Brent J. Arnold and Christopher Oates are lawyers at Gowling WLG, whose practices focus heavily on technology- and privacy-related matters.
As businesses and public institutions increasingly become the targets of ransomware – malware that blocks access to computer systems or the information they contain until the user performs actions demanded by hackers – legal risks surrounding such headline-making attacks have come to the fore in Canadian corporate consciousness.
A January report by the Online Trust Alliance reveals that ransomware attacks aimed at companies are not only growing more prevalent, but they are also becoming more sophisticated. Today's hackers can custom tailor their demands according to the size and market value of their corporate mark. Making matters worse, last month Apple's iOS operating system was infected with ransomware for the first time.
Ransomware typically gains access to a computer system when a user clicks on unfamiliar links or strange attachments (although a growing number of programs are infecting computers via the download of ostensibly legitimate applications). In its most benign form, an infection could force employees to complete a survey; at its most malignant, it has strong-armed companies into paying actual ransoms (typically in the nationless and virtually untraceable currency of bitcoin).
Businesses that fail to comply face the destruction of client and proprietary data, and intellectual property – not to mention sustaining significant reputational damage and exposure to third-party lawsuits from clients and consumers (and there is never any guarantee that meeting hackers' demands will result in computers or data being unlocked).
Despite this growing threat, legal recourses for ransomware victims are slim. The activity is, of course, illegal and should be immediately reported to police (the RCMP also suggests reporting to the Canadian Anti-Fraud Centre). But despite the fact that such attacks have been reported for more than a decade, there are no documented cases of ransomware perpetrators ever having been prosecuted in Canada.
Given the often remote nature of the crime (the few attacks that have been successfully traced typically come from foreign countries), criminal and civil remedies may be unlikely to succeed. In the rare event that a cybercriminal is identified, civil proceedings against foreign nationals are most likely to result in default judgments that are difficult if not impossible to collect on.
While cybercriminals frequently avoid prosecution, their corporate victims may find themselves in the legal spotlight. Recent amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) will soon require companies subject to PIPEDA to alert the federal privacy commissioner, affected individuals and relevant organizations or government institutions following a breach of security safeguards that "creates a real risk of significant harm to the individual." This can include risk of economic loss by the person whose personal information is subject to the breach, as well as potential reputational harms.
While reporting obligations provide an important consumer protection and will be a legal necessity in certain cases (companies that fail to report where required by PIPEDA may be subject to fines of up to $100,000), they are nonetheless problematic for businesses – particularly those for whom data security is a critical component of their brand identity. Recent hacks have shaken consumer and shareholder confidence and resulted in both significant disruption for targeted businesses and resignations by top executives.
All indicators suggest ransomware will only become more vicious and prevalent in the foreseeable future. With added reporting pressure looming on the horizon, companies that fall prey may soon find themselves facing complex legal and reputational risks.