Employers will have to show they prepared workers to avoid breaches, lawyer says
Employers would be well advised to equip and train their staff, working at home, to be vigilant against data breaches
TORONTO — Amid the mass transition to remote working as a result of the COVID-19 pandemic, most employers are likely focused on operational issues in order to get their employees up and running in their new home offices.
However, in addition to IT issues, experts say employers would be well advised to equip and train their staff to be vigilant against data breaches during this time, as periods of upheaval present a golden opportunity for cybercriminals looking for a way into a company’s network.
In most jurisdictions, a business is typically legally responsible for breaches caused by employees, contractors and service providers.
“Even if they screw up — even if they did something they weren’t supposed to do by accident — the employer is on the hook,” says Brent Arnold, a partner with Gowlings WLG.
Security experts warn that criminals can take advantage of the chaotic COVID-19 situation to trick people into downloading software that can be dangerous or disruptive.
For instance, ransomware can block access to information systems until a fee is paid, potentially shutting down the organization. Other malware may steal customer information or employee passwords.
Many organizations weren’t prepared to have so many employees suddenly work from home as part of government and corporate efforts to deal with the highly contagious COVID-19 coronavirus.
Under employment law, Arnold says, an employer is usually liable for their workers unless there’s actual fraud or the employee is “doing something their not supposed to be doing — on purpose.”
“You’ll see situations where somebody also sues the employee, but it’s generally recognized that it’s the company that’s ultimately liable for this.”
But Arnold says there’s an important distinction between being at fault for something going wrong and being legally liable for the consequences of the mess that follows.
“The fact that a company gets breached doesn’t mean they are liable,” he says. “They’ll be liable if they didn’t take reasonable measures to stop that from happening.”
Arnold says most courts don’t expect the precautions to be perfect “because medium and small businesses can’t afford to take all of the possible precautions.”
But he says organizations should be able to prove to a court or regulator that they’ve taken at least the basic steps — such as setting up security technology, procedures and training.
Similarly, Arnold acknowledges that an organization may be under pressure to compensate employees affected by such as breach — the loss of a computer, for instance, or leak of family information.
“If I’m the employee, I suppose the position that I take is: you put me at risk by requiring me to do this on my own computer, on my own equipment, in my own home, using my own WiFi and you didn’t give me adequate training to spot this sort of a thing.”
It’s not likely that employees would sue, Arnold says, but it’s more possible if there’s a written employment agreement
“And, interestingly, it’s not the rank-and-file employees that we see getting caught by these (scams) all the time. It’s often executives, people who are in a hurry. . . . They’re the ones, often, who are more likely to click on an email that they’re not supposed to.”
Chandra Majumdar, who leads the national cyber threat management practice for EY Canada, says there’s been exponential growth in phishing emails that tempt the reader to click on an attachment or web link that appears to be about COVID-19 or the coronavirus.
“What we’re noticing is that the majority of the attacks — more than 90% of the attacks that we’re seeing — (try to) steal your credentials, your personal information, using well-known botnets.”
Proofpoint executive vice-president Ryan Kalember says there are two known criminal groups — which he calls threat actors — dubbed TA564 AND TA542, that have been targeting Canada with emails that may look like information updates from their executive teams.
A Canadian example provided by Proofpoint shows a fairly clumsy attempt to make an email look as if it’s “Update #49984” from the Public Health Agency of Canada — a legitimate government organization — although the sender’s email address doesn’t belong to the government.
“We’re not necessarily as attuned as we ought to be to social engineering attempts (like this),” Kalember says. “Everyone is looking for information and updates. . . . to be communicated from the executives of their own company.”
Majumdar says that many companies weren’t prepared for the extent of the COVID-19 crisis but advises organizations to stick with the technology they already know if possible.
“It’s not a good idea to introduce critical changes at this point because people are not trained on this and this is how (organizations) open themselves up to being exploited by attackers,” Majumdar says.
As a lawyer, and leader of the Gowlings technology sub-group, Arnold says there may be ways for companies to protect themselves from fines and penalties by having good security practices in place for itself — but still get caught up with a breach at a smaller suppliers with less preparation in place.
Nevertheless, he says, both companies would be held accountable to privacy regulations and possibly litigation.
“The big company doesn’t get out of it by allocating the risk to the small company,” Arnold says.
“If I’m a customer who’s been affected by this, I’m probably going to sue both of them.”