CYBER LIABILITY CLAIMS
TRENDS AND DEVELOPMENTS IN THE U.S. AND CANADA
Animateur / Moderator: Daniel Desjardins, Senior Director Global Risk Management & Insurance, Bombardier Inc.
Conférenciers / Speakers: Carolena Gordon, Senior Equity Partner, Clyde & Co Canada LLP
Agenda
Introduction
Legislative Overview U.S. and Canada
Present and future trends
Risk Manager takeaways
Legislative Overview
A) United States
No overarching federal law and 47 state laws.
Federal laws: HIPAA/HITECH (healthcare); GLBA (financial entities); FERPA (education).
State laws: laws are not uniform and vary regarding what constitutes PII, what constitutes a “data breach”, requirements/timing for notice, whether state regulators must be notified, and exemptions.
Regulatory Investigations & Penalties
FTC, SEC, State AGs, OCR, DOE – increasingly active.
Investigations can go on for several years and oftentimes expand beyond the reported breach.
Largest penalty to date: $4.8M OCR penalty – fewer than 7,000 records involved.
Class Action Lawsuits
Until 2014, the trend was no standing to sue in tort; however, courts have recently started to find standing.
Plaintiffs continue to focus on statutory claims (FCRA, CMIA, SCA) – the Supreme Court’s ruling in Spokeo will be key.
If a court finds standing, lawsuits quickly settle – there
B) Canada
Legislative and Regulatory Framework:
Canada currently has a patchwork of laws regarding personal information at the federal and provincial levels. In addition, there are privacy commissioners in every province, as well as a federal privacy commissioner.
Personal information is defined as “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.”
At the federal level, the Privacy Act applies only to federal government entities.
However, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) establishes a framework for the private sector's collection and use of individuals' personal information across Canada.
The only provinces that have substantially similar generally applicable laws in place are Québec, Alberta and British Columbia. Alberta and BC's privacy laws also apply to employee information.
Québec:
In Québec, however, while compensable damages are still required to ground a claim, a request for punitive damages under ss 4, 5, and 49 of the Québec Charter could ground a claim where no damage was suffered but the breach resulted from reckless protection of data by a business.
The requirements for claiming punitive damages under the Québec Charter would in fact greatly resemble the test for intrusion upon seclusion.
Québec's Act respecting the protection of personal information in the private sector (PPIPSA) was Canada's first such privacy protection law and has been deemed substantially similar to PIPEDA.
However, privacy is also enshrined in the Québec Charter of Human Rights and Freedoms (Québec Charter) at article 5, as well as in the Civil Code of Québec at articles 3 and 35-41.
Other provisions affecting the private sector's use of personal information are contained in the Act to establish a legal framework for information technology (Québec IT Act). Thus, personal data in Québec is highly regulated.
Present and future trends in U.S.
Risk Manager Takeaways
Cyber insurance has a role to play in securing companies against the risks outlined above.
It is now clear that traditional policies may not cover the costs involved in a cybersecurity event. Many even have exclusions related to cybersecurity claims.
While cyber-liability insurance can certainly help mitigate some risks, it’s important to remember that purchasing a policy won’t stop hackers or data breaches from occurring.
For example, CEOs must recognize (and act on) the importance of investing in proper security technology, training for staff about safe ways of using technology, and mitigating risks through the implementation of internal cyber-security reporting and controls. All companies should prepare and maintain written cyber-security policies and adopt standards and practices, including a data breach policy.
Larger entities should hire a chief information security officer in addition to a chief privacy officer and ensure these individuals meet and liaise regularly with their boards of directors. Additionally, boards should establish a high-level privacy/security committee to oversee these corporate
• Internal legal counsel should keep up to date on key liability developments and ensure detailed cyber-security/privacy requirements are routinely included in all their contracts with third-party vendors.
Contributing to the potential for a data breach are the following other risks:
• Cybersecurity experts often contend that people are the weakest link in cybersecurity. Consumers choose weak passwords; employees make bad decisions about storing USB keys or files containing sensitive information; healthcare workers access health records without justification; social media users expose their personal information and that of others in photos or status updates.
• Cyberterrorism is a growing threat. Sometimes, cyberterrorists do not even need to hack a network to cause a disruption: the perpetrators of the PlayStation DDoS attack also tweeted a bomb threat that caused a plane carrying Sony Online's CEO to be grounded – and this months before the DDoS attack.
• Cybercrime such as cyber-extortion expenses (the costs associated with paying experts to retrieve compromised data and/or negotiating and paying a ransom demanded by an extortionist).
• State surveillance is of grave concern to many civil liberties advocates. After Edward Snowden revealed the extent of the NSA's spying efforts, many felt their worst fears about state surveillance had been realized. But in addition to actions undertaken solely by the state, businesses may be accessories to violations of civil liberties and the Charter by cooperating in handing over client information without the state producing a warrant.