CIO Digest #12 January 20, 2016

Kelly Friedman, partner in DLA Piper (Canada) LLP’s Toronto office, is an experienced commercial litigator with unique expertise in electronic information issues, including electronic discovery, data security and privacy.  She also serves as an expert advisor to Standards Council of Canada, Canada’s member body in the International Organization for Standardization (ISO), advising and negotiating with respect to international standards on information technology security and e-discovery.  Kelly will be speaking at chapter events in Toronto (February) and Ottawa (May).

The Crucial Role of the CIO in Mitigating Data Breach Risk and Fallout

The migration of many computing functions out of the company’s IT department and into the cloud has not diminished the need for the CIO.  Quite the opposite: our economy is now driven by technology.  To be successful today, companies need business technology vision and strategy.  This need provides exciting opportunities for CIOs to be key players in their organizations.  One significant role for the CIO is in the development of overall risk mitigation strategy.  This article highlights two ways in which the CIO can partner with specialists outside of IT to reduce the risk of data breach and the litigation fallout if a data breach occurs.
Safeguarding information assets is about cybercrime, but not only about cybercrime.  Intellectual property, commercially sensitive data, personal information and other valuable information can also be accessed or lost due to bugs, employee carelessness, misinformation or lack of training, loss or theft of a device or computer hardware, or because of a natural disaster.  Consequently, information security is not simply about technology.  It is a comprehensive enterprise risk management problem that requires thoughtful integration of various kinds of expertise, including IT, Human Resources, and Legal.

The CIO as Educator 
This brings me to the educational role of the CIO.  Most likely, the rest of the organization, including Human Resources and Legal, believes that a data breach is solely about technology.  As CIO, you have to explain why this is not the case.
The failure of employees to protect encryption keys, passwords and hardware has led to the greatest percentage of data breaches in the past 10 years.  This is a problem with people, not technology.  No access control policies put in place by the CIO are going to help if employees are permitted to leave their log-in credentials on a post-it note on their desk.  Legal and Human Resources must ensure access control policies are enforced, and senior management from all operational areas must emphasize the importance of continuous training.  The CIO should educate the senior management team on these important issues and take a major role in designing training sessions and communications about access and authentication procedures.
CIOs should also educate the senior management team about IT security standards.  CIOs are familiar with industry, national and international standards for information security management systems, such as ISO/IEC 27002 [1] or the NIST Cybersecurity Framework [2], but most other members of the senior corporate team, including the lawyers, are not.
The purposive implementation of IT security standards will not necessarily prevent a data breach, although it may reduce the likelihood and scope of a breach.  Further, there is a crucial link between the implementation of standards and the prevention of a finding of liability on the part of the company after a data breach.  The link lies in the legal concept of “the reasonable person”, which is the foundation of negligence law.

The CIO as Champion of Standards
Standards are voluntary, but can become legally binding on companies to the extent they are incorporated into the terms of a contract or when they are incorporated into statutes.
In Canada, published standards can be incorporated into federal or provincial legislation or regulations, and in that way, become binding on those doing business or subject to law in that Canadian jurisdiction.  There are many examples, from different industries.  A regulation under Ontario’s Farm Implements Act [3] provides that tractor dealers must comply with specific ISO standards regarding testing for the safety of rollover protective structures on tractors [4].  Under The Highway Traffic Act of Manitoba [5], a regulation provides that mobility aid securement devices (aids for handicapped persons) must comply with one of four standards, two of which are international standards, one of which is a National Standard of Canada and the other is an American National Standard [6].  Under the federal Canada Agricultural Products Act [7], a body can only become accredited to certify food as organic if it meets the requirements of an international standard setting out the requirements for bodies certifying products, processes and services [8].
In a more subtle fashion than direct incorporation by reference into a contract or statute, the content of a standard can be relevant to a company’s legal position in court.  This is of great importance, but is often overlooked by the senior management team.
Courts and tribunals in Canada regularly assess the behaviour of actors before them by comparison to the behaviour one would expect of the “reasonable person”.  The decision-maker decides whether the behaviour sufficiently deviates from the standard of conduct set by the hypothetical “reasonable person” to determine whether the behaviour warrants a finding of fault, to determine a legal dispute or to assess criminal responsibility.
The “reasonable person” test is at the core of the law of negligence in Canada.  Conduct is negligent if it creates an objectively unreasonable risk of harm.  To avoid liability, a person must exercise the standard of care that would be expected of an ordinary, reasonable and prudent person in the same circumstances.  The measure of what is reasonable depends on the facts of each case, including the likelihood of a known or foreseeable harm, the gravity of that harm, and the burden or cost which would be incurred to prevent the injury.
Compliance with a published standard is certainly not treated by the court as determinative of reasonable behaviour.  That being said, decision-makers in Canada do refer to published standards as evidence of what constitutes reasonable behaviour.  A published standard which has gone through a rigorous, consultative and consensus-building process with broad participation is arguably objective, or at least more objective than the view of any one particular expert, series of experts, or witness as to reasonable and prudent behaviour, and therefore can be powerful in litigation.
For example, Canadian Standards Association (“CSA”) standards have been used in a variety of negligence cases in Canada to test the reasonableness of behaviour.  In a case involving a house fire allegedly caused by a defective fan, the manufacturer of the fan successfully escaped liability by proving that the fan complied with CSA standards [9].  CSA standards have also been used to help establish negligence.  In a case alleging the improper installation of windows, the plaintiff was successful at establishing negligence where the court found that “the installation does not comply with the Canadian Standards Association A440.4.98 Window and Door Installation in any respect” [10].
International standards are similarly referenced in Canadian courts.  An ISO Standard was considered by an Ontario court to determine whether a manufacturer was negligent in its design of mechanical prosthetic heart valves and annuloplasty rings [11].  In a Nova Scotia trip and fall case, an expert for the plaintiff performed testing to find the coefficient of friction between two surfaces.  To put these test results into context, the expert drew comparisons with standards for flooring prepared by the American Society for Testing and Materials (ASTM), the British Standards Institute (BSI) and the ISO [12].
CIOs know information security management system standards and have the training to understand them.  If they do not know precisely how to implement every control that is required, they know where to find the external expertise.  But the CIO needs the funding and firm commitment to implement any chosen standard.  Perhaps by understanding the crucial role of standards in litigation risk mitigation, the CIO can partner with the legal team to persuade the other C-suite executives and board of directors that the enterprise should prioritize the implementation of recognized IT security standards.
The CIO as educator and as champion of standards are only two of the ways that CIOs can make a difference in their companies in the age of cloud computing, big data, and the internet of things.  These are exciting times for business people, but they need the help of strategic CIOs if they are going to undertake an acceptable level of risk to be successful.

1. The International Organization for Standardization (“ISO”), Information Technology – Security Techniques – Code of practice for information security controls is found here.
2. Click here.
3. Revised Statutes of Ontario 1990, chapter F.4.
4. Revised Regulations of Ontario 1990, Regulation 369.
5. Continuing Consolidation of the Statutes of Manitoba, chapter H60.
6. Standards for Mobility Aid Securement Devices and Occupant Restraint Systems and Related Exemptions Regulation, Regulation 182/2015.
7. Statutes of Canada 2001, chapter 4.
8. Organics Products Regulations, 2009, Statutory Orders and Regulations 2009-176.
9. Dickson v Broan-NuTone Canada Inc., [2007] O.J. No. 5114, aff’d 2008 ONCA 734 (CanLII).
10. Alexandru v Century Windows and Doors, [2007] O.J. No. 2274.
11. Andersen v St. Jude Medical, Inc., 2012 ONSC 3660 (CanLII).
12. Corbin v Halifax (Regional Municipality), 2003 NSSC 121 (CanLII).


Association News:
Upcoming Chapter Events: Click here to get to the event calendar, or on the event to go directly to registration.
Vancouver: Monday, January 25, BC Aware Campaign Kick-off Panel - Cybersecurity: Whose Job is it Anyway?
Toronto: Thursday, January 28, IDC 2016 Predictions

Events next month (registration is open for linked events):
Ottawa – Feb 4
Vancouver – Feb 16
Toronto – Feb 17
Calgary – Feb 18
Manitoba – Feb 23

A variety of informal gatherings are hosted by different chapters. Details are available in the Event Calendar.