recent findings of a wide-ranging report released by Borden Ladner Gervais LLP (BLG), a Canadian law firm, half of the top ten legal risks affecting business in 2016 are cyber related.
Speaking to Insurance Business, Andrew Harrison, managing partner at BLG, said that: “More and more, the lines between work and personal technologies become so blurred that many employees no longer make a conscious distinction between work and personal.”
Of the various risks identified, Harrison notes that the average cost of a data breach is US$3.7m and larger organisations will be at the higher end of the scale. There is increasing fraud in e-payment systems; IT security failures due to people (mis)using workplace computer systems; and compliance risk. “Cyber has ramifications beyond the scope of the initial business in case of malware or a cyber breach, and one of the interesting things about the insurance business is that it is so wide ranging in its scope,” Harrison said.
BLG found that there is a new trend in Canada towards privacy class actions being launched following a cyber security breach or an improper disclosure of personal information. Indeed, privacy class actions triggered by data breaches are growing in popularity in Canada, with between twenty and thirty privacy class actions currently pending or already certified.
These lawsuits follow either a cyber security or another similar data security breach, or the launch of a new privacy-sensitive product or innovative marketing program.
On the data security front, businesses, particularly small to mid-size entities, often lack breach response policies, proper governance tools, and employee privacy training programs to prevent or promptly respond to breaches. They lack cyber security preparedness, which makes them vulnerable to privacy class actions following a security breach involving personal information.
In this era of Big Data, new business models and marketing techniques are emerging, including facial recognition and personalization reaching new levels of sophistication, as well as dynamic pricing practices, to name but a few. Businesses need to consider whether personal information is properly “de-identified”, what type of information should be considered as “sensitive” in various contexts, how to obtain valid consent in compliance with the “reasonable expectations” of customers, and how to deal with technological innovation, shifting social norms, and building customer trust through proper privacy practices.
The advent of mobile and digital wallets, coupled with contactless payment methods and the ever-increasing growth in on-line payments, has made e-payments ubiquitous and has increased the need to develop effective authentication protocols, technology, policies and procedures to mitigate and reduce the risk of fraud.
2015 saw a number of high-profile cyber-sex related security breaches. Most prominent in Canada was the Ashley Madison scandal, in which the personal details of over 37 million people were exposed. Worryingly for employers, many subscribers to the website had signed up using their professional email accounts.
“It’s worth pausing at the beginning of the year to work out what people need to be sensitive to,” said Harrison. “We’re not trying to be dramatic but ignoring these risks is not helpful either. Whenever there’s a risk there’s an opportunity for insurers, because often that’s a way of sharing risk.”
As the lines between work and personal use of increasingly prolific technology become more and more blurred, the exposure to risk, for businesses of all types, grows in parallel. According to the