By Lucy Saddleton, Managing Editor, ADB Insights
Legal leaders are grappling with heightened digital risk as emerging technologies increase fears of cyber crime, intellectual property theft, ransomware, phishing attacks and reputational threats.
Attendees at the fifth annual Legal Innovation Forum in Vancouver learnt from our expert panelists how to best prepare for emerging risks – and how to take advantage of the digital environment to seize opportunities for innovation and growth.
Businesses must take a holistic approach when developing a strategy for digital risk management, as it goes far beyond a simple incident response plan, and involves participation from every department – not just legal.
Ram advises keeping a business mindset while creating a digital risk strategy, and considering how it works for your specific business, and how you can engage stakeholders to ensure risk is being managed at all levels. Continuous improvement of the plan is also important, Ram noted.
TELUS Communications boasts a robust, mandatory training program for all employees which ensures that each employee knows what happens in the event of a cybersecurity breach, and that digital literacy spans the entire organization.
The telecoms giant also offers compliance programs relating to different regulatory frameworks including data breaches and privacy as well as everything from anti-spam legislation, to telecommunication rules and broadcasting rules.
“There is a privacy related framework in so many different legislations,” said Leena Khawaja, senior regulatory legal counsel at TELUS. “Our compliance programs have to capture all of them because we have to report these federally or provincially, so training and compliance is very big at TELUS. That’s how we succeed in mitigating a lot of risks.”
The company also has very robust security infrastructures and a strong focus on transparency and self-regulation. With respect to technology, for example, TELUS was the first telecom company in Canada to sign the Government of Canada’s voluntary code of conduct for generative AI, and it was the first company in the world to get an ISO certification for its AI customer support tool.
“This self regulation builds trust, not just with our customers, but also within the organization that we stand behind our products,” said Khawaja.
LIABILITY INSURANCE
Candace Pietras, professional liability leader at Purves Redmond Ltd spoke about the importance of purchasing liability insurance. Firms should research their insurance options before purchasing cyber insurance, as failure to be adequately insured is often due to budget or simply not knowing what options are available, Pietras said.
“You’ve got AI coverage now until there’s a major claim, and then every insurer is going to panic and add an exclusion, much like they added the pandemic exclusion to CGL {Commercial General Liability} policies a few years ago,” said Pietras.
When negotiating with suppliers, law firms should ask to see their insurance certificate to understand what type of insurance they have, Pietras advised. This in turn will prompt a discussion about what’s available.
AI insurance is likely to become increasingly common, she added.
“Two years from now, at this conference, maybe half of you will have this insurance, because at the end of the day, it’s going to take a big event to trigger the exclusions, but it’s coming, because everyone’s using AI and I don’t know if the E&O {Errors & Omissions} policies were designed to respond to these types of risks,” said Pietras.
When seeking cyber insurance, be prepared for insurance companies to ask about multi-factor authentication, Pietras noted. While some plans may be easily available online, it is always preferable to seek more robust coverage.
SECURITY MEASURES
Our speakers discussed different types of security measures being used by firms and organizations to address cyber risk – and new AI risks.
Simply buying the most expensive antivirus software available is not a good approach, according to Travis Kelly, director, corporate legal at GeoComply, a Vancouver-based fraud prevention and cybersecurity solutions provider.
“There is no sort of technology out there that’s all encompassing; there is no one-stop magic bullet that’s going to protect your firm,” said Kelly. Instead, he recommends adding layers of protection across the enterprise, and conducting a risk assessment with the help of service providers and insurance providers.
When bringing in a new AI tool, it is important to consider the risk perspective and to negotiate contractual indemnities and confidentiality protections in the agreement, Kelly noted. Training is also critical.
“Unfortunately, your employees are probably your weakest link,” said Kelly. “You can have the best AI policy, and you can have the best data retention governance policies in place, but if you’re not training, and if your employees don’t know what these policies say, then really they’re not worth the paper that they’re written on.”
Seminars can be a useful training tool, to avoid fatigue from online training platforms, for example. Kelly also recommends doing a cost benefit analysis to determine the risk tolerance of the firm or organization, which will help to determine how much should be spent on external insurance.
Khawaja noted that it is critical to invest in the right people to build security systems and do cross-functional testing, which may include software engineers, data scientists and ethicists.
“At TELUS, we’ve invested a lot in the people as well as in the technology, and we do a lot of cross functional training and testing,” said Khawaja. TELUS also has a very rigorous process for launching new products or services that disclose data, which includes a thorough risk assessment.
“We’re never entirely risk proof, but at least we’ve done our due diligence, we have documented it, it is a repeatable process, and we can stand behind it,” said Khawaja.
Ram added: “Gone are the days that you do an incident test once a year. It’s continuous, and it’s with different stakeholders within the business.”
Ram also noted that the incident response plan needs to be available in the form of a physical document in case computer systems have crashed. It also needs to be easy to understand, and a crisis coach can be also a valuable tool, she added.
THE ETHICAL & REGULATORY LANDSCAPE
While technology is rapidly evolving in Canada, legislation surrounding its use continues to lag behind. With Bill C-27 – the Digital Charter Implementation Act – still not passed, organizations have challenges and opportunities to self regulate.
“We already have a chance to be proactive in our knowledge of where the regulatory framework is headed,” said Khawaja. For example, the government’s focus in the pending bill will be on transparency, on protecting minors, and on consumer rights with respect to their private information, among other points. Khawaja also advised attendees to examine the EU AI acts to see what is happening internationally.
“Have your regulatory experts review all these pieces of legislation, which should help you be ready, actually, for what is going to come eventually down the pipeline,” said Khawaja. She also recommended having your AI models certified, and consulting with regulators.
Although the onset of AI will inevitably lead to some job losses, panelists agreed that the benefits far outweigh the difficulties, noting that there will also be a lot of job creation.
“I think there was some fear a year or two ago, but now AI is here and the world hasn’t exploded. Let’s fully jump in and embrace it and make sure everyone’s using it responsibly,” said Kelly.
The panel was moderated by Ryan Berger, privacy & employment partner at Lawson Lundell.
Stay tuned for details about the Legal Innovation Forum’s six-part Generative AI Masterclass series, coming in 2025.
