Cybersecurity Disclosure …………… No, Not Canadian Specific Guidance

November 28, 2011


Here is the Cybersecurity disclosure guidance being provided by the Division of Corporate Finance of the Securities and Exchange Commission.

The good part is they don’t require disclosure that could act as a “roadmap” to infiltrate the registrant’s network security. And, in case you didn’t know your loss exposure, they provided a non-exhaustive list including: 1) repair and remediation costs, 2) incentives to repair relationships with customers or other business partners, 3) increased security protection and training, 4) lost revenue directly from downtime, and lost customers/prospects, 5) liability and other litigation costs, 6) reputational damage with customers and investors, and 7) financial statement hits (warranty liability, product returns, capitalization of software costs, inventory write-downs).

As for actual disclosure, the guidance points to specific forms (Form 6-K or Form 8-K to disclose the costs and other consequences of material cyber incidents – see Item 5(a) of Form F-3 and Item 11(a) of Form S-3) and they remind registrants of the materiality clauses (Securities Act Rule 408, Exchange Act Rule 12b-20, and Exchange Act Rule 14a-9) and the “substantial likelihood that a reasonable investor (note, not reasonable tech geek) would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available.”

The “materiality” issue is still developing in Canada, and (no surprise) there are conflicting decisions and hotly debated arguments. Here is a recent Ontario Securities Commission case that sheds some light on the subject (and here is an older one).

Issuers do not have to present risks “that could apply to any issuer or any offering.”

The key concern is that disclosure decisions must consider “risk”, not just loss or actual incidents or threatened attacks. However, as with all disclosure advice, “boilerplate” language will be looked on unfavourably. Registrants need to evaluate their cybersecurity risk considering prior incidents, potential for recurrence, experience of competitors and other industry participants, magnitude of potential loss, and adequacy of loss control activities.

A further disclosure requirement is discussion regarding the effectiveness of policies, procedures and controls surrounding cyber incidents and the disclosure process itself.

Cyber Risk is a very new and developing field. Therefore, available guidance is not very specific. This risk will have to be treated like every other business risk. There are good insurance companies and good insurance products available to accept risk transfer of some, but not all, potential cyber losses. But, like every other specialty line of insurance, there is no standard or regulated policy wording or premium calculation. And, to make things more challenging, cybersecurity insurance policies can be of a rare breed of hybrid “first party” and “third party” coverage, with potential for “claims-made” and “occurrence” responses.

Greg Shields is a D&O, Professional Liability, CyberRisk, Employment Practices Liability, Fiduciary Liability, Crime insurance specialist and a Partner at the University and Dundas (Toronto) branch of Mitchell Sandham Insurance Services. He can be reached at gshields@mitchellsandham.com, 416-862-5626, or Skype at risk.first.

CAUTION: This article does not constitute a legal opinion or insurance advice and must not be construed as such. It is important to always consult a registered and truly independent insurance broker and a lawyer who is a member of the Bar or Law Society of the relevant jurisdiction with regard to this material before making any insurance or legal decisions. All material is copyrighted by Mitchell Sandham Inc. and may not be reproduced in any form for commercial purposes without the express written consent of Mitchell Sandham Inc. Anyone seeking to link this document from any external website must receive the consent of Mitchell Sandham Inc. by sending an e-mail to gshields@mitchellsandham.com.


Value of Communities and other Social Media, and Media / Advertising Risk

October 3, 2010


The value of Canadian electronic communities and other social media may be going up soon. The proposed legislation in Bill C-28 – the Fighting Internet and Wireless Spam Act (FISA) – will make some significant changes to the law. It will require consent for any email or text messages. Senders of electronic messages will be required to identify themselves, provide contact information and include an unsubscribe feature. Consent will be required for any software or program installation and the consent feature must first disclose any undesirable functions, including the collection of personal information. The FISA will prohibit alteration of data or the diverting of messages to an unintended destination.

The risks to electronic advertisers and media companies will also increase, because the Office of the Privacy Commissioner (OPC), the CRTC and the Competition Bureau will have new powers to share information and evidence with foreign counterparts to pursue violators outside of Canada, and therefore pursue Canadians violating our laws in other countries. Penalties for violation of the FISA can be up to $1 million for individuals and up to $10 million for businesses. The Competition Act will be extended to false or misleading marketing in electronic messages. Certain exceptions within the Personal Information Protection and Electronic Documents Act (PIPEDA) will be restricted. And a private right of action will be extended to consumers and businesses to allow lawsuits for violation of FISA. The suggested damage awards are fierce, including $200 per violation to a maximum of $1 million per day, plus actual loss, damages and expenses. And, if the Consumer Protection Act can be brought into play, the recent Appeals Court decision in Riendeau v. Brault & Martineau (a great description of the risk was presented in the article No Crime, Lots of Punishment, here, available in Mondaq, by Donald Bisson and Shaun Emery Finn of McCarthy Tetrault, here) could mean substantial punitive damages, even without compensatory damages, and Class Action exposures. (The insurance aside to this is that many Professional Liability and D&O policies can only be triggered based on ‘compensatory’ damages, and if this portion of potential loss is not triggered then there might be no defence costs available from the policy.) There is a great article by Arnold Ceballos, here, in Lawyers Weekly, here, that provides a much better description of Bill C-28.

The intent of most evolving legislation on electronic communication is to deter spyware, malware, phishing and the other vehicles used for theft of private information, identity or direct money. FISA might not accomplish that on its own, but it looks like it is going to make waves. The promotion on this bill suggests it is focused on ‘criminal spammers’ and that taking the ‘pro-spam’ side could be political suicide. However, I am sure the law of unintended consequences (are they really unintended by everyone?) will apply and the bill could significantly alter the way legitimate businesses operate, and it could very likely increase the current cost and risks of doing business.

When we think of Social Networks, we think of Facebook and Twitter, but there is a universe of ‘electronic communities’. Message boards, interactive blog sites and membership-based information providers are all communities based on ‘opt-in’ or ‘consent’ based interaction, even if some privacy aspects were not fully understood or communicated. If FISA is farther reaching than criminal spamming and has the effect of stopping other legitimate unsolicited contact, opt-in communities might be the only way to legally reach a large audience. However, the use of a community for distribution has risks. If you want to avoid the direct advertising costs to reach the members of a community, you will have to go through the slow and painstaking task of building your own membership within each community by producing content that is attractive to users. Some companies might urge employees to help with this new method of distribution by building their individual social networks to help promote the company. The result is a lack of control and oversight of what is legitimately considered media and advertising activity.

It was not that many years ago that it was impossible for the average person or small company to reach a very large audience with any message. Now, one blog comment, tweet or video can ‘go viral’ and be viewed by millions of people within minutes. A few weeks ago I was sitting in my office, looking south down University, and could see a mass of black smoke billowing from a high-rise. I could not tell which building or the location, so I searched a number of different mainstream media sites, and could not find any information. It took them at least ten minutes to report on the story, but I had already gone to Twitter and viewed multiple pictures from different angles, and knew the exact building and location of the fire, all within 60 seconds of seeing the smoke. One tweet about bed bugs in a movie theatre is seen by millions of people and immediately broadcast on mainstream media.

Many companies seeking to get that ‘viral’ hit for free corporate publicity will have almost no media experience and have few or no controls regarding copyright (music, art, video, image or print), libel, slander or defamation, and no planned response to a publication crisis. Many will say “there is no bad publicity” or “I will worry about that after I am able to reach 6 million people.” The problem is that electronic media cannot be controlled, it can’t be erased or deleted, and even an effort to mitigate a loss by ‘printing a retraction’ will not have the same effect because there is no chance the retraction will reach the same audience.

We have incredible opportunity to share information and promote ourselves and our businesses, but it does not come without risk. Legislative changes, like the proposed Bill C-28, PIPEDA and many others, might reduce annoying, invasive or even harmful electronic communication; might reduce the current level of disruption of online commerce; might increase consumer confidence and the electronic marketplace; but it won’t do any of this without risk.

Greg Shields, Partner, Mitchell Sandham Insurance Brokers, 416 862-5626, gshields@mitchellsandham.com

CAUTION: The information contained in the Mitchell Sandham website or blog does not constitute a legal opinion or insurance advice and must not be construed as such. It is important to always consult a registered insurance broker and a lawyer who is a member of the Bar or Law Society of the relevant jurisdiction with regard to this material before making any insurance or legal decision. All material is copyrighted by Mitchell Sandham Inc. and may not be reproduced in any form for commercial purposes without the express written consent of Mitchell Sandham Inc. Anyone seeking to link this site from any external website must seek the consent of Mitchell Sandham Inc. by sending an e-mail to gshields@mitchellsandham.com.