Cyber-Attacks, Personal Data and Your Business | Therrien Couture

Cyber-Attacks, Personal Data and Your Business

Intellectual propertyChristopher Jackson

Last Friday’s cyber-attack was a wake-up call for many businesses, individuals, and government institutions. The initial attack of the “WannaCry” ransomware paralyzed computers in Germany’s national railway and Britain’s hospital network before spreading to computers across the world. It was reported that in China that 15% of the internet protocol addresses were attacked and there were collectively over 200,000 victims across the world.

The ransomware exploited a vulnerability in Microsoft Windows Servicer Message Block (SMB) protocol that allowed it to spread to any connected PC that had not been updated to protect against the attack. Once infected, the ransomware encrypted the data on the PC and prevented users from accessing it unless they paid a ransom. 

Ransomware is not new, and it seems that the method that was used to exploit the vulnerability in Microsoft Windows had actually been developed previously by the NSA.2 Microsoft had even released a security patch last March to protect against the vulnerability the ransomware exploited, however, anyone who did not update their system, or had an unsupported system (ex. Windows XP), remained vulnerable.

While the attack was inadvertently stopped over the weekend by a 22-year-old cyber-security researcher3, the aftereffects of the attack are still being felt by those unfortunate enough to have been affected. Friday’s attack shows the importance of being prepared for a cyber-attack, as it is not only frustrating to be a victim, it can also have important legal implications.

Most of those affected by the WannaCry virus were businesses and public institutions – organizations that quite often hold vast amount of personal private data. In Canada, businesses that hold private data have certain legal requirements with which they must comply. This involves taking certain precautions and adopting certain security measures in order to deter unauthorized access to the data it holds. If an organization does not comply and suffers from unauthorized access to its data, it can face severe legal consequences. Furthermore, these obligations do not only apply to the prevention of unauthorized access to data, but also the way a company handles, transfers and stores the personal information it stores. For example, if data is entrusted to a third-party (ex. stored in the cloud), businesses have additional obligations to ensure that their hosting providers offer similar protections to the personal data.

While it seems that Canadians were largely spared from the effects of the WannaCry attack, it is a perfect opportunity for businesses to reflect on their data handling and cyber-security practices. It is no longer a question of if a cyber-attack will happen and businesses need to be prepared and ensure they already have proper practices in place that comply with their legal obligations. This will help mitigate potential damages resulting from a cyber-attack and help the recovery process. 

If you have any questions about your obligations in regards to the personal data your business holds, please do not hesitate to contact us. 



Please rate this article
Rating successfully submitted
An error occured
Results1 - 10of1000

Your team in Intellectual property