Employers will have to show they prepared workers to avoid breaches, lawyer says


TORONTO — Amid the mass transition to remote working as a result of the COVID-19 pandemic, most employers are likely focused on operational issues in order to get their employees up and running in their new home offices.

However, in addition to IT issues, experts say employers would be well advised to equip and train their staff to be vigilant against data breaches during this time, as periods of upheaval present a golden opportunity for cybercriminals looking for a way into a company’s network.

In most jurisdictions, a business is typically legally responsible for breaches caused by employees, contractors and service providers.

“Even if they screw up — even if they did something they weren’t supposed to do by accident — the employer is on the hook,” says Brent Arnold, a partner with Gowlings WLG.

Security experts warn that criminals can take advantage of the chaotic COVID-19 situation to trick people into downloading software that can be dangerous or disruptive.

For instance, ransomware can block access to information systems until a fee is paid, potentially shutting down the organization. Other malware may steal customer information or employee passwords.

Many organizations weren’t prepared to have so many employees suddenly work from home as part of government and corporate efforts to deal with the highly contagious COVID-19 coronavirus.

Under employment law, Arnold says, an employer is usually liable for their workers unless there’s actual fraud or the employee is “doing something they’re not supposed to be doing — on purpose.”

“You’ll see situations where somebody also sues the employee, but it’s generally recognized that it’s the company that’s ultimately liable for this.”

But Arnold says there’s an important distinction between being at fault for something going wrong and being legally liable for the consequences of the mess that follows.

“The fact that a company gets breached doesn’t mean they are liable,” he says. “They’ll be liable if they didn’t take reasonable measures to stop that from happening.”

Arnold says most courts don’t expect the precautions to be perfect “because medium and small businesses can’t afford to take all of the possible precautions.”

But he says organizations should be able to prove to a court or regulator that they’ve taken at least the basic steps — such as setting up security technology, procedures and training.

Similarly, Arnold acknowledges that an organization may be under pressure to compensate employees affected by such a breach — the loss of a computer, for instance, or leak of family information.

“If I’m the employee, I suppose the position that I take is: you put me at risk by requiring me to do this on my own computer, on my own equipment, in my own home, using my own WiFi and you didn’t give me adequate training to spot this sort of a thing.”

It’s not likely that employees would sue, Arnold says, but it’s more possible if there’s a written employment agreement.

“And, interestingly, it’s not the rank-and-file employees that we see getting caught by these (scams) all the time. It’s often executives, people who are in a hurry… . They’re the ones, often, who are more likely to click on an email that they’re not supposed to.”

Chandra Majumdar, who leads the national cyber threat management practice for EY Canada, says there’s been exponential growth in phishing emails that tempt the reader to click on an attachment or web link that appears to be about COVID-19 or the coronavirus.

“What we’re noticing is that the majority of the attacks — more than 90 per cent of the attacks that we’re seeing — (try to) steal your credentials, your personal information, using well-known botnets.”

Proofpoint executive vice-president Ryan Kalember says there are two known criminal groups — which he calls threat actors — dubbed TA564 and TA542, that have been targeting Canada with emails that may look like information updates from their executive teams.

A Canadian example provided by Proofpoint shows a fairly clumsy attempt to make an email look as if it’s “Update #49984” from the Public Health Agency of Canada — a legitimate government organization — although the sender’s email address doesn’t belong to the government.

“We’re not necessarily as attuned as we ought to be to social engineering attempts (like this),” Kalember says. “Everyone is looking for information and updates… . to be communicated from the executives of their own company.”

Majumdar says that many companies weren’t prepared for the extent of the COVID-19 crisis but advises organizations to stick with the technology they already know if possible.

“It’s not a good idea to introduce critical changes at this point because people are not trained on this and this is how (organizations) open themselves up to being exploited by attackers,” Majumdar says.

As a lawyer, and leader of the Gowlings technology sub-group, Arnold says there may be ways for companies to protect themselves from fines and penalties by having good security practices in place for themselves — but still get caught up with a breach at a smaller supplier with less preparation in place.

Nevertheless, he says, both companies would be held accountable to privacy regulations and possibly litigation.

“The big company doesn’t get out of it by allocating the risk to the small company,” Arnold says.

“If I’m a customer who’s been affected by this, I’m probably going to sue both of them.”

This report by The Canadian Press was first published March 31, 2020.

David Paddon, The Canadian Press

