On November 2nd and 3rd, I was given the opportunity to attend the Canadian Technology Law Association (CAN-TECH) . , I learned more about the legal aspects of technological COVID-19 responses, proposed frameworks for digital identity, financing and start-ups in the current environment, working from home and its impact on diversity, and the latest legal developments related to privacy, cybersecurity, video games, and artificial intelligence. I particularly enjoyed the plenary session on “Cybersecurity: Shielding Your Clients from Expanding Threats” because of my interests in cybersecurity and privacy law.
In the cybersecurity plenary session, the experts discussed the recent cybersecurity threats in the midst of the COVID-19 pandemic. The global COVID-19 pandemic has been said to add “ to the threat environment leading to a drastic increase in the volume of cyberattacks and breaches during the past 12 months in Canada. In Canada, of businesses experienced a cybersecurity breach that negatively impacted their operations. For instance, refer to hackers infecting a computer or network with viruses that encrypt and hold the data “hostage” until a ransom is paid. Ransomware attacks cost Canadian companies around when downtime costs are factored in.
Moreover, hacking groups, like and , are increasingly conducting attacks where hackers exfiltrate and download sensitive data before launching a ransomware attack. The attackers can maximize their chance of getting the companies to pay the ransom by . Most of these cyber attackers demand the ransom in , making it very difficult for law enforcement agencies to track and investigate the crimes.
The attackers choose different sized businesses and organizations for various reasons. For instance, health care providers, law firms, government organizations and large companies are often targeted by (APT) attacks, which require the attackers to carefully research and choose their victims over a long period. Executing an APT attack usually than other attacks and is typically done by experienced and financially-backed cybercriminals. Cybercriminals might choose to attack to demand greater ransom payments.
Cybercriminals also choose small and medium-sized organizations and businesses because they are seen as soft targets who do not have . Moreover, small and medium-sized companies often outsource their IT needs to third parties, creating another cyber risk level for small-sized companies to mitigate. Consequently, small and medium-sized companies must get which will allow them to access resources that may otherwise not be accessible to them. Cyber insurance may also provide coverage and protection for liability regarding .
Though having cyber insurance is extremely important, cybersecurity risk mitigation and management practices are critical to minimize breaches' harm. It has been said that of successful breaches are initiated through phishing emails, malicious attachments, unpatched systems or “vulnerabilities,” or lack of two-factor authentication systems. To mitigate an attack, best cybersecurity practices, such as having a detection plan, threat intelligence, disaster recovery, training, fire drills and having sufficient back-ups, must be in place prior to the attack. Adopting and applying the best cybersecurity practices is incredibly important during the pandemic for those who in an environment that might not have the same formal cybersecurity protections and processes in place. This is true, especially for who have to meet their professional responsibilities such as the obligation of confidentiality, privilege, and the duty of technological competence. It is very important to know and meet these professional and ethical responsibilities even as a law student. Hence, I am very happy that I was given the opportunity to attend this conference, as it taught me a tremendous amount about the most recent and significant developments in Canadian and international technology law.
Written by Elif Babaoglu. Elif is a contributing IPilogue editor and an avid privacy and tech-law enthusiast with a particular focus on artificial intelligence.