Ajax Privacy and Cybersecurity Lawyer, Rajen Akalu, of Akalu Law P.C., provides an outline of his academic research on Assessing the impact of lawyer-led cyber security breach response in ransomware attacks

In the event of a ransomware attack, lawyers are engaged at an early stage. Lawyers provide strategic advice on how to respond to the breach and meet the organization’s compliance obligations. A key advantage of using lawyers is to gain the benefit of legal privilege. Privilege provides special protection that exempts certain documents and other forms of communication that are adverse to the organization’s case from having to be disclosed in legal proceedings. Law firms will typically hire forensic consultants, and their reports, if made in contemplation of litigation, will be similarly exempt. The breach response is typically underwritten by insurers, who rely on the established networks that law firms have with related cybersecurity companies to set their premiums for the insured victims of a cybersecurity breach.

While the involvement of legal counsel at the outset of a cybersecurity breach may immediately benefit the organization that was breached, there is little incentive to share the insights gained from responding to the breach with the wider community of security professionals. Moreover, forensic reports directed by lawyers typically provide as little detail as possible to mitigate the possibility that adverse information will have to be produced during the discovery process if the matter is litigated.

Canada has implemented mandatory breach reporting in some circumstances, and has proposed further mandatory reporting in others. Where personal information of individuals has been exposed, organizations are required to report both to the Office of the Privacy Commissioner of Canada and to affected individuals, where it is reasonable to believe that the breach of security safeguards creates a real risk of significant harm (RROSH) to an individual. The “significant risk” assessment hinges on the sensitivity of the personal information that has been exposed and the likelihood of misuse, which, in a ransomware attack, would be presumed to be high. Further, while Bill C-26, the Critical Cyber Systems Protection Act, died on the order paper when Parliament was prorogued in January 2025, it may well be re-introduced in its current form when Parliament reopens, as it had concluded passage through the House of Commons and Senate. This Act would require reporting to the Communications Security Establishment and notification to the relevant regulator for organizations that own, control or operate critical cyber systems. The Act would also require these organizations to establish and implement a cyber-security program and mitigate supply-chain and third-party risks. Again, lawyers will be involved in advising organizations based on their interpretation of these requirements. However, since regulatory commissions do not make detailed findings public, the security community loses the opportunity to learn about root causes and corrective actions that could have prevented similar incidents, or about what additional tools are needed to detect, analyze and mitigate future incidents.

This project thus focuses on the following three research questions:

  1. What are the key cybersecurity objectives following a ransomware attack?
  2. How can security professionals best learn from the experiences of ransomware attacks when the breach response is led by lawyers?
  3. How can lawyers prioritize cybersecurity objectives in breach response in a way that does not increase litigation, reputation or regulatory risk?

Project Outcomes and Benefits

  1. Increased understanding of the relationship between law firms, technical practitioners and insurers concerning cyber-security breach response.
  2. The development of guidance for law firms involved in cyber breach response.
  3. The development of processes for extracting lessons learned when incidents occur.

Rajen Akalu
647 299 5079
rajen@akalulaw.com