Brent J. Arnold and Christopher Oates are lawyers at Gowling WLG, whose practices focus heavily on technology- and privacy-related matters.

As businesses and public institutions increasingly become the targets of ransomware – malware that blocks access to computer systems or the information they contain until the user performs actions demanded by hackers – legal risks surrounding such headline-making attacks have come to the fore in Canadian corporate consciousness.

A January report by the Online Trust Alliance reveals that ransomware attacks aimed at companies are not only growing more prevalent, but they are also becoming more sophisticated. Today's hackers can custom-tailor their demands according to the size and market value of their corporate mark. Making matters worse, last month Apple's iOS operating system was infected with ransomware for the first time.

Ransomware typically gains access to a computer system when a user clicks on unfamiliar links or strange attachments (although a growing number of programs are infecting computers via the download of ostensibly legitimate applications). In its most benign form, an infection could force employees to complete a survey; at its most malignant, it has strong-armed companies into paying actual ransoms (typically in the nationless and virtually untraceable currency of bitcoin).

Businesses that fail to comply face the destruction of client and proprietary data, and intellectual property – not to mention sustaining significant reputational damage and exposure to third-party lawsuits from clients and consumers (and there is never any guarantee that meeting hackers' demands will result in computers or data being unlocked).

Despite this growing threat, legal recourse for ransomware victims is slim. The activity is, of course, illegal and should be immediately reported to police (the RCMP also suggests reporting to the Canadian Anti-Fraud Centre). But despite the fact that such attacks have been reported for more than a decade, there are no documented cases of ransomware perpetrators ever having been prosecuted in Canada.

Given the often remote nature of the crime (the few attacks that have been successfully traced typically come from foreign countries), criminal and civil remedies may be unlikely to succeed. In the rare event that a cybercriminal is identified, civil proceedings against foreign nationals are most likely to result in default judgments that are difficult if not impossible to collect on.

While cybercriminals frequently avoid prosecution, their corporate victims may find themselves in the legal spotlight. Recent amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) will soon require companies subject to PIPEDA to alert the federal privacy commissioner, affected individuals and relevant organizations or government institutions following a breach of security safeguards that "creates a real risk of significant harm to the individual." This can include risk of economic loss by the person whose personal information is subject to the breach, as well as potential reputational harms.

While reporting obligations provide an important consumer protection and will be a legal necessity in certain cases (companies that fail to report where required by PIPEDA may be subject to fines of up to $100,000), they are nonetheless problematic for businesses – particularly those for whom data security is a critical component of their brand identity. Recent hacks have shaken consumer and shareholder confidence and resulted in both significant disruption for targeted businesses and resignations by top executives.

All indicators suggest ransomware will only become more vicious and prevalent in the foreseeable future. With added reporting pressure looming on the horizon, companies that fall prey may soon find themselves facing complex legal and reputational risks.
