Cybercrime Is Skyrocketing, but the Legal Profession Isn’t Keeping Up

Cyberattacks have increased dramatically over the past year, both in the number of attacks and the degree of harm they cause, and law firms and law schools need to up their game in training lawyers to deal with cybersecurity, says technology lawyer Sunny Handa.

Handa is one of the leaders of Blake Cassels & Graydon’s national cybersecurity practice and part of the team responsible for the firm’s newly released Canadian Cybersecurity Trends Study 2022.

“If you’re working at a law firm, this is now going to be part and parcel of life going forward for the foreseeable future, much in the same way that privacy law wasn’t a thing 30 years ago,” he told International.

Cybersecurity issues are now “woven into the fabric of legal practice,” but there are still only a handful of firms, in Canada anyway, that have the capacity and expertise to deal with cybersecurity and cyber-preparedness. The area is no longer the purview of only insurance lawyers, said Handa, but is now an integral part of mergers and acquisitions and other corporate law matters.

Questions have to be asked of all parties about their cybersecurity and whether they have had any breaches or unauthorized access to their data, he said.

“That linkage between cyber and M&A is definitely a must,” said Handa, “I don’t think the legal profession is there yet.”

Younger lawyers comfortable with technology and law school students, who should be taught more about cyber-preparedness and cybercrime, are needed to take on the increasing workload in this area, he said.

“But it’s going to take time,” said Handa. “You can’t snap your fingers and expect a bunch of lawyers who are skilled in this area to show up overnight.”

According to Blakes’ annual cybersecurity report, the “number and perniciousness of cyberattacks increased dramatically” in 2021. And over the past decade, the number of cybersecurity breaches reported under Canada’s federal privacy law has increased by more than 2,000%, the report said.

That only includes incidents affecting those required to report breaches, such as federal government agencies, railways, the postal service, airlines and banks. It does not apply to the majority of businesses in the country.

Handa said his team at Blakes dealt with more than 100 cyberincidents last year. He personally worked on 57.

“It is relentless,” he said “There are no vacations.” 

The report’s data was collected from publicly available information provided by companies listed on the Toronto Stock Exchange, as well as from Blakes’ internal data and other data sets the firm has access to, said Handa. The report’s data is “quite reflective” of what they’re seeing elsewhere in the world, he added.

He said the “game” is changing monthly in cases like ransomware—which made up 55% of cybercrime incidents, Approximately 25% of ransom payments exceeded US$1 million, the report said.

“If you went back three years ago, when you talk to anyone about multimillion-dollar ransoms, they would have laughed,” Handa said.

The report also showed that 83% of companies hit with a cybersecurity incident did not report it to the police. While privacy regulators require some mandatory breach reporting in federally regulated organizations such as banks and airlines, few provincial privacy commissioners have compulsory reporting requirements of privacy and data breaches.

Handa said “police reporting is going up, but that is still a woefully low number by anyone’s standard.” This is in part because many police forces don’t have the expertise or resources to deal with cybercrime but also because companies don’t want investigations or the publicity that frequently goes along with reporting cybercrimes to the police—particularly if they’ve paid a ransom.

But he said reporting to the police is valuable. Using the information, police can compile data internally and also share it with other police forces so they may also help catch “threat actors” down the road.

The Blakes’ report also highlights the rise in ransomware and hacking as a service and the increased use of “doomsday” clocks.

“Threat actors who had developed impressive platforms and tools to engage in their hacking exploits, in an effort to increase revenues, are moving to a licensing model,” which the report said “undoubtedly” has contributed to even more cyberattacks.

It also said the use of doomsday clocks as a pressure tactic is an “increasingly consistent approach” with cybercriminals. The groups post on the web fragments of data they have taken, threatening to publish all the victim’s data on the dark web when the clock runs out.