Cyberattacks have increased dramatically over the past year, both in the number of attacks and the degree of harm they cause, and law firms and law schools need to up their game by training lawyers to deal with cybersecurity, says tech lawyer Sunny Handa.
Handa is a national cybersecurity practice leader at Blake Cassels & Graydon and part of the team responsible for the company’s newly released 2022 Canadian Cybersecurity Trends Study.
“If you work in a law firm, it’s going to be a part of life now for the foreseeable future, in the same way that privacy law didn’t exist 30 years ago,” he told Law.com International.
Cybersecurity issues are now “woven into the fabric of legal practice”, but there are still only a handful of firms, in Canada at least, that have the capacity and expertise to deal with cybersecurity and cyber preparedness. The field is no longer the purview of insurance lawyers alone, Handa said, but is now integral to mergers and acquisitions and other corporate law matters.
Questions should be asked of all parties about their cybersecurity and whether they have had any breaches or unauthorized access to their data, he said.
“This link between cyber and M&A is definitely a must,” Handa said. “I don’t think the legal profession is there yet.”
Young, tech-savvy lawyers and law students, who should be better informed about cyber preparedness and cybercrime, are needed to handle the growing workload in this area, he said.
“But it’s going to take time,” Handa said. “You can’t snap your fingers and expect a group of competent lawyers in this area to show up overnight.”
According to Blakes’ annual Cybersecurity Report, “the number and perniciousness of cyberattacks increased dramatically” in 2021. And over the past decade, the number of cybersecurity breaches reported under Canada’s federal privacy law has increased by more than 2,000%, according to the report.
This only includes incidents affecting those who are required to report violations, such as federal government agencies, railroads, postal service, airlines and banks. It does not apply to the majority of businesses in the country.
Handa said his team at Blakes handled more than 100 cyber incidents last year. He personally worked on 57.
“It’s relentless,” he said. “There are no holidays.”
The data for the report was gathered from publicly available information provided by companies listed on the Toronto Stock Exchange, as well as internal data from Blakes and other datasets to which the company has access, Handa said. The data in the report is “fully representative” of what they see elsewhere in the world, he added.
He said the “game” was changing every month in cases like ransomware, which accounted for 55% of cybercrime incidents. About 25% of ransom payments exceeded $1 million, according to the report.
“If you went back to three years ago, when you were telling someone about multi-million dollar ransoms, they would have laughed,” Handa said.
The report also showed that 83% of businesses affected by a cybersecurity incident did not report it to the police. Although privacy regulators require certain mandatory breach reporting in federally regulated organizations such as banks and airlines, few provincial privacy commissioners have mandatory privacy and data breach reporting requirements.
Handa said “police reports are going up, but it’s still a terribly low number compared to anyone.” That’s partly because many law enforcement agencies don’t have the expertise or resources to deal with cybercrime, but also because companies don’t want the investigations or the publicity that often accompanies reporting cybercrimes to the police, especially if they paid a ransom.
But he said reporting to the police was valuable. Using the information, the police can compile data internally and also share it with other police forces so that they can also help catch “threat actors” down the road.
Blakes’ report also highlights the increase in ransomware and hacking as a service and the increased use of “doomsday” clocks.
“Threat actors who had developed impressive platforms and tools to indulge in their hacking exploits, with the aim of increasing their revenue, are moving to a licensing model,” which the report says has “undoubtedly” contributed to even more cyberattacks.
He also said using doomsday clocks as a pressure tactic is an “increasingly consistent approach” with cybercriminals. The groups are posting snippets of data they have taken on the web, threatening to release all of the victim’s data on the dark web when time runs out.