Do your clients have a plan that identifies and addresses cross-border cyber-risks in their businesses? If not, are they OK with being excluded from certain markets due to the cyber-risk they pose?
In today’s world, it is a question of when — not if — an organization will face a cyber-incident, says Wendy Hulton, partner at Dickinson Wright LLP and chairwoman of the Canadian interdisciplinary data privacy and cybersecurity team at the firm.
“The reality of business these days is it’s virtually all cross-border,” Hulton says. “Cybersecurity is inherently global — it’s multi-jurisdictional even if you think you’re a domestic company … so you have to take this into consideration when you’re putting your plans in place.”
Hulton says subpar cybersecurity standards or practices are an issue she sees in the mergers and acquisitions world right now, where “people are pushing back from the table because when they do their due diligence on the cybersecurity, they go, ‘This is going to be too much work for me. I’m going to go shop elsewhere.’”
“Definitely, the cross-border issue is a live one in many situations and a difficult one to navigate — and sometimes possibly a barrier,” says Katherine Kolnhofer, partner at Bell Temple LLP who, along with associate Brenda Cuneo, works in a privacy and access to information practice group with a focus on cybersecurity and data breach management.
Kolnhofer, whose group takes on the role of a risk coach or data breach coach, says most clients these days have intentions to do cross-border business, whether they’re in the process of doing it or it’s part of the eventual plan. She says finding out what systems vendors or other businesses with which clients are entering into contracts have in place to ensure privacy is becoming more and more standard.
Kolnhofer recommends clients look into insurance for their business, which can be designed to cover them in other jurisdictions. While not mandatory at the moment, it’s “definitely coming more to the forefront in terms of [being] required,” she says.
“Brokers are having more and more discussions with their various clientele about needing those kinds of policies,” Kolnhofer says, adding many also provide a consultative layer that can provide the insured with legal or IT advice both from a preventive perspective and in the event of an attack.
“The appropriateness will depend on the size of the client and insurers will work with clients in terms of what they need for their particular size or risk.”
When it comes to developing cross-border breach response plans, Hulton strongly recommends clients don’t wait for the “ultimate stress test” of an actual incident.
Hulton and her team help clients develop breach response plans, educate general counsel on best practices and provide counsel in the case of an actual breach. Though “the uptake varies across the board,” Hulton says her team is constantly preaching the proactive approach to clients and recently more are on board, which she calls heartening.
This blog was based on an article written by Mallory Hendry, associate editor for Canadian Lawyer magazine.
You can read the full article in the latest issue of Canadian Lawyer magazine.