CyberVoices

Canadian cybersecurity news and thought leadership


It’s time to give firms an off-ramp from cyber civil lawsuit dysfunction

Co-authored by David Shipley, CEO, Beauceron Security and Robert Gordon, Strategic Advisor, Canadian Cyber Threat Exchange.

It only takes a few days after a cybersecurity breach headline hits the airwaves in Canada for the requisite class action lawsuit to be filed. You can almost hear the cash register cha-ching in the background as a news announcer gives the details of the latest cyber incident.

The settlements usually involve huge bills for firms: millions, tens of millions or, in some cases, hundreds of millions of dollars. Payouts to the actual people affected by a breach? Well, it turns out, not so huge. Paltry, in fact.

Take the LifeLabs medical data breach. For those not familiar, the medical lab services firm was hit by an extortion gang in 2019 and notified privacy officials about the incident. With nearly half of Canada’s population living in provinces that contracted with LifeLabs, it remains to date the largest single breach of personal medical information in Canadian history. A $9.8 million class action settlement was approved in 2023, with an estimated payout to affected individuals of around $150 each. However, by the time all claims had been received and processed in 2024, that amount had dropped to $7.86, which isn’t enough to buy a fast-food meal these days.

That is arguably not fair compensation for losing highly sensitive data that could reveal health conditions, including highly stigmatized ones such as HIV/AIDS or STIs, or other deeply personal medical information.

The only ones making any real money off privacy breaches are the criminals conducting extortion and the law firms collecting fees from successful class action lawsuits. Despite the proliferation of both breaches and the post-breach lawsuits that follow them, more and more Canadian organizations are being caught up in ever more damaging breaches, ranging from data loss events to ransomware attacks that cripple hospitals for months.

Canadian courts have consistently been making it more difficult to file such civil lawsuits in order to limit the deluge; however, a quick Google search shows more than a dozen currently working their way through the legal system.

While the threat of civil lawsuits has done little to nothing to improve the overall security investment of Canadian private and public sector organizations, it has had one specific negative impact on organizations that is causing continued harm to society. Because of the threat of civil liability, many firms’ internal or external legal counsel, insurers or other risk professionals advise against voluntary cooperation with law enforcement, both during an active incident and afterwards.

This leaves a huge gap in our collective security, as vital information on criminal or nation-state cyber activity, tactics, tools and procedures is buried behind a legal and risk wall that is far more impenetrable than any cyber defence could ever hope to be.

There is a better way forward. 

The Canadian government must create a national civil liability shield for organizations that proactively and voluntarily engage with law enforcement and federal cyber agencies in the active response to, investigation of and remediation of cyber incidents. Under such a regime, organizations would be positively incented to cooperate as a means of reducing their civil liability costs. This proposal would not reduce any regulatory penalties for cyber negligence in the absence of a due diligence defence, nor would it apply to federal or provincial government agencies, which should be compelled through appropriate legislation to cooperate with law enforcement and to provide full public transparency as part of the sacred obligation between the governed and the government.

This shield could also be extended to cover voluntary information sharing between organizations, which would speed the sharing of vital threat information across industries and encourage the sharing of lessons learned and best practices, along with contextual information about attacks.

There is also precedent for this kind of liability shield. The US Cyber Incident Reporting for Critical Infrastructure Act of 2022 includes important legal privilege and liability protections for organizations reporting cyber events to the Cybersecurity and Infrastructure Security Agency (CISA), a part of the Department of Homeland Security. These new incident reporting laws in the US have led to significant new disclosures of previously hidden attacks and breaches.

Providing a voluntary civil liability shield to all Canadian private sector firms, one that goes beyond protecting only what they have reported, would complement the mandatory cyber reporting for critical infrastructure firms proposed in current Canadian federal legislation. Together with greater public sector transparency and information sharing, this improved insight into cyber attacks on the Canadian private sector will lead to faster improvements in collective security and aid the government’s active cyber responses to hostile nation states and international organized cybercrime.