Canada: Practical Primer For Insureds And Insurers On Cyber Law

Key takeaways for the insured

Consider industry standards and best practices

• Identify company's legal obligations under federal and provincial privacy laws, securities laws, and policies and guidelines set out by industry regulators;
• Develop and test an incident response plan;
• Involve senior management, directors and officers, and legal counsel in creating the effective response plan for cybersecurity-related risks;
• Train employees and educate staff so they are aware of their legal obligations;
• Develop and enforce an information security policy; and
• Participate in cybersecurity information sharing programs.

Determine your exposure

• The most common attacks are social attacks (e.g., whaling), hacking and networking intrusions, and malware and end user attacks;
  • Social attacks are among the most common for senior business executives who have access to the company's funds; and
  • Directors and officers may be held liable in the event of a cybersecurity attack or data breach if they failed to oversee and implement reasonable cybersecurity measures for the company, or failed to comply with any disclosure requirements after a breach occurred. 

Obtain cyber insurance coverage

• Businesses should determine what risks are most relevant to their company and ensure they are adequately covered under their insurance policy. It is important to understand the full scope of the coverage, and identify any limitations or exclusions;
  • Losses resulting from cybersecurity attacks or data breaches are not typically covered under traditional insurance policies (e.g., property and casualty insurance, or commercial general liability insurance). This type of loss is only covered under specialized cybersecurity insurance products;
  • In a recent case, a third party tricked an employee by pretending to be another employee of the company, to diverge the company's funds. "File transfer fraud" was a coverage offered under their insurance policy, but it was denied on the grounds that the employee consented to the third party's transfer, and therefore, did not fall within the scope of the coverage (i.e., only applied when no consent was given). Even though the employee did not know it was fraudulent, the court held that it met within the original meaning of the word consent, and therefore, the insurance company was in its right to decline coverage. This is a warning to all companies to ensure that not only they have the appropriate coverages, but also fully understand the limits and scope of the coverage;
  • It is common for insurance companies to exclude losses resulting from a breach that arose out of an intentional act. This is a significant risk for businesses, as evidenced by the number of cases involving intentional privacy breaches by an employee; and 
• Insurance companies consider several factors when determining premiums for their cybersecurity insurance policies. A company's internal policies and procedures for managing cyber threats is one of them, and can significantly reduce a policy's premium.

Key takeaways for the insurer

Litigation trends

• In Canada, third party claims relating to cybersecurity attacks and data breaches have been on the rise. Consequently, there has been a significant rise in individual and class action lawsuits against companies who have suffered a breach. As insurance policies typically offer both first and third party coverage, insurers may see a rise in litigation costs;
• Damage awards for these third party claims are not insignificant, especially when the claims are aggregated in class actions; and
• Recent settlement in the US for a derivative action relating to cybersecurity could also affect litigation in Canada and encourage shareholders to pursue similar claims.

Educate clients

• Cybersecurity insurance products vary across carriers, and the lack of standardization can be confusing for potential insureds. Ultimately, this can deter them from buying the appropriate policy or a policy altogether;
• It is important for insurers to educate their clients on what cybersecurity insurance is, why it would be beneficial for them to have it, and to provide a detailed explanation about the coverage options available;
• Insurers should sit down with their clients and understand more about the client's business. Identifying what the company's top exposures are will ensure the client is protected properly, and they understand the value of the policy being purchased;
• Depending on the wording of the policy, insurers may deny coverage to a company that failed to implement necessary security measures or failed to take the proper steps to protect the company from a breach.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.