Employers will have to show they prepared workers to avoid breaches, lawyer says

TORONTO — Amid the mass transition to remote working as a result of the COVID-19 pandemic, most employers are likely focused on operational issues in order to get their employees up and running in their new home offices.

However, in addition to IT issues, experts say employers would be well advised to equip and train their staff to be vigilant against data breaches during this time, as periods of upheaval present a golden opportunity for cybercriminals looking for a way into a company’s network.

In most jurisdictions, a business is typically legally responsible for breaches caused by employees, contractors and service providers.

“Even if they screw up — even if they did something they weren’t supposed to do by accident — the employer is on the hook,” says Brent Arnold, a partner with Gowlings WLG.

Security experts warn that criminals can take advantage of the chaotic COVID-19 situation to trick people into downloading software that can be dangerous or disruptive.

For instance, ransomware can block access to information systems until a fee is paid, potentially shutting down the organization. Other malware may steal customer information or employee passwords.

Many organizations weren’t prepared to have so many employees suddenly work from home as part of government and corporate efforts to deal with the highly contagious COVID-19 coronavirus.

Under employment law, Arnold says, an employer is usually liable for their workers unless there’s actual fraud or the employee is “doing something they’re not supposed to be doing — on purpose.”

“You’ll see situations where somebody also sues the employee, but it’s generally recognized that it’s the company that’s ultimately liable for this.”

But Arnold says there’s an important distinction between being at fault for something going wrong and being legally liable for the consequences of the mess that follows.

“The fact that a company gets breached doesn’t mean they are liable,” he says. “They’ll be liable if they didn’t take reasonable measures to stop that from happening.”

Arnold says most courts don’t expect the precautions to be perfect “because medium and small businesses can’t afford to take all of the possible precautions.”

But he says organizations should be able to prove to a court or regulator that they’ve taken at least the basic steps — such as setting up security technology, procedures and training.

Similarly, Arnold acknowledges that an organization may be under pressure to compensate employees affected by such a breach — the loss of a computer, for instance, or leak of family information.

“If I’m the employee, I suppose the position that I take is: you put me at risk by requiring me to do this on my own computer, on my own equipment, in my own home, using my own WiFi and you didn’t give me adequate training to spot this sort of a thing.”

It’s not likely that employees would sue, Arnold says, but it’s more possible if there’s a written employment agreement.

“And, interestingly, it’s not the rank-and-file employees that we see getting caught by these (scams) all the time. It’s often executives, people who are in a hurry… . They’re the ones, often, who are more likely to click on an email that they’re not supposed to.”

Chandra Majumdar, who leads the national cyber threat management practice for EY Canada, says there’s been exponential growth in phishing emails that tempt the reader to click on an attachment or web link that appears to be about COVID-19 or the coronavirus.

“What we’re noticing is that the majority of the attacks — more than 90 per cent of the attacks that we’re seeing — (try to) steal your credentials, your personal information, using well-known botnets.”

Proofpoint executive vice-president Ryan Kalember says there are two known criminal groups — which he calls threat actors — dubbed TA564 and TA542, that have been targeting Canada with emails that may look like information updates from their executive teams.

A Canadian example provided by Proofpoint shows a fairly clumsy attempt to make an email look as if it’s “Update #49984” from the Public Health Agency of Canada — a legitimate government organization — although the sender’s email address doesn’t belong to the government.

“We’re not necessarily as attuned as we ought to be to social engineering attempts (like this),” Kalember says. “Everyone is looking for information and updates … to be communicated from the executives of their own company.”

Majumdar says that many companies weren’t prepared for the extent of the COVID-19 crisis but advises organizations to stick with the technology they already know if possible.

“It’s not a good idea to introduce critical changes at this point because people are not trained on this and this is how (organizations) open themselves up to being exploited by attackers,” Majumdar says.

As a lawyer, and leader of the Gowlings technology sub-group, Arnold says there may be ways for companies to protect themselves from fines and penalties by having good security practices in place for themselves — but still get caught up with a breach at a smaller supplier with less preparation in place.

Nevertheless, he says, both companies would be held accountable to privacy regulations and possibly litigation.

“The big company doesn’t get out of it by allocating the risk to the small company,” Arnold says.

“If I’m a customer who’s been affected by this, I’m probably going to sue both of them.”

This report by The Canadian Press was first published March 31, 2020.

David Paddon, The Canadian Press
