helpful to recruit a director who is technology literate. If the board cannot or does not want to add a member with that expertise, they can consider having a technology consultant engaged by and reporting to the board to supplement their knowledge to the extent required. Hewlett-Packard's Cyber Risk Report concludes that the threat landscape is still populated by "old problems and known issues." Most of these issues can be addressed. For example, some can be addressed simply by applying patches provided free of charge by the software developers. Consequently, it is important to involve experts who know how to identify and deal with these issues. The board does not want to be embarrassed by a cyber 3 Canada Business Corporations Act, s. 123(5). Business Corporations Act (Ontario), s. 135(4). 4 HP Security Research, at

3 breach caused by "old problems and known issues." Mobile computing and the "Internet of Things" bring new challenges for the board to address. Expert advice is critical to assist the board in assessing the risk that the enterprise faces. Principle 4 Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget. As noted, the board's role is an oversight role. Management, not the board, is responsible for developing and implementing the cyber security framework, including developing budgets, hiring and coordinating personnel (or third party service providers), and developing, implementing and monitoring policies, procedures and response plans. Management should report to the board regularly on cyber security so that the board is kept up to date at a high level. The board may determine that the enterprise does not have the appropriate personnel and systems and cannot afford them or does not want them. In that case, the board may decide to outsource cyber security. Outsourcing is acceptable, but the board needs to ensure that diligence is done on, and sufficient contractual commitments are made by, third party providers. Principle 5 Board and management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach. The board should understand what risks the enterprise is taking on.5 It may not be possible to address everything through security measures alone. Cyber insurance can help protect against deficiencies, although considerable expertise is required in procuring suitable cyber coverage (it is not a commodity and all programs are not created equal). 5 The board should have its directors' and officers' insurance policy reviewed to make sure there is no cyber exclusion even if the board has done nothing wrong, there could be defence costs if the enterprise does not have money to indemnify. The lawsuit against the directors of Wyndham Worldwide Corp,, 6 an international hotel chain, is an example of the exposure that directors face if they are perceived not to be fulfilling their duties to the enterprise. In that U.S. case, the Wyndham directors were sued by certain shareholders for failing to take steps to prevent recurring data breaches of hotel guest information. In its October 2014 decision, the Court concluded that directors had fulfilled their duty of care. The Wyndham board's actions are a good example of what responsible boards should do. The board discussed cyber security issues at every quarterly board meeting (14 of them), the audit committee had investigated the breaches, and the company had, under the board's direction, hired a technology firm to recommend security enhancements and begun to implement those enhancements. The Court was satisfied with the directors' efforts (although the U.S. Federal Trade Commission is continuing its own proceedings against Wyndham, initiated in 2012, challenging the adequacy of what the company has done). The Wyndham case is a reminder that directors will want to ensure that they have appropriate indemnification agreements and directors insurance in place so that they are protected from the defence costs and potential liability associated with any claims, whether or not the claims are meritorious. Part of that "insurance may involve the identification of and ready access to a skilled communications expert, who may help to mitigate the reputational damage that often ensues in these cases. Monitoring Once the cyber security plan is completed, the board needs to ensure that it is properly implemented, functioning and updated. The board should be receiving reports of any problems such as major cyber security incidents, elements of the plan that have not been implemented as planned, or problems in staff training. Cyber security should be a regular agenda item at board or committee meetings. Cyber security is not a one-time exercise it is ongoing because cyber security is evolving and the threat is constantly changing. 6 Palkan v. Holmes et al., No. 2:2014cv01234 (D.N.J. 2014). 592

4 Response A properly prepared cyber security plan will enable the enterprise to promptly respond. The plan will identify how to escalate an incident, including when to inform the board and what role the board will have in the response. There are many issues that need to be considered in a response plan such as: How does the enterprise know that there has been a breach and how serious it is? Who is on the crisis response team (internal and external)? Who is in charge of what when an incident occurs? How does the breach get fixed, if fixable? Who is responsible for informing the board, regulators, police, public, employees, customers, suppliers and insurers? What information will be communicated to each group? Is there any required reporting under applicable law? What can be done to limit liability? What records need to be maintained for court/regulatory proceedings and what will be protected by legal privilege? How should the investigation be conducted and who should conduct it (internal versus external)? Proper advance preparation is extremely important. There are a great number and variety of experts needed to respond to an incident, both internally and externally. They include the board, the CEO, the CFO, the CTO, the privacy officer, the risk manager, the human resources head, the internal communications team, heads of departments that use the network, third party service providers, internal and external legal advisors, external communications advisors, external cyber security consultants, external forensic investigators, insurance agents and insurers. The directors do not want the project team assembly exercise to start only after an incident has arisen. There is often no learning time available at time of breach because there is frequently a need to act immediately. The enterprise needs a team that is up to speed and ready to go, not busy chasing down contact numbers, clearing conflicts and sorting out retainer terms. If no plan has been prepared that is suitable for the type of cyber breach that has occurred, the board will have an ad hoc role, if it is informed about the breach. If the board has not let management know that it wants to know about cyber breaches, the board may not be informed until actions have been taken that the board may not like. A review of the numerous press releases issued by Ashley Madison in response to the hack highlights the myriad of issues and parties involved in responding to hacks of this sort. The website has attempted to fix the security lapse that allowed the hack, has hired experts to review and improve its security, and is cooperating with numerous police agencies in Canada and the U.S. in attempts to find and prosecute the hackers, including offering a $500,000 reward, while at the same time taking steps to assure its customers the site is now safe, and using the international publicity from the incident to promote its business. The website has not disclosed whether it had a suitable cyber incident response plan in place prior to the hack. It first learned of the attack on July 12, but no announcement was made until the hackers posted their threats on a website on July 19 announcing that they were giving Ashley Madison a month to cease operations or face disclosure of customer information. It is not yet known when the directors were informed of the hack and what steps they took during the week of July 12 to avoid disclosure of the hack. Also unknown is what steps the directors took to avoid disclosure of the hacked information in the following month. Given the litigation now underway, it is likely that all those details will be revealed in the coming months and years. Avoid Embarrassment or Worse Cyber security is not just an IT issue to be left to the IT department. It involves the entire enterprise and can only be effectively implemented if it is handled seriously from the board level on down. Directors do not want to be in the embarrassing position of having to reveal that they did not know enough to ask any questions or take steps to supervise the 593

5 implementation of appropriate cyber security measures. Nor do they want their enterprises to suffer the harm and financial and reputational liabilities that can arise from failing to take simple steps to fix known issues or apply free security patches to safeguard the enterprise's information. Given their unlimited personal liability, and their reputational exposure, directors should do what is necessary to ensure that they have fulfilled their duty of care to the enterprise. They should also have appropriate indemnities and liability insurance to protect them from the costs associated with claims that they failed to carry out their duties properly. 594