Cyber security and cyber attacks may seem like issues that only affect governments and large businesses. After all, there is always a news story about a notable company dealing with a ransomware attack. However, according to a study by Cybersecurity Magazine, 43% of all cyber attacks involve a small- or medium-sized business. Phishing is the main form of attack on small businesses. Surveys suggest that there is a huge gap between the cyber security threats that companies face and the proactive steps that companies take to prevent such cyber attacks.

Cyber security is an employment law issue. Employees tend to be the weakest cyber link. Employers will likely want to ensure that their employees are not losing or stealing important company data. Though these issues may seem new, they are heavily tied to existing employment law issues. Though a multi-disciplinary approach is the best way to improve a company's cyber security, looking at a company's employees is a great place to start. Employees can be the effective first line of defence against cyber attacks.

Cyber security law in Canada is hard to follow

No one piece of legislation sets out the cyber security rules for every employer. It can be complicated to find a particular sector's cyber security requirements without a lawyer who is knowledgeable about the legislation in that field. Indeed, the government tends to only write cyber security legislation that is very targeted. For example, recently, the federal government tabled Bill C-26 which, if passed, requires key enterprises in the banking and telecommunications industries to improve their cyber security and report digital attacks.

The Personal Information Protection and Electronic Documents Act (PIPEDA) indirectly sets cyber security requirements that employers must follow. PIPEDA applies to all federally regulated organizations and to organizations in provinces that do not have substantially similar legislation. Currently, only Alberta, British Columbia, and Quebec have substantially similar legislation. Under PIPEDA, employers must put in place security safeguards to protect personal information, which includes employees' personal information. PIPEDA requires businesses to report breaches of personal information to the Office of the Privacy Commissioner of Canada (OPC). Failure to report such a breach to the OPC can result in a fine of up to $100,000.

If an employer is in the medical field or collects medical information, they may have further obligations to protect data. In almost every jurisdiction in Canada, there is specific legislation that governs the protection of personal health information.

Legislation also provides very little recourse after a business is hit with a cyber attack. Though the Criminal Code prohibits most cyber attacks, it is unlikely to provide any recourse, as most cyber criminals live outside of Canada and are thus beyond the courts' reach.

Employee mismanagement of personal information can lead to costly class-action lawsuits

Though there is little Canadian case law on class-action lawsuits where an employee causes a digital breach of personal information, there are many cases where an employee mismanages personal information. Simple employee errors have led to class-action lawsuits:

  • In Condon v Canada (2015 FCA 159) the Federal Court of Appeal permitted a class action lawsuit to proceed in a case where an employee of Human Resources and Skills Development Canada lost an unencrypted external hard drive that contained the personal information of approximately 583,000 people who participated in the Canada Student Loans program.
  • In John Doe v Canada (2015 FC 916) the Federal Court approved a proposed class action where approximately 40,000 participants in the Marihuana Medical Access Program were identified by the federal government when they were sent letters in oversized envelopes with the return address being the Marihuana Medical Access Program.

There have also been class-action lawsuits following the intentional disclosure of personal information by employees:

  • In Hopkins v Kay (2014 ONSC 321) the Ontario Superior Court dismissed a motion to strike the statement of claim (a motion that, if granted, would have ended the action). In this case, 280 personal health records were alleged to have been accessed by Peterborough Regional Health Centre employees without patient consent.
  • In Evans v The Bank of Nova Scotia (2014 ONSC 2135) the Ontario Superior Court certified a class-action lawsuit where an employee allegedly shared confidential customer information with his girlfriend who then disseminated the private information to third parties for fraudulent and improper purposes.

What employers can do to protect cyber security in the workplace

Employers can take several steps to improve cyber security in the workplace. To ensure maximum protection, employers will want to connect with multiple experts, from employment lawyers to cyber security experts. The best course of action is often determined after completing a cyber security threat assessment. There are resources online on how to properly do a cyber threat assessment. However, there are steps employers may want to take to prevent successful cyber attacks regardless of the results of such an assessment.

Employers should implement a cyber security policy that applies to all employees regardless of their technical proficiency. A typical cyber security policy will start by describing the general cyber security expectations, roles, and responsibilities in the organization. The cyber security policy could then set specific practices on things such as:

  • Rules for using email encryption
  • Steps for accessing work applications remotely
  • Guidelines for creating and safeguarding passwords
  • Rules on handling sensitive data
  • Rules on the use of social media
  • Penalties for violating the policy

A cyber security policy can go even further, especially in larger organizations. A policy can set out a planned cyber incident response. However, some larger organizations may choose to have a separate cyber incident response plan. These plans tell employees what to do in the case of a cyber attack when systems have gone down. To ensure that the policy and incident response plan are working, they should be tested and updated frequently.

Employees should get comprehensive cyber security training. This training can help all employees identify cyber criminals' common tactics. For example, the training could help employees identify the signs of a phishing email. Unfortunately, Suzanne Desrosiers Professional Corporation does not provide cyber security training. However, when employers are looking for cyber security training for their employees, they should find a course that does not rely solely on dry technical terms. Employees tend to retain cyber security information better when it engages them and speaks to how poor cyber security and cyber culture can affect them personally. A properly trained employee could prevent a costly phishing or ransomware attack.

How Suzanne Desrosiers Professional Corporation can help

Suzanne Desrosiers Professional Corporation can help write cyber security policies that are tailored to your business. We can also help update cyber security policies so that they meet modern standards and follow applicable legislation. To make such changes to your cyber security policy, you can reach us by calling 705-268-6492 or by emailing info@sdlawtimmins.com.