Marc Lemieux (© all rights reserved)
February 25, 2015
This paper focuses on the following questions :
- In what ways does cyber crime impact the banking and payment industries?
- What governance provides direction to the banking and payment industries in respect of cyber crime?
- To what liabilities are participants in the banking and payment industries exposed as a result of cyber crime?
- IN WHAT WAYS DOES CYBER CRIME IMPACT THE BANKING AND PAYMENT INDUSTRIES?
Cyber crime is a global social phenomenon. It is a potential threat to any system connected to the internet.
Hackers attack all computer systems where they can steal valuable information, misappropriate funds, or disrupt the normal operations of society. Every day, cyber criminals strike governments, critical elements of our social infrastructure, and corporations generally, including participants in the banking and payment industries.
Over time, cyber attacks are more and more frequent and increasingly sophisticated. Cyber security measures that are effective at one point in time may be defeated by subsequent generations of cyber weapons. Cyber security management is a very dynamic task.
In the banking and payment industries, hackers target more particularly :
- the computers of banks;
- the computers of clients of banks; and
- the computers of payment networks, payment service providers and merchants.
Attacks on the computers of banks
All Canadian banks report generally that they are the object of cyber attacks. The Royal Bank of Canada described its own situation as follows in its annual report for 2013: «Given our reliance on digital and Internet technologies to conduct and expand our global operations, we are increasingly exposed to risks related to cyber security. Such incidents may include unauthorized access to our systems for purposes of misappropriating assets, gaining access to sensitive information, corrupting data, or causing operational disruption. Although our computer systems continue to be subject to cyber attacks, to date we have not experienced a material breach of cyber security.[…]».
This description reflects the banking industry’s experience generally with cyber crime. In May 2014, the New York State Department of Financial Services released the results of an industry survey of 154 depository institutions conducted on cyber security. It found that «[most] institutions irrespective of size experienced intrusions or attempted intrusions into their IT systems over the past three years». While «numerous attempted system intrusions» were reported for the prior 12 months, «very few institutions experienced successful breaches resulting in significant monetary damages».
From time to time, the media reports cyber attacks on banks. For instance, a wave of denial-of-service attacks was reported to have hit many U.S. banks for a period of over 9 months in 2012 – 2013. More recently, the TD Bank was reported to have paid penalties in the aggregate amount of US1,475 million following a breach in 2012 that exposed the personal information of 260,000 customers. As well, in November 2014, fines in the aggregate amount of £56 million were levied against a group of banks by the United Kingdom’s Financial Conduct Authority and the Prudential Regulatory Authority, for failing to have adequate systems and controls at the time of a cyber incident in 2012.
The cyber attacks that are publicly disclosed likely represent only a small fraction of all attempted breaches. Reporting an incident in 2014 and the theft by hackers of data including checking and account information, a spokesperson for JPMorgan Chase said : «Companies of our size unfortunately experience cyber attacks nearly every day».
Attacks on the computers of clients of banks
More and more, clients communicate with their banks through the internet, with computers, mobile phones and tablets. These have become targets of choice for cybercriminals, who infiltrate the clients’ systems through malware, spyware or phishing emails with a view to sending fraudulent payment instructions against the clients’ accounts and misappropriating the clients’ funds.
A number of court cases have come up in recent years, and I will canvass some of them later in this paper. These cases are only the tip of the iceberg. A study estimated in 2013 that 2,11 out of each 1000 commercial bank accounts were the object of a take-over by cybercriminals, with 9% resulting in funds leaving the institution.
Attacks on the computers of payment networks, payment service providers and merchants
Payment networks, payment service providers and merchants that transmit or store payment card information in their computer systems or point-of-sale terminals are tempting targets for cybercriminals, who steal the information, clone the cards and complete unauthorized transactions online or at points-of-sale in countries that have not yet migrated to the chip-and-pin technology.
There have been numerous and well-reported cyber attacks against payment service providers and merchants in the past few years, such as the attack on Global Payments in 2012 and the more recent attack on Target stores in 2014, as a result of which the credit cards of consumers were cloned and the consumers’ credit card accounts were charged with unauthorized transactions totaling upwards of $200 million.
I will consider the litigation arising from the Target incident and another case involving a cyber attack on Aldo Shoes in more detail in discussing liability issues later in the third and last part of this presentation.
- WHAT GOVERNANCE PROVIDES DIRECTION TO THE BANKING AND PAYMENT INDUSTRIES IN RESPECT OF CYBER CRIME?
The Task Force for the Payments System Review («Task Force») proposed a meaning for the term «governance» which I adopt in this paper, namely, «the complex process by which the relevant laws, institutions, policies, customs and relationships collectively shape the direction of an industry».
What laws, institutions, policies, customs and relationships give direction to the banking and payment industries in connection with cyber crime?
In this section I discuss the following elements of governance:
- Public Safety Canada Initiatives;
- Joint Operational Resilience Management («JORM»);
- Office of the Superintendant of Financial Institutions («OSFI») Guidance;
- Deposit Institutions Guidelines («Guidelines») of the Autorité des marchés financiers («AMF»);
- Capital markets disclosure requirements; and
- Data protection and data breach disclosure requirements under privacy laws.
Public Safety Canada Initiatives
Public Safety Canada («PSC») has extensive responsibilities which encompass cyber security and critical infrastructure.
PSC took three noteworthy initiatives in respect of cyber security which are of general application and have an impact on the banking and payment industries.
First, in 2010, PSC adopted Canada’s Cyber Security Strategy and related Action Plan 2010 – 2015 (collectively, the «Cyber Security Strategy»). The main objectives of the Cyber Security Strategy are (i) to secure government systems, (ii) work with others to secure systems outside of the government, and (iii) help Canadians to be safer online. PSC coordinates the implementation of the Cyber Security Strategy, in which the Communications Security Establishment («CSE») plays a critical role.
Second, PSC developed the Cyber Security Cooperation Program, which provides grants in support of projects that increase the resilience of Canada’s vital cyber systems through strengthened partnerships with the private sector.
Third, PSC created the Canadian Cyber Incident Response Centre («CCIRC») to work with partners inside and outside Canada to mitigate cyber threats to vital systems outside the federal government, including «systems that keep Canada’s critical infrastructure functioning properly, such as the electrical grid and financial networks, or certain valuable commercial information that underpins our economic prosperity». CCIRC support the owners and operators of systems of national importance, including critical infrastructure, by (i) making available to them technical products that offer guidance, (ii) providing technical assistance to them, and (iii) provide access to events where they can share information with others in communities of interest. CCIRC is also responsible for coordinating the national response to any serious cyber security incident.
The federal and provincial governments adopted a collective National Strategy for Critical Infrastructure in 2009 (the «Critical Infrastructure Strategy»), and the Canadian government subsequently adopted an initial Action Plan for Critical Infrastructure which was renewed in 2014 for a three year period. Under the terms of the Critical Infrastructure Strategy, «[critical] infrastructure refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government». The Critical Infrastructure Strategy develops a risk management approach for the strengthening of Canada’s vital assets and systems, «such as our food supply, electricity grids, transportation, communications and public safety systems». It covers ten critical sectors, including the sector of «finance».
Information exchange forums were created by PSC in the implementation of its Action Plan: the National Cross-Sector Forum («NCSF») and the Multi Sector Network. NCSF is working to advance more coherent and complementary actions among federal, provincial and territorial initiatives and among critical infrastructure sectors, including the sector of finance. As operator of Canada’s two national systems for the clearing and settlement of payments, the Canadian Payment Association («CPA») actively participates in NCFS.
JORM was established by the Bank of Canada in the exercise of its powers to supervise systemically important financial market infrastructures pursuant to the Payment, Clearing and Settlement Act. JORM is chaired by the Bank of Canada and includes the operators of those infrastructures and a number of financial institutions. As operator of the Large Value Transfer System, the CPA actively participates in JORM. JORM participants contribute to coordinate actions in financial sector-wide cyber events and collaborate on steps to improve resiliency.
In 2014, participants in JORM conducted a series of exercises that used fictional scenarios to test the capabilities of both the private and public sectors in crisis situations. One of the scenarios was a simulated cyber attack on a financial market infrastructure, resulting in delays and disruptions to the back-office operations of financial institutions. Larger scale simulations will be carried out in the future. Exercises such as these help improve the resilience of our financial systems and institutions to cyber threats.
Office of the Superintendant of Financial Institutions («OSFI»)
In October 2013, OSFI released its Cyber Security Self-Assessment Guidance (the «OSFI Guidance»). OSFI indicated that it did not plan to establish any specific parameters for the control and management of cyber risk. The OSFI Guidance was originally only intended to assist federally-regulated financial institutions («FRFIs») in self-assessment activities that a number of them had already engaged in. OSFI, however, has an enhanced focus on cyber risks and cyber security and «may request institutions to complete the template or otherwise emphasize cyber security practices during future supervisory assessments».
In practical terms, FRFIs should be prepared to justify material discrepancies between the elements of their practices and those mentioned in the OSFI Guidance.
The OSFI Guidance consists of a template setting out over 80 criteria grouped in six categories: organization and resources, cyber risk and control assessment, situational awareness, threat and vulnerability risk management, cyber security incident management and cyber security governance. OSFI suggests that FRFIs rate their current degree of maturity on a 1 to 4 scale («not implemented», «partially implemented», «largely implemented» and «fully implemented») and provide supporting justification. I discuss the elements forming part of these categories below and highlight some elements of greater interest for the purposes of this paper.
Organization and Resources
This section of the OSFI Guidance focuses on the policies, staff, processes and practices deployed by the FRFI to assess and mitigate cyber risks and attacks. For instance, have specific roles and responsibilities been assigned within the FRFI for the management of cyber security? Does the FRFI have a group of cyber security specialists and other skilled cyber management staff?
Cyber Risk and Control Assessment
Here, the OSFI Guidance considers the processes by which the FRFI assesses its cyber risks and controls. Among others, is the FRFI’s risk assessment process comprehensive? What mitigation steps have been taken in respect of cyber risk arising from material outsourcing arrangements and crucial IT service providers? Does the FRFI conduct vulnerability scans, penetration testing and simulated cyber attacks?
This section of the OSFI Guidance covers the FRFI’s knowledge management in respect of its cyber risks. Does the FRFI have a complete map and knowledge base of its computer systems? Does the FRFI maintain, aggregate and correlate cyber event information? What analyses of cyber event information does the FRFI carry out in order to be able to identify potential attacks? Does the FRFI track cyber security incidents through participation in industry programs (such as CCIRC)?
Threat and Vulnerability Risk Management
This is a lengthier section of the OSFI Guidance which deals with data loss detection and prevention, cyber incident detection and mitigation, software security, network infrastructure, security configuration and management, network access control and management, third party management, and customers and clients.
It probes, among others, the tools that FRFIs have to detect data loss, to detect and prevent intrusions (such as firewalls, anti-virus, anti-spyware and anti-spam applications, and denial-of-service detection and protection). It considers the ability to deploy security patches and to secure network operations (including mobile and wireless). It examines whether the FRFI enforces security configuration standards and restricts the use of unauthorized software and hardware.
The network access control and management elements include whether the FRFI has the ability to detect and block unauthorized network access, and whether the FRFI applies strong authentication mechanisms to manage user identities and access.
Third party management elements examine, among others, whether the FRFIs consider cyber risk as part of their due diligence for material outsourcing arrangements and critical IT service providers.
The customers and clients elements are the following: «Cyber security awareness and information is provided to customers and clients» and «The FRFI has taken additional actions to protect its customers and clients». These elements are of interest for our purposes. Many of us have experienced our debit or credit card being frozen by the bank for security reasons. Banks can implement software that assesses the risk of specific transactions in an account. When the risk assessment crosses a specific threshold transactions can be blocked or verified directly with the client. The monitoring of transactions through risk assessment software is one type of action that can be taken to protect the FRFI’s clients. There are undoubtedly others. What matters here is that OSFI expects actions to be taken by FRFIs to protect their customers against cyber risks. I consider later in this paper whether this governance has an impact on the contracts between FRFIs and their customers.
Cyber Security Incident Management
In this section the OSFI Guidance questions whether the FRFI has an appropriate command and control structure to support rapid response to cyber security incidents.
One element of interest in this respect is the following: «The FRFI has an external communication plan to address cyber security incidents that includes communication protocols and draft pre-scripted communications for key external stakeholders (i.e. customers, media, critical service providers, etc.)». In OSFI supervisory assessments, the FRFIs are expected to discuss their external communication plans but no clear or uniform standards are set for notices to be given to regulators, cyber incident information gathering organizations, customers affected by a cyber incident or customers generally.
The communication of information relating to attempted or successful cyber intrusions is an important one from a public policy point of view. An impression of security is essential for the adhesion by users to electronic forms of banking and payment. The sharing of information relating to attempted or successful breaches is a fundamental element of the continuing battle against cyber crime. For the moment, however, from the point of view of the OSFI Guidance, there are no mandatory thresholds of communication in this regard. I will consider the perspective of privacy governance later in this paper.
Cyber Security Governance
The OSFI Guidance section on cyber security governance is concerned with the existence of n enterprise-wide cyber security policy, risk and control assessments, key risk and performance indicators One noteworthy element for our purposes is the following: «The FRFI has considered cyber risk insurance coverage that provides financial mitigation of cyber risk incidents and impacts».
The section also challenges the sufficiency of the FRFI’s internal audit coverage and action plan, senior management board and oversight. The FRFI are expected to have established a senior management committee dedicated to cyber risk assessment and management, and to have made available sufficient funding and resources. The section verifies whether «[processes] are in place to escalate breaches of limits and thresholds to senior management for significant or critical cyber security incidents».
As well, the OSFI Guidance expects the board or one of its committees to be engaged on a regular basis to review cyber risk assessment and risk management processes, and further expects the FRFI to conduct an external benchmarking review of its cyber security framework.
Scope of OSFI Guidance limited to FRFIs
The OSFI Guidance is a welcome addition to cyber risk governance in the banking and payment industries. However, an important limitation in its scope immediately comes to mind. Participants in the banking or payment industry that are not FRFIs (such as Desjardins, Pay Pal and Moneris, for example) do not fall under OSFI’s jurisdiction. I review below the governance established by the Autorité des marches financiers in respect of Desjardins and other financial institutions regulated by the Quebec government. Other participants in the banking and payment industries are not regulated and are not subject to any framework other than the ones they create for themselves. Such an uneven treatment of cyber risk management among bank and non-bank payment service providers surely is not optimal from the point of view of the governance of the industry.
In December 2014, following the release of the Report on Cyber Security in the Banking Sector, the Federal Financial Institutions Examination Council («FFIEC») prepared general observations about the range of risks and risk management practices among financial institutions and provided guidance in this regard. In addition, the Superintendant of Financial Services issued an industry guidance letter (the «NY-DFS Guidance») to all financial institutions regulated by the New York State Department of Financial Services, integrating a targeted cyber security assessment directly into the regulatory examination process. This letter identifies topics that will be embodied in pre-examination «first-day letters» that are similar to some of the elements outlined in the OSFI Guidance. In addition to first-day letters, the NY-DFS Guidance indicates that the financial institutions will be expected to provide responses to a dozen questions which target on elements of risk assessment and risk management and touch on other points raised in the OSFI Guidance.
Deposit Institutions Guidelines («Guidelines») of the Autorité des marches financiers («AMF»)
The AMF exercises supervisory responsibilities over Desjardins, among other provincially-regulated financial institutions in Quebec («QRFIs»).
The AMF has adopted guidelines to set standards governing the activities of QRFIs, more particularly with regard to capital adequacy and sound and prudent management practices, much in the same general manner as OSFI has with respect to FRFIs. One important distinction, however, is that the AMF has not yet adopted any specific guidance in connection with cyber risks and cyber security management.
Some guidelines of the AMF do encompass cyber risks and cyber risk management explicitly or implicitly. For instance, the AMF’s Business Continuity Management Guideline sets out its expectations with respect to the procedures established to identify major operational incidents likely to pose a threat to the QRFIs, «such as natural disasters, power outages, telecommunications failures, computer malfunctions, piracy, terrorism, pandemics and the like». The AMF also has an Integrated Risk Management Guideline which sets out an expectation that QRFIs establish an adapted framework to adequately manage all of their risks. While cyber risks are not named in this guideline it most certainly falls within its general scope.
The AMF’s Sound Commercial Practices Guideline is interesting for our purposes. It communicates the AMF’s expectations regarding the fair treatment of consumers. A portion of this Guideline is dedicated to the protection of personal information and sets out an expectation that (i) «consumers are notified, on a timely basis, of any breach in confidentiality liable to jeopardize their interests or rights», (ii) «[the] institution inform AMF of any violation of the protection of personal information liable to jeopardize the interests or rights of consumers and the institution’s reputation» and (iii) «responsible individuals within the institution are informed of any breach in confidentiality on a timely basis».
As can be seen, the AMF has adopted a policy of mandatory reporting of cyber attacks to the affected «consumers» and the AMF. In this specific respect the Sound Commercial Practices Guideline takes a step in the supervision of Desjardins and the other QRFIs that OSFI has not taken in the supervision of banks and other FRFIs. The scope of the Sound Commercial Practices Guideline can, however, be questioned. The Guideline appears to be based on the policy of protecting an individual’s personal information. It only applies to individuals. From the perspective of cyber security management, however, one wonders why corporate customers of Desjardins would not also be entitled to notice in case of a cyber attack on their accounts that is «liable to jeopardize their interests or rights».
In all other respects, the AMF’s Guidelines fall short of the targeted approach OSFI has taken with respect to cyber risks and cyber security management for FRFIs. No doubt Canada’s constitutional framework explains the discrepancy between the cyber governance that applies to Desjardins and FRFIs, but from the perspective of public policy the uneven treatment of comparable financial institutions is not desirable. Perhaps this is more a challenge for Desjardins, which potential counterparties evaluate not only on the basis of the solidity of its balance sheet, but the strength of its regulatory framework as well. Although not governed by OSFI, Desjardins might have an interest in voluntarily adhering to the more targeted and rigorous cyber governance established by OSFI for banks and other FRFIs.
Capital Markets Governance
In September 2013, Canadian Securities Commissions («CSC») adopted a Cyber Security Staff Notice in respect of cyber security management. Issuers are invited to consider «how they can best address the risks of cyber crime» and to take at a minimum the following steps: « educating staff on the importance of, and their role in, ensuring the security of their firm and client information and computer security; following guidance and best practices from industry associations and recognized information security organizations; and as appropriate, conducting regular third party vulnerability and security tests and assessments».
In addition, «[issuers], registrants and regulated entities that have already taken steps to address the issue should review their cyber security risk control measures on a regular basis».
The governance specifically refers to regulated financial institutions: «Regulated entities, especially those that are key market infrastructure entities, should consider the measures necessary to manage the risks of cyber crime».
In the case of FRFIs and QRFIs that are public issuers, compliance with the more targeted and rigorous OSFI Guidance and with the AMF’S Guidelines in many respects supersedes and achieves compliance with the Cyber Security Staff Notice.
In addition to the foregoing, disclosure requirements in respect of public issuers do not identify cyber risks in particular but most certainly include them. The U.S. Securities and Exchange made this clear and stated its expectations in a Disclosure Guidance in 2011. All Canadian banks include in their reports to investors a general discussion such as the one quoted earlier in this paper. The reports all vary in detail, scope and, quite frankly, usefulness.
As a matter of capital markets policy, investors in banks and other public issuers are entitled to some information as to the cyber risks the banks face and the means and controls the banks have put into place to manage their cyber security. One wonders why, as a matter of cyber governance in the banking and payment industries, clients of banks, payment networks and payment service providers would not be entitled to a similar disclosure.
Data Protection and Data Breach Disclosure under Privacy Laws
In this portion of the paper I revisit the report of an inquiry of the federal and Albertan privacy commissioners in 2007 following a cyber attack against a national retailer, TJX Companies Inc. («TJX»), and briefly discuss actual or proposed governance subjecting breaches to mandatory disclosure to the customers and the privacy commissioners.
The Inquiry into the TJX Breach
The federal and Albertan privacy commissioners conducted a joint investigation upon being notified in January 2007 by TJX that companies in the TJX group had suffered a cyber intrusion. Hackers accessed certain customer information stored by TJX, including information related to payment card and merchandise return. The purpose of the investigation was to examine the collection, retention and safeguarding practices of the organization and to determine whether the breach could have been prevented.
The inquiry considered more particularly whether TJX had made reasonable arrangements to protect the personal information in its possession. The criterion established by the applicable legislation was whether personal information was protected by security standards appropriate to the sensitivity of the information. In assessing this sensitivity, the inquiry concluded that given the nature of the personal information that was accessed by the cyber criminals, «the harm caused could be quite serious»:
«The perpetrator(s) had access to millions of credit card numbers for an extended period of time – long enough to commit credit card fraud or to pass information on to others to do the same. While individuals who do notice unusual charges on their credit cards may not be responsible for the charges, the credit card companies or the merchants are. This could amount to significant losses to these organizations, not to mention the cost of replacing compromised credit cards.
Moreover, the breach exposes individuals to an increased level of anxiety. If their credit cards have been misused, they must deal with credit-reporting agencies to ensure that their credit rating is not affected. In some cases, this includes placing a true fraud alert on their fields and requiring that they be vigilant concerning future financial statements.»
TJX had an encryption protocol at the time of the breach («WEP»), which the inquiry found that did not provide adequate protection as it could be defeated relatively easily. TJX was in the process of converting WEP to a more secure protocol («WAP»).
The inquiry referred to the Payment Card Industry Data Security Standard («PCI DSS») as the relevant standard of practice. In September 2006, PCI DSS was modified to require WAP. By late 2006, within two months of the coming into force of the new standards, the inquiry commented, TJX should have adhered to the more secure standard. However, while TJX began the conversion in October 2005 (prior to the coming into force of the new PCI DSS industry standard), by January 2007 only a pilot project had been completed and the final conversion was expected to be completed in September 2007. To the commissioners, this timeline was unreasonable. For this reason and other failures noted by the inquiry in the conversion process, it found that TJX had failed to meet the applicable statutory safeguard provisions.
TJX had argued that it had adapted to the change in the PCI DSS standards earlier than most other retailers. The inquiry turned a deaf ear to this argument: «[w]hether or not other retailers made the move to enhance their data by using better encryption methods, the fact of the matter is that TJX was the organization subject to the breach». This appears to be a very harsh and sweeping stance. Conversion from one security protocol to the other comes with considerable operational and financial burdens. If TJX, a large national retailer which was ahead of other retailers in the conversion process, failed to meet the standard, then all the other retailers did as well. In other words, the inquiry implicitly blamed nearly all of the retail industry for having inadequate protection standards in respect of payment card information legitimately gathered in the course of doing business.
One wonders if this is the right approach. The privacy commissioners did not hear any evidence from merchants generally with respect to the processes involved in converting from one security protocol to another. They identified the PCI DSS as an industry standard but required the conversion to begin before the introduction of the new PCI DSS standard, without questioning the timeliness of the modification to a more secure standard. They did not enquire as to the involvement of merchants or the preparation by PCI DSS of the retail industry for the adoption of new standards by PCI DSS.
The privacy commissioners and OSFI have different and complementary perspectives on cyber risks and cyber security management. The OSFI Guidance does not require from banks the very high level of care determined by the privacy commissioners to apply to merchants and it accordingly appears possible for a financial institution to pass the OSFI supervisory exercise with flying colors while failing to meet the standards set by privacy commissioners. This discrepancy in regulatory expectations is not optimal and one would hope for a more uniform and collaborative approach between the regulators involved in cyber security management.
Should cyber breaches mandatorily be disclosed?
Today only the Albertan privacy legislation subjects data breaches to mandatory disclosure. Other than the Sound Commercial Practices Guideline of the AMF that I presented earlier, there is no duty either pursuant to privacy or financial institution governance to disclose breaches in the other provincial or federal statutes.
Two bills were introduced, one in Parliament and the other in the Senate, to modify the federal privacy regime to introduce an obligation to disclose data breaches to the federal privacy commissioner.
Bill C-475, introduced by a member of Parliament in the opposition in February 2013, called for modifications to be made to the federal Personal Information Protection and Electronic Documents Act («PIPEDA») to provide for a mandatory notice to the federal privacy commissioner of any loss, disclosure of or access to personal information where a reasonable person would conclude that a risk of harm exists by reason of such loss, disclosure or access, much as the Alberta legislation currently does. The proposed amendments went further and would have empowered the privacy commissioner to inform any affected person of such loss, disclosure or access, to order the organization to review its protection practices. In case of default, the amendments provided for damages and penalties.
Bill C-475 was rejected on second reading in January 2014.
Bill S-4, introduced in the Senate in April 2014, similarly proposes, among others, modifications to PIPEDA calls for a mandatory notice to the federal commissioner «if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.» In addition, Bill S-4 calls for the notice to be given to the individual concerned in case of «a real risk of significant harm to the individual». That Bill was adopted by Senate but it remains uncertain whether it will ever become law.
By way of contrast, in the U.S, almost all states have (sometimes conflicting) data breach laws calling for such disclosure.
To be noted, the proposed mandatory disclosure laws reviewed above only apply to breaches of personal information. Breaches of corporate information are not covered by privacy laws. From the perspective of cyber risk management, one wonders whether any distinction between breaches of personal information and breaches of corporate or other organizational information is warranted. Disclosure of cyber attacks to affected account holders would appear to be in order in all cases.
- TO WHAT LIABILITIES ARE PARTICIPANTS IN THE BANKING AND PAYMENT INDUSTRIES EXPOSED AS A RESULT OF CYBER CRIME?
The review of the existing governance in the preceding section suggests that contracts between banks and their customers and contracts between payment networks, payment service providers and merchants are not subject to any requirements in respect of cyber crime. Banks may therefore allocate to their clients, and payment networks and payment service providers may therefore allocate to merchants, any liability resulting from a cyber incident through industry contracts.
In this section, I review these contracts to describe the results that could be expected in cases of cyber attacks on the computers of banks, the computers of clients of banks, and the computers of payment service providers and merchants. I also consider the effectiveness of insurance in mitigating cyber risks.
Attacks on the computers of banks
I have examined the standard bank account agreement prepared by the major Canadian banks and will refer here to the agreements in force at the CIBC (not to single out that bank for any reason but simply because I have found it to be fairly easy to find the agreements on the bank’s website).
The CIBC’s standard bank agreement does not refer to the risk of cyber attacks against the bank and the correlative risk that the customer’s customer may be compromised or stolen (not even in the general manner that investors are warned of cyber risks facing banks). There is no express any obligation on the part of the bank to protect the customer’s information.
The CIBC Privacy Principles state: «CIBC respects the following principles when collecting, sharing or using your personal information: […] CIBC is responsible for personal information under its control […] CIBC protects the privacy of personal information through security measures appropriate to the sensitivity of the information […].»
These declarations addressed to all customers convey an intention to assume obligations in the nature of those that banks have with respect to individual customers under the terms of personal information protection legislation. There is here a foundation for the argument that an obligation to protect such information implicitly forms part of the agreement between the bank and its customers (whether individual, corporate or institutional).
Whether or not such an obligation to protect the customer’s information exists, if a hacker breached the bank’s systems and misappropriated funds in the client’s account, there is no doubt that the bank would be liable to indemnify the customer, subject to two provisions typically found in the banker-customer contract, namely the customer’s agreement to verify the account statement and give prompt notice of any irregularity, and the customer’s agreement to establish measures and controls to prevent employee fraud. This is because, subject to these provisions, the banker-customer contract does not allow the bank to repay the customer’s deposits to third parties in the absence of a valid authorization by the customer.
The customer’s loss would include at a minimum the misappropriated funds; the question whether other damages (such as indirect, moral or punitive damages) could be awarded is more controversial.
Attacks on the computers of clients of banks
In this portion of the paper, I discuss a typical electronic access agreement between a bank and its customers and I also compare the Canadian and American legal frameworks for such agreements.
Electronic Access Agreements
The CIBC Electronic Access Agreement sets out clear language on the measures that the customer is required to take in connection with cyber risk management:
«You agree to keep your Passwords and Personal Verification Questions absolutely confidential; they are for your use alone. You will not disclose to others (including a close family member, a friend or any bank or public official) what your Passwords or Personal Verification Questions are. You must carefully select your Passwords and Personal Verification Questions so that they cannot be easily guessed or reverse engineered by anyone else».
It specifies types of Passwords and Personal Verification Questions that cannot be used: name, birth date, year of birth, telephone number or address of the client or a close relative; the account number or credit card number of the client, any number on any ID card in the client’s wallet or «a password [the client uses] for any other service».
The client is expected to memorize his or her passwords and Personal Verification Questions. If the client decides that «it truly needs» to keep a written record, such record will not be kept «in close proximity to» the client’s bank card, it «must be disguised within the written record […] so that no [one] else can easily guess that it is a record of your Password or Personal Verification Questions». In addition, the Password and Personal Verification Questions must not be stored on or near the electronic device used by the client to access his or her account.
We all have numerous passwords for a variety of applications. Many of these passwords are required to be changed from time to time. How many of us memorize all these passwords? Password manager applications are available to assist in the process of keeping track. However, the restriction in the Electronic Access Agreement appears to prevent the use of such applications, which are stored on the electronic device.
When entering the Password and Personal Verification Questions into an electronic device, the client must take all reasonable precautions to prevent others from seeing the information.
If the client suspects that someone else knows any Password or Personal Verification Question, the client must give notice to the bank as soon as possible and no later than 24 hours after acquiring such suspicion. The bank will not be liable for any improper withdrawal from or charges against an account or any other loss if this notice is not given in a timely manner.
The CIBC Electronic Access Agreement shifts responsibility to the client for any losses that result from the use of the Password or Personal Verification Questions by the client or by any third party. Without limiting the generality of the foregoing, the client is responsible if the client claims that his or he account was accessed without authorization by a third party but does not cooperate fully in an investigation by the bank or the authorities, or if the actions of the client’s actions or inaction contributed to such unauthorized use. The client’s «contribution» by action or omission to the unauthorized use of the electronic device could be used in particular to defeat claims by clients that are victims of a phishing attack.
The CIBC Electronic Access Agreement imposes on the client the following cyber risk management duties:
«The electronic device you use may be vulnerable to viruses or online attacks that seek or intercept or alter information including sensitive information that you provide through the Internet. To reduce the chances of harm, you should take all reasonable precautions, including ensuring that any Electronic Device you use to access Online Banking or Wealth Management Online has an up-to-date anti-virus program, anti-spyware program and a firewall, if such security measures are available for your Electronic Device. To prevent unauthorized access to your Accounts, you must sign off of Online Banking or Wealth Management Online, close your browser, or sign-off of the mobile applications used by you for Mobile Banking, as soon as you finish using them».
One interesting stipulation of the agreement respecting online banking sets out an acknowledgment by the client that the bank may decline to act on an Instruction if it suspects that the Instructions are not from the client or have not been authorized by the client. The bank is not liable if it declines to act on an Instruction in these circumstances. How would a bank suspect that any Instruction is not from the client or has not been authorized by the client? As the Patco Construction v. Ocean Bank case reviewed below illustrates, banks have the ability to implement risk assessment protocols in their authentication processes. Where the risk score of a particular transaction exceeds pre-determined levels, protective measures such as challenge questions or customer confirmations may be deployed. Where the risk assessment controls leads to a suspicion that an Instruction may not be duly authorized by the customer the CIBC Electronic Access Agreement quoted above would also allow the bank to decline the Instruction.
The CIBC Electronic Access Agreement clearly points out that failure by the client to use up-to-date anti-virus software, anti-spyware software and a firewall on the electronic device used to access online banking, failure to sign off of online banking after use, and failure to comply with any of the other obligations assigned to the client by the agreement discharges CIBC from any liability in connection with unauthorized use. To emphasize this aspect of the CIBC Electronic Access Agreement, the CIBC Online Security Guarantee adds that: «In the unlikely event that someone gains unauthorized access to your accounts through CIBC online services, we will reimburse you 100% of the money lost from your accounts provided you have met your responsibilities to us».
Canadian and American frameworks compared
The Patco case illustrates the difference between the Canadian and American approaches to the allocation of liability where the customer’s computer is the victim of a cyber attack and unauthorized instruction are given online by the hacker or accomplices against the customer’s account. The American difference arises by reason of Article 4A of the Uniform Commercial Code («UCC»), which establishes that, notwithstanding the terms of the agreement between a bank and its customer, a bank that received a payment under ordinarily bears the risk of loss of unauthorized electronic instructions. A bank may only shift the liability for such a loss if it meets the requirements of Article 4A-202(b) UCC, namely where (i) the agreement between the bank and the customer provides for a security procedure, (ii) this procedure is commercially reasonable, and (ii) the bank relies on the instructions in good faith and in compliance with the procedure.
Patco Construction had an account with Peoples United Bank and used electronic banking to make regular payroll payments. The electronic access agreement between the parties provided – as the CIBC Electronic Access Agreement reviewed above does – that Patco Construction was liable for all instructions given electronically to Peoples United Bank through the use of the password and verification questions, whether they emanated from the client or any third party.
Hackers installed spyware into the computers of Patco Construction and identified the account numbers, the passwords and the answers to verification questions. With this information the hackers sent fraudulent wire transfer instructions to Peoples United Bank in favor of accomplices over the course of a few days.
Peoples United Bank authentication protocols which included (i) device authentication (i.e. the bank’s system placed a device cookie onto its customers’ computers to identify the computers used to access online banking); (ii) risk profiling (i.e. the bank’s system provided a risk score for every transaction based on various data, including the device cookie ID and transaction activity); and (iii) challenge questions (i.e. the bank’s systems would ask challenge questions to which the customer had previously provided answers where the risk score would exceed a certain threshold).
The wire transfers initiated by the hackers all caused the risk score of these transactions to be very high. The device cookie identified a computer which had never been used before by Patco Construction. The dates, amount and beneficiaries of the wire transfers were markedly different from the wire transfer instructions historically provided by Patco Construction.
The systems of Peoples United Bank had been programmed to prompt challenge questions for every transaction (notwithstanding the transaction’s risk score). Correct answers had been given to these questions.
One of the wires initiated by the hackers was returned because certain account numbers for the intended beneficiaries were invalid. Peoples United Bank called Patco Construction who immediately informed the bank that it had not authorized the transaction.
At the end of the string of fraudulent instructions, an amount of $588,000 had been debited from Patco Construction’s account, from which $243,000 was returned or recovered.
Patco Construction sued Peoples United Bank to recover its loss in the amount of $345,000. The district court allowed the bank’s motion for summary judgment, on the basis that the parties had an agreed security procedure, that this security procedure was commercially reasonable and that the bank had accepted the payment in good faith and in compliance with the procedure. On appeal to the U.S. Court of Appeals for the first circuit, the security procedure was found not to be commercially reasonable, such that pursuant to Article 4A-202(b), Peoples United Bank could not consider the wire transfer instructions to have been authorized. The Court came to this conclusion on the basis that (i) Peoples United Bank increased the exposure of Patco Construction to cyber risks by requiring challenge questions for every transaction (as this gave the hackers more opportunities to spy on the answers); (ii) Peoples United Bank did not monitor the risk scores and did not provide notice to or request any confirmation by Patco Construction where the risk scores exceeded the pre-determined risk scores; and (iii) Peoples United Bank had not, like many other banks, included the use of tokens in its authentication procedures.
In Canada, no legal framework similar to Article 4A-202 UCC overrides electronic access agreements, and a case like Patco would be determined on the basis of the agreements alone, which typically shifts liability for unauthorized instructions to the customer in all cases.
It is to be noted that banks in Canada use the standard of commercially reasonable authentication procedures to allocate liability among themselves in connection with electronic instructions given by payors to authorize payees to present pre-authorized debit (“PAD”) instructions against their bank accounts. Under rule HI of the CPA, banks that sponsor payees that issue PADs shall review the payees procedures for verifying a payor’s identity when entering into an electronic PAD agreement, to ensure that the payee is using a “commercially reasonable method” that the sponsoring bank consents to. The sponsoring bank agrees to indemnify the CPA and the bank holding the payor’s account for damages resulting from a “Payee’s failure to correctly verify a Payor’s identity using a Commercially Reasonable method when entering into an Electronic Agreement.
If the commercially reasonable authentication standard is a valid tool for the authentication of authorizations to debit the accounts of third parties, one might expect that it would also be appropriate to allocate as a tool to authenticate authorizations to debit the customer’s account.
Attacks on the computers of payment service providers and merchants
In payment industry contracts, the PCI DSS standards play an important role in the allocation of liability resulting from a cyber incident. To illustrate, I compare the processes by which liability is allocated in the recent cyber attacks on Target and Aldo Group.
Cyber criminals somehow infiltrated Target POS terminals with spyware that collected and transmitted the payment card data of Target customers to hackers and accomplices, who then used the information to clone cards and carry out unauthorized transactions which were fraudulently charged against the unsuspecting customers’ credit card or bank account. At the time of the attack, Target had rolled out state-of-the-art cyber defenses in its systems and had recently been certified to be PCI DSS compliant.
The banks that issued the cards to the customers were bound under their contracts with the cardholders to indemnify them for the unauthorized charges. The payment networks that processed the transactions did not debit Target’s settlement account nor otherwise make the issuing banks whole. The issuing banks accordingly sued Target (and the consultant that certified Target to be PCI DSS compliant) on the basis of negligence and certain data breach or consumer protection private rights of action. The banks’ action recently survived a motion for summary dismissal.
Aldo Group’s computers were similarly struck by cyber criminals using spyware. The payment card information of Aldo Group customers was used by hackers or accomplices to clone cards and carry out unauthorized transactions that were charged to the unsuspecting customers’ credit card or bank accounts.
After the incident the affected payment card network inspected the computers of Aldo Group and concluded that it was not PCI DSS compliant at the time of the attack. As in the Target case, the banks that issued the cards to the customers were bound by contract to indemnify the cardholders for the unauthorized charges. Unlike the Target case, however, the network debited Aldo Group’s settlement account to make the issuing banks whole and to cover certain fees and penalties provided for in the contracts between the network, the payment service providers and Aldo Group. Aldo Group protests that it was PCI DSS compliant and is currently suing the payment service provider and the payment network to recover the debited amounts.
The contract between the payment service provider and the merchant in the Aldo Group case provided as follows:
«You are responsible for complying with the Data Security Standards and all applicable laws related to Cardholder and Transaction Information. It is your responsibility to ensure that you obtain and are in compliance with the most recent version of the PCI DSS […]. You are responsible for any fines, fees, assessments, costs, including Card re-issuing costs and charges levied by the Card Associations, the Bank and/or us as a result of your non-compliance with the Data Standards and all other Card Association Rules and Regulations applicable to you.»
A similar provision likely is found in the agreements between all payment service providers and merchants (including between Target and its payment service provider), and in the agreements between payment card networks and payment service providers as well.
The topic of PCI DSS deserves a paper of its own and I will not attempt to cover it here.
The PCI DSS are drafted by payment card networks, and on invitation of the networks, with the participation of other industry participants. No legal framework or other governance in Canada oversees the process by which these standards are prepared and rolled out for implementation from time to time. Given the importance of cyber risks in the retail industry and the heavy operational and financial burden for compliance by merchants, some form of oversight might be in order.
There is a common premise in each of the Target and Aldo Group cases, namely, that cardholders charged with unauthorized transactions carried out by cyber criminals with cloned cards following the theft of card information in a cyber attack will be indemnified by the issuer. This premise is supported by the agreements between issuers and cardholders, which typically provide as follows:
«The Primary Cardholder is not liable if a Card is lost or stolen and unauthorized Transactions are made without a PIN or if the Credit Card Account is otherwise accessed without a PIN and without any authorization by any Cardholder».
The role insurance can play in the mitigation of cyber risks
As we have seen, the OSFI Guidance invites FRFIs to consider the role insurance can play to mitigate their cyber risks.
All the other participants in the banking and payment industries that are potential victims of cyber crime also have an interest in considering insuring their cyber risks. For the moment it would appear, however, that organizations generally remain complacent about their cyber risks, in that 3 out of 4 respondents in a recent survey believed that their security measures were effective at repelling cyber attacks.
In considering cyber risks, participants should be aware that general purpose liability policies may not be the appropriate tool for them. These policies were designed at a time when cyber risks did not exist, and while this does not mean that they do not cover cyber risks, any indemnity that they provide may not provide compensation suited to the losses.
In addition, the ongoing case of Aldo Group Inc. v. Chubb Insurance Company of Canadacasts some uncertainty on the ability of general purpose liability policies to provide any indemnification at all. In that case, a trial court refused to order the insurer to cover the losses suffered by Aldo Group following the cyber attack described earlier, on the basis of two exclusions typically found in these types of policies.
The first exclusion was as follows:
«The Company shall not be liable […] for any Loss […] based upon, arising from or in consequence of any actual or alleged liability assumed under or as a result of any oral or written contract or agreement with the Insured organization. Provided, however, that this exclusion shall not apply to Loss for which the Insured organization would be liable in the absence of such a contract or agreement.»
While Aldo Group’s liability to the payment service provider arose under a contract, it was argued that in the absence of such a contract the card issuers that have indemnified their cardholders would have had an extra-contractual recourse or other statutory right of action against Aldo Group, such that the exclusion should not apply. The Target situation illustrates indeed that where the merchant is not debited by the payment service provider, it can expect to be sued by the issuers of cards on the basis of negligence, and the exclusion would undoubtedly not apply in such a situation.
However, the trial court rejected the argument and found the exclusion to apply.
The second exclusion provided the following:
«No insured shall settle any Claim, incur any Defense Costs, or otherwise assume any contractual obligation or admit any liability with respect to any Claim without the Company’s written consent, which shall not be unreasonably withheld. The Company shall not be liable for any settlement, Defense Costs, assumed obligations or admission to which it has not consented.»
Aldo Group argued that this exclusion only applies to settlements, assumptions of obligations and admission that are subsequent to the insured claims against the insurer.
The trial dismissed this argument and found the exclusion to apply, noting that «[t]he timing of Aldo’s renunciations of rights or admissions is irrelevant».
The decision is under appeal I do not intend to comment further on the matter, other than to note that participants that wish to insure their cyber risks may prefer to consider insurance policies that include specific cyber risk coverage. Such policies have been available for some time now. In addition to solidifying the expectation of coverage, they address gaps often found in general purpose liability insurance products. It remains the participants’ role to identify the damages that need to be considered in addition to the indemnities to be paid to affected customers, and to confirm that such damages are adequately provided by the cyber risk policy, such as the costs of information technology specialists and investigators, public affairs and crisis management consultants, communications with affected customers and the monitoring of their credit rating by credit agencies, relocation and securing of compromise servers, legal assistance, and business interruption losses, contractual and regulatory assessments, fees and penalties.
In July 2014, we learned that the computer systems of our National Research Council («NRC») were breached and stored data was searched by hackers. In an unprecedented move, the head of Canada’s Communications Security Establishment released a statement to the media attributing the responsibility for the attack to «a Chinese state-sponsored actor» and noted that «hackers, criminals and state-sponsored threat actors […] are constantly probing Government of Canada systems and networks for weaknesses so that they infiltrate them and steal valuable information»; see «Letter to the editor re : Globe and Mail article – July 31, 2014», online : http://www.cse-cst.gc.ca/home-accueil/media/media.2014-07-31.eng.html. See also «National Research Council computers hacked by Chinese, says Canadian spy agency», Financial Post, FP Tech Desk (July 29, 2014), online : http://business.financialpost.com/2014/07/29/canadian-spy-agency-says-chinese-hacked-into-national-research-council-computers. On its website, the CSE notes that «there is no shortage of threats to protect against» and added : «Government departments and agencies are subject to millions of cyber intrusion attempts every day»; see «Cyber Security Awareness Month», online : https://www.cse-cst.gc.ca/en/media /media-2014-10-06.
 Each of Canada and the U.S. have a framework to protect critical infrastructure against cyber crime. For the U.S. see : Executive Order – Improving Critical Infrastructure Cybersecurity, February 12, 2013, online : http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastruture-cybersecurity and National Institute of Standards and Technology, «Framework for Improving Critical Infrastructure Cybersecurity», February 12, 2014, online : http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf. For Canada see the second part of this presentation. Notwithstanding the efforts deployed by the U.S. and Canada to improve the cyber security of critical infrastructure, attacks against utilities, electricity grids, energy distribution, airline operations, telecommunications and healthcare continue to be detected and feared; see: B. Prince, «Iranian-Sponsored Hackers Hit Critical Infrastructure Companies : Research», December 2, 2014, online : http://www.securityweek.com/iranian-sponsored-hackers-hit-critical-infrastructure-companies-research, referring to a report by Cylance, «Operation Cleaver» (undated), online : http://www.cylance.com/assets/cleaver/cylance-operations-cleaver-report.pdf. See also K. Vinton, , «Hacking Gets Physical : Utilities at Risk for Cyber Attacks», Forbes, July 10, 2014, online : http://www.forbes.com/sites/katevinton/2014/07/10/hacking-gets-physical-utilities-at-risk-for-cyber-attacks/ and D. Storm, «Hackers Exploit SCADA Holes to Take Full Control of Critical Infrastructure», Computer World, January 15, 2014, online : http://www.computerworld.com/article/2475789/cybercrime-hacking/hackers-exploit-scada-holes-to-take-full-control-of-critical-infrastruture.html.
On May 19, 2014, the U.S. Department of Justice announced that a grand jury indicted five Chinese military officers with cyber espionage against US corporations. The victims were in the nuclear power, metals and solar products industries. The hackers allegedly stole trade secrets and other information that would be useful for competitors in China. See: U.S Department of Justice, Office of Public Affairs, «U.S. Charges Five Chinese Military Hackers with Cyber Espionage Against U.S. Corporations and a Labour Organization for Commercial Advantage», May 19, 2014, online : http://www.fbi.gov/pittsburgh/press-releases/2014/u.s.-charges-five-chinese-military-hackers-with-cyber-espionage-against-u.s.-corporations-and-a-labor-organization-for-commercial-advantage. Also see generally: Symantec Corporation, «Internet Security Threat Report 2014 : volume 19», April 2014, online: http://www.symantec.com/content/en/us/entreprise/other_resources/b-istr_main_report_v19_21291018,en-us.pdf; and Verizon Entreprise Solutions, «2014 Data Breach Investigations Report», online: http://www.verizonenterprise.co/DBIR/2014.
 See Communications Security Establishment, Canada’s Cyber Security Strategy: For a Stronger and More Prosperous Canada, p. 3, online: http://www.publicsafety.gc.ca/cnt/rsrcs/pbl/ctns/cbr-scrt-strtgy/index-eng.aspx : «Every year we detect more attackers than the year before. And every year, those seeking to infiltrate, exploit or attack our cyber systems are more sophisticated and better resourced than the year before. They are investing in their capabilities. We must respond by investing more in ours of actions and responses, accompanied by continuing investment and vigilance over the long term».
 Royal Bank of Canada, Annual Report 2013, online : http://www.rbc.com/investorrelations/pdf/ar_2013_e.pdf. The bank deleted the reference to the existence of attacks and the absence of material breaches in its annual report for 2014: Royal Bank of Canada, Annual Report 2014, online: http://www.annualreports.rbc.com/ar2014/PDFs/RBC_English_AR14_ENG.pdf, at p. 47.
 New York State, Department of Financial Services, «Report on Cyber Security in the Banking Sector», May 2014, online : http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf, p. 9.
 B. Sullivan, «Banks website attacks reach new high : 249 hours offline in past six weeks», Canada MSN News, June 6, 2013, online : http://www.news.ca.msn.com/top-stories/bank-website-attacks-reach-new-high-249-hours-offline-in-past-six-weeks.
 Steptoe & Johnson LLP, E-Commerce Law Week, Issue 833, «TD Bank settles for $625,000 in Massachusetts data beach suit»: «This settlement comes just months after TD agreed to pay a penalty of $850,000 following a two-year investigation of the breach by nine other state attorneys general», online: http://www.steptoe.com/publications-10087.html.
 N. Perlroth, «JPMorgan and other banks struck by hackers», The New York Times, August 27, 2014, online : http://www.nytimes.com/2014/08/29/technology/hackers-targe-banks-including-jpmorgan.html.
 J. Stoddart, «Cybersecurity and privacy protection : Mutually reinforcing goals in the digital age», October 23, 2013, online : http://www.priv.gc.ca/media/sp-d/2013/sp-d_20131023_e.asp.
 Financial Services – Information Sharing and Analysis Center, «Results of FS-ISAC commercial account takeover survey now available», American Bankers Association, January 9, 2013, online : http://www.aba.com/tools/function/fraud/documents/pressrelease010913.pdf.
 Bank Info Security, «Global Payments Breach Tab : $94 million», (January 10, 2013), online : http://www.bankinfosecurity.com/global-payments-breach-tab-94-million; Bank Info Security, «More Litigation Tied to Hartland Breach : card issuers appeal, argue processor was negligent», February 21, 2013, online : http://www.bankinfosecurity.com/more-litigation-tied-to-heartlabd-breach-a-5528.
 Voir le site d’information créé par Target : «Responses and resources related to Target’s data breach», online : https://www.corporate.target.com/about/payment-card-issue.aspx. D. Kerr, «Target hack strips banks and credit unions of $200M», February 18, 2013, Cnet, online: http://www.cnet.com/news/targethack-strips-banks-and-credit-unions-of-200m/.
 The Aldo Group litigation involves two cases: (i) an action in Ontario by the merchant against the payment service provider and the credit card network, to recover the amount of penalties levied against the merchant following a cyber attack against the merchant’s computers which resulted in unauthorized charges on the credit cards of innocent customers, and (ii) another action in Quebec by the merchant against its insurer. See Aldo Group Inc. v. Moneris Solutions Corporation, 2012 ONSC 2581, confirmed in appeal by 2013 ONCA 725 (motion for leave to appeal to the Supreme Court of Canada dismissed no. 35700 (1er mai 2014); and Aldo Group Inc. v. Chubb Insurance Company of Canada, 2013 QCCS 2006, currenly in appeal before the Court of Appeal of Quebec.
 Task Force for the Payments System Review, Policy Paper B : Governance – Stakeholders and their Disconnect, December 2011, p. 5.
 The CSE is a security and intelligence organization which the National Defense Act mandates to collect foreign intelligence, to help protect the computer networks of greatest importance in Canada, and to provide technical assistance to federal law enforcement and security organizations. To protect the computers of government and Canadians, CSE has developed cyber and technical expertise and provides advice and services. It monitors government networks, works with government departments to defend and strengthen systems and works with the private sector to protect vital computer networks.
 National Strategy for Critical Infrastructure, supra, note 19, p. 2.
 Canadian Payments Association, Annual Report, 2013.
 H. Gallagher et al., «Cyber Security : Protecting the Resilience of Canada’s Financial System», Bank of Canada, Financial Systems Review, December 2014, 47 at p. 52.
 See Patco Construction v. Peoples United Bank, infra, note 54.
 Supra, note 16.
 «FFIEC Cybersecurity Assessment General Observations», online : https://www.ffiec.gov/press/PDF/FFIEC_cybersecurity_assessment_observtions.pdf.
 «NYDFS issues examination guidance to banks outlining new targeted cyber security preparedness assesments», December 10, 2014, online : http://www.dfs.ny.gov/about/press2014/pr1412101.htm, enclosing a memo of the Superintendant of Financial Services to all banking institutions chartered or licensed by the New York State Department of Financial Services.
 Division of Corporate Finance, «CF Disclosure Guidance: Topic No. 2 Cybersecurity», October 13, 2011, online: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.hml.
 The report of the inquiry («TJX Inquiry Report») can be found online: https://www.priv.gc.ca/cf-dc/2007/TJX_rep_070925_e.asp.
 TJX Inquiry Report, ibid., paras 77 and 78.
TJX Inquiry Report, ibid., para. 93.
 TJX Inquiry Report, ibid., para. 98.
 Section 34.1(1) of the Personal Information Protection Act (Alberta) provides that an«[o]rganization having personal information under its control must, without unreasonable delay, provide notice to te Commissioner of any incident involving the loss or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.»
 For the text and history of the bill, see online: http://www.parl.gc.ca/LegisInfo/BillDetails.aspx?Language=E&Mode=1&billId=6251848.
 For the text of the bill, see online: http://www.parl.gc.ca/HousePublications/Publication.aspx?DocId=6524312&File=33.
 National Conference of State Legislature, «State security breach notification laws» (April 11, 2014), online : http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. A small number of those laws provide a private right of action to individuals for damages suffered as a result of the loss, dislosure of or access to their personal information : see In re : Target Corporation Customer Data Security Breach Litigation, U.S.D.C (Minn.), MDL No. 14-2522, pp. 20 and ff.
 Larose c. Banque Nationale du Canada, 2010 QCSC 5385; wee also Willingham v. Global Payments Inc., 2013 WL 440702 (N.D. Ga. 2013), at p. 19 : «Plaintiff’s [personally identifiable information] does not have an inherent monetary value».
 Online : https://www.cibc.com/ca/mobile/legal/agreement/html, section 7.
 Ibid., section 9.
 Ibid., section 12.
 Ibid., section 14.
 Ibid., section 66.
 Patco Const. Co., Inc. v. Peoples United Bank, 684 F (3d) 197 (1st Cir 2012) («Patco»)
 Patco, ibid., p. 5.
 In re : Target Corporation Customer Data Security Breach Litigation, U.S. District Court (Minn.), December 18, 2014, MDL No. 14-2522.
 See Aldo Group Inc. v. Moneris Solutions Corporation, supra, note 15.
 IT Governace, «Boardroom cyber watch survey – 2014 Report», online : http://www.itgovernance.co.ok/boardroom-cyber-watch.aspx.
 Supra, note 15.
 Aldo Group Inc. v. Chubb Insurance Company of Canada, supra, note 15, para. 42.
 Ibid., paras 56-58.
 Ibid., para. 70.
 Ibid., para. 74.
 R. Betterley, «Cyber/privacy insurance market survey 2013», June 2013, Betterley Risk Consultants Inc., online: http://www.betterley.com/samples/cpims134_nt.pdf .
 See Retail Ventures, Inc. v. National Union Fire Insurance Company of Pittsburgh, 2007 WL 943011 (S.D. Ohio 2007)