Bay Street News

VTech – Privacy and Data Breaches: A Wake Up Call and Unfolding Massive Legal Issues From This Legal Expert.

TORONTO, Dec. 4, 2015 /CNW/ – “Toymaker VTech says data on over 6 million children taken in cyber-attack”, Globe and Mail headline, December 1, 2015. VTech Holdings, based in Hong Kong stated said the children’s profiles include name, gender and birth date were affected. Stolen data on their parents of approximately 5 million included name, mailing address, email address, secret question and answer for password retrieval, IP address, download history and encrypted password  housed on the “Learning Lodge” app store database remains a big concern. VTech Holdings Limited, based in Hong-Kong, stated that an unauthorized party accessed VTech customer data.

The VTech massive breach has affected approximately 300,000 Canadian parents and children.  Ravi Shukla, Partner and leading Internet and Information Technology expert at Fogler Rubinoff LLP, a Toronto-based law firm says “At this time, it is unclear if the Canadian Federal Privacy Commissioner intends to become involved. That position will depend upon, firstly, what the contractual arrangements between the affected parents and the company are, as parents could have agreed to have their relationships with VTech governed by the laws of a foreign jurisdiction and, secondly, the overall application of the established “real and substantial connectiontest for exporting Canadian laws. The analysis of real and substantial connecting factors require a flexible, contextual approach on a case by case basis – the subject matter of the complaint and Canada.”  From a legal perspective, Ravi Shukla points out that “PIPEDA may cover organizations based outside Canada. A variety of factors may be explored to determine if PIPEDA applies including location in which the activity complained of takes places; location to which information and profits flow; location of preparatory activities; residency and/or location involved including end users, intermediaries, content providers or host servers; location of contract; location of any potential related proceedings; jurisdiction where promotional efforts are primarily targeted“.

Meanwhile, Learning Lodge and sleepybearlullabytime.com along with their 12 other V-Tech websites have announced that these websites have been suspended and hired Mandiant, a forensics unit organization to assess and review. Ravi Shukla says; “In Canada, PIPEDA makes it clear that organizations need to protect information on a sliding scale basis. It is widely understood that information pertaining to children is to be treated as highly sensitive and protective technological and other measures need to be deployed.” Ravi Shukla and other security and privacy experts argue that it is more about arming criminals with information about identity that makes victimization a crucial matter.  They further surmise that VTech did a poor job securing childrens’ data and keeping personal data safe and secure.

As for VTech, the breach will have a significant business impact with holiday-shopping customers.   Furthermore,  a 2014 risk survey of 1,500 Canadians provided some key insight on what’s at stake for organizations. Fifty per cent of respondents indicated they would likely do business with an organization that had above-average IT security, while more than 83 per cent of respondents indicated they would likely or very likely switch to a competitor if that organization experienced a data breach where personal information was lost or compromised. According to Ponemon Institute [which conducts independent research on privacy, data protection and information security policy] earlier this year on a study that examined the cost of data breaches in Canada, found that the average per capita cost of a data breach is $250 and the average total organizational cost is $5.32-million.  The industries with a per capita data breach of substantially more than $250 were financial, services, technology and energy.

Ravi Shukla cautions senior decision makers on the need to be proactive, “Hope is not a strategy and on a weekly basis the facts show clearly that the time for taking serious protective counter-measures is upon us.  The legal requirements to do so, have been in place for some time.  The alternative is to expect the pattern of ever increasing size and sophistication of breaches to continue. While the stories of enterprising external criminals brazenly exploiting human and technological weaknesses naturally gain the most public attention, the bulk of Canadian class action lawsuits based on allegations of privacy breaches are rooted in employee malfeasance or negligence. The internal risk is still greater than the external risk.

The question widely being asked is: Are Canadian companies protecting themselves enough? While the standard to be met is not perfection, a failure to meet ever evolving best practices based industry standards will result in serious consequences, destructive outcomes, exorbitant and rising costs of data and privacy breaches will permeate into a company’s operational structure for years well after the cyberattack and subsequent data and privacy breaches with accompanying lawsuits. The legal crisis list is long and severe: Class-action Suits in the Thousands, Investigations and Regulatory actions by the Privacy Commissioner, Courts Now Awarding Significant Damages, in addition to Insurance Premium payouts.

Ravi Shukla poses the thought-provoking question to Canadian corporate leaders about their need to evaluate their own complacency and a potential mindset of a false sense of security combined with a misguided focus on “penny-wise-pound foolish” cost reductions where digital personal identities of customers and employees are vulnerable. Cyber criminals are accessing systems using cloud computing to launch bot nets on a corporation’s computers to spread viruses, install malware and deliver spam without the company being aware of it. 

It’s a legal problem as equally as a technical problem.  Class action suits with customers and class action suits against boards directors personally for failing to protect the company. How risk is being managed has become a matter of disclosure for publicly traded companies, in addition to boards and c-suite executives considered as part of the board’s oversight. Operating system vulnerabilities will continue to exist, despite best efforts. Canadian organizations must be vigilant in assessing existing security protection and invest smartly, react quickly, embrace a higher level of proactive-ness to manage business risk, cyber security threats and security losses, in addition to reputational loss from aggrieved customers. If it becomes public the retaining public trust will be ferocious.

Canadians do have reasons to be somewhat optimistic. The federal private sector privacy legislation PIPEDA was promulgated back in 2000 and has given rise to several provincial counterparts.  Those pieces of legislation place significant legal obligations on the custodians of personal information.  Activist Canadian courts have increased pressure on organizations to take the appropriate measures to secure information. Notably in 2012 , the Ontario Court of Appeal created a new common law cause of action for breach of privacy in Ontario.  The new tort of intrusion upon seclusion may also apply in Alberta, Nova Scotia, New Brunswick and Prince Edward Island.

The natural tendency is to defer to the views of knowledgeable I.T. department representatives, however, cyber security and privacy protection issues should be at the top of agendas of c-suite executives and boards.  Taking action to make sure data assets are adequately protected and getting the proper legal advice includes the steps of network and information mapping, conducting vulnerability assessments (which will extend to evaluating the risks associated with third-party vendors), developing an incident response plan, assessing insurance coverage evaluation, evaluating compliance obligations imposed by regimes such as PIPEDA or PCI-DSS and setting an overall information risk management strategy.

About Ravi Shukla

Ravi Shukla is a business lawyer specializing in Internet and Information Technology law.  He regularly advises on a range of commercial, computer, intellectual property, information security (including cybersecurity), regulatory, governance and privacy rights issues.  With 25 years of legal experience along with an engineering background, Ravi Shukla is technically-savvy, strategically sound and has  sophisticated expertise of advancing issues regarding data, security and privacy issues affecting Canadian organizations. He provides a balanced, well-informed point of view for Canadian companies and government organizations.

About Fogler Rubinoff

Fogler, Rubinoff LLP is a full-service law firm with offices located in Toronto and Ottawa, Ontario, Canada. Established in 1982, they provide high-quality legal services and advice to both established and emerging businesses as well as individuals. Fogler, Rubinoff LLP, one of the 20 largest law firms in Toronto, is one of Ontario’s top ten regional law firms by Canadian Lawyer Magazine. They are also a member of the International Lawyer’s Network. This association, with over 90 law firms located throughout more than 66 countries worldwide, allows them to offer a significant strategic advantage to their clients with a global presence. Fogler, Rubinoff LLP prides themselves on trust, experience, sound judgement and results.

SOURCE Fogler, Rubinoff

PDF available at: http://stream1.newswire.ca/media/2015/12/04/20151204_C8299_PDF_EN_558640.pdf

PDF available at: http://stream1.newswire.ca/media/2015/12/04/20151204_C8299_PDF_EN_558638.pdf

PDF available at: http://stream1.newswire.ca/media/2015/12/04/20151204_C8299_PDF_EN_558634.pdf