Cyber-Attacks, Personal Data and Your Business

By Christopher Jackson, Partner
Last Friday’s cyber-attack was a wake-up call for many businesses, individuals, and government institutions.

The initial attack of the “WannaCry” ransomware paralyzed computers in Germany’s national railway and Britain’s hospital network before spreading to computers across the world. It was reported that in China 15% of the internet protocol addresses were attacked, and that there were collectively over 200,000 victims across the world.

The ransomware exploited a vulnerability in the Microsoft Windows Server Message Block (SMB) protocol that allowed it to spread to any connected PC that had not been updated to protect against the attack. Once a PC was infected, the ransomware encrypted the data on it and prevented users from accessing that data unless they paid a ransom.

Ransomware is not new, and it seems that the method used to exploit the vulnerability in Microsoft Windows had actually been developed previously by the NSA. Microsoft had even released a security patch last March to protect against the vulnerability the ransomware exploited; however, anyone who did not update their system, or who had an unsupported system (e.g. Windows XP), remained vulnerable.

While the attack was inadvertently stopped over the weekend by a 22-year-old cyber-security researcher, the aftereffects of the attack are still being felt by those unfortunate enough to have been affected. Friday’s attack shows the importance of being prepared for a cyber-attack: it is not only frustrating to be a victim, it can also have important legal implications.

Most of those affected by the WannaCry virus were businesses and public institutions – organizations that quite often hold vast amounts of personal private data. In Canada, businesses that hold private data have certain legal requirements with which they must comply. This involves taking certain precautions and adopting certain security measures in order to deter unauthorized access to the data they hold. If an organization does not comply and suffers from unauthorized access to its data, it can face severe legal consequences. Furthermore, these obligations apply not only to the prevention of unauthorized access to data, but also to the way a company handles, transfers and stores the personal information it holds. For example, if data is entrusted to a third party (e.g. stored in the cloud), businesses have additional obligations to ensure that their hosting providers offer similar protections to the personal data.

While it seems that Canadians were largely spared from the effects of the WannaCry attack, it is a perfect opportunity for businesses to reflect on their data handling and cyber-security practices. It is no longer a question of if a cyber-attack will happen, and businesses need to be prepared and ensure they already have proper practices in place that comply with their legal obligations. This will help mitigate potential damages resulting from a cyber-attack and help the recovery process.