On March 7, 2025, the Saskatchewan Court of King’s Bench affirmed the withholding of file path information from a requester who sought the information under Saskatchewan’s provincial freedom of information statute.
The Court described the information as “file path addresses/links and barcodes within the documents that describe the process of accessing information/data stored in specific databases on a computer system.”
Notably, the institution relied on the class-based exemption for information with proprietary value. Proof of a non-speculative risk of harm is not required to invoke this exemption, but case law in Saskatchewan and Ontario narrows the class to information with “inherent monetary value” and a proprietary character (in my words). The Court held that the exemption applied based on an affidavit that stated that granting access would provide, “an instruction manual for any person with access to SHA’s systems to quickly and effectively identify and access locations on SHA’s systems that contain sensitive personal and personal health information and other sensitive security information…”
In 2023, the IPC/Ontario rejected a claim made by the Ontario Ministry of Health that file path information was exempt from the right of access because the Ministry failed to prove a non-speculative risk of harm. It commented, “I do not accept that disclosure of the file path information (the location of a specific document in the ministry’s computer system) could reasonably be expected to compromise the security of the ministry’s computer system or allow unauthorized individuals to infiltrate the ministry’s computer systems. The ministry has not adequately explained how this information could be used to access the ministry’s computer system by an individual who is not a ministry employee.”
I’ve underlined the text above to highlight the flaw in the Ministry’s argument—though, to be fair, it was addressing only two lines of file path information. It is difficult to conceive how file path information could be used to compromise a network. However, one can easily see how such information could assist a malicious actor in quickly locating valuable data within a network. File path information should be exempt, and the new Saskatchewan case will help make that argument. It’s a particularly good case because it rests on a class-based exemption and not a more circumstantial harms-based exemption.
Note that the IPC/Ontario has withheld other information about a network to protect it from malicious actors. See Ontario Lottery and Gaming Corporation (Re), 2016 CanLII 85802 (ON IPC), <https://canlii.ca/t/gw1g6>, retrieved on 2025-09-23.
Schiller v Saskatchewan Health Authority, 2025 SKKB 37 (CanLII), <https://canlii.ca/t/kb2fh>, retrieved on 2025-09-23.
It is no surprise that the federal government has brought back its federal critical infrastructure cyber security bill, a bill labeled C-8 that will enact the Critical Cyber Systems Protection Act. When the prior government first proposed this law in 2022 as bill C-26, its stated objective was to “address longstanding gaps” in its ability to protect systems and services of national importance. Industry is generally onside, mobilized by the 2021 ransomware attack against Colonial Pipeline that highlighted the fragility of North American supply chains.
The CCSPA – which will apply to “designated operators” of federally regulated critical cyber systems – has come back in much the same form as introduced with Bill C-26. In lieu of providing a summary of the entirety of Bill C-8, here are seven points for designated operators to consider.
The CCSPA will be framework legislation with very limited substance or clear guidance. Designated operators can assess only the high-level requirements relating to cyber security program establishment, implementation and maintenance, with the required substance of cyber security programs likely to be dealt with in detail by regulation.
The “critical cyber system” definition will delineate the scope of obligations, and is very broad: “a cyber system that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system.” The words “could affect” establish a low criticality threshold. In its current form, Bill C-8 likely encompasses control systems and a wide range of other systems.
It appears that designated operators will be permitted to prioritize and schedule their risk mitigation commitments, with the exception of risk mitigation commitments relating to supply chain risks. Bill C-8 prioritizes supply chain risks by stipulating that designated organizations must take steps to mitigate such risks “as soon as” they are identified. This distinction does not appear to be risk-based, nor is the rationale clear.
Incident reporting (to the Communications Security Establishment) is to be done within 72 hours, presumably of validation. The incident definition, however, is broad: “an incident, including an act, omission or circumstance, that interferes or may interfere with… the continuity or security of a vital service or vital system… or the confidentiality, integrity or availability of the critical cyber system.” Operationalizing an obligation to report an occurrence that “may” have an impact will be difficult. Designated operators will struggle to distinguish between the many immaterial “cyber events” – e.g., alerts and false positive reports – that they identify and cyber incidents that must be reported. Designated operators may also rush to report and over-report given the Bill does not contemplate a period of assessment or investigation.
The government’s power to issue binding directions is broad, and not expressly constrained by pre-conditions such as necessity or reasonableness. There is no requirement to consult with designated operators about potential operational impact or other concerns prior to or after issuing a direction, nor will directions be subject to the same vetting process that applies to regulations under the Statutory Instruments Act.
Designated operators may seek judicial review of directions by applying to Federal Court. In one of the few changes implemented with Bill C-8, the government has (positively) removed provisions that contemplated the hearing of these review applications ex parte and in camera.
Like its predecessor, Bill C-8 provides for government use and disclosure of information provided by designated operators and, to protect the security and business interests of designated operators, deems certain information confidential. The question is whether the balance struck by the Bill is proper and fair to designated operators given the sharing allowances in the Bill are broad.
Government is legitimately concerned with the need for a responsive regime that encourages the protection of critical infrastructure from adversaries, though there are legitimate and important questions for critical infrastructure owners and operators to consider about whether Bill C-8 strikes an appropriate balance.
Wired Magazine published an article last week about school cyber attacks in the United States that was wholly denigrating of the role of cyber incident response counsel – “breach coaches.” Wired’s theme was that schools are using their lawyers to deprive parents, students, and the public of information. Wired has inspired this post, though I will say little more about it than “Don’t believe everything you read.” Rather, I will be positive, and explain that transparency is at the center of good cyber incident response and that breach counsel enable transparency through clear, accurate, and timely communication.
We must communicate to manage
Let us start with the object of incident response. Sure, we want to contain and eradicate quickly. Sure, we want to restore services as fast as possible. But without making light of it, I will say that there is lots of “drama” associated with most major cyber incidents today that renders incident response about more than containment and eradication.
Major incidents are visible, high stakes affairs in which reputation and relationships are at stake. You will have many stakeholders descending on you from time zero, and every one of them wants one thing – information. You do not have a lot of that to give them, in the early days at least, but you have got to give them what you can.
In other words, you need to do the right thing and be seen to do the right thing. This means being clear about what has happened and what you are doing about it. It means reporting to law enforcement. It means sharing threat information with peers. It means getting your message out.
This is crisis communication best practice. If smoke is billowing from your house and the public has questions, the public will make its own story about your fire if you say nothing, and any obfuscation risks blowback. You must, as best you can, get your message out.
Let’s get privilege straight
Lawyers love privilege, but we may not do a good enough job at helping the public understand why it is so important, and why it is not inimical to transparency.
There are two types of privilege.
Solicitor-client privilege is the strongest form of privilege. A confidential communication between lawyer and client that relates to the giving or receiving of legal advice (in the broadest sense) is privileged.
Litigation privilege works a little differently, and is quite important for giving a person who is in litigation or who contemplates litigation a “zone of privacy” in which to prepare, strategize and plan free from an adversary’s scrutiny.
Privilege is a powerful tool for organizations because it shields communications from everyone – an adversary in litigation, a freedom of information requester, a regulator.
This is for good reason: privilege allows for good legal advice on complicated, high stakes problems. If litigation is pending or anticipated, it also allows for the adversaries to be adversaries, which contributes to the truth seeking function of adjudication. Privilege is hallowed, and recognized by our courts as central to the rule of law.
Privilege, though, applies to communications, not to facts that have an independent existence. Is your head exploding yet? Let me explain this tricky idea.
Say an incident leads to the discovery of four facts – Fact A, Fact B, Fact C and Fact D. There is a question about whether those four facts prove data exfiltration of a particular set of data. Lawyer and client can communicate with each other to develop an understanding of that legal question. The lawyer can advise the client about what the evidence means, whether inferences can be drawn, and how the evidence is likely to be interpreted by a judge or a regulator. The lawyer may give an answer – “no exfiltration” – but also explain the strengths and weaknesses of taking that position. All the evaluation and advice – the communication – is privileged, but Fact A, Fact B, Fact C, and Fact D are not. In incident response, those facts are normally embodied in the forensic artifacts collected and preserved by the forensic investigator or collected in communications with the threat actor(s). Those artifacts and communications are producible in litigation and producible to a regulator, which allows others to examine them, engage in analysis (that may replicate the analysis that occurred under privilege), and draw their own conclusions. What an adversary or regulator cannot do is piggyback on solicitor-client communications to understand how the lawyer and client viewed all the nuance of the issue.
This is an important point to understand because it answers some unfounded concerns that privilege is a tool of obfuscation. It is not.
Privilege must be respected, though. There’s a now famous case in Canada in which an organization attempted to claim that recorded dialog with a threat actor was privileged because the communication was conveyed to counsel by an expert retained by counsel. The Court rightly held this was overreach. The threat actor dialog itself is fact. The same goes for forensic timelines. They are privileged because they are recorded in privileged reports. In litigation, this does help put some burden on an adversary to analyze the evidence themselves and develop their own timeline. But it’s unwise to tell a regulator, “I’m not giving you a timeline because the only place it’s recorded is in my privileged report.” Withhold the precise framing of the timeline in your report. Keep any conclusory elements, evaluations, and qualifications confidential, too. But give the regulator the facts. That’s all they want, and it should spare you a pointless privilege dispute.
From the zone of privilege to the public
I explain to our incident response clients that we work with them in a zone of privacy or privilege that is a safe communication zone. It is like a staging area for evidence, where we can sit with evidence, understand it, and determine what is and is not fact. The picture of an incident is formed slowly over time based on investigation. Things that seem the case are often not the case, and assumptions are to be relied upon cautiously.
It is our role, as counsel, to advise the client on what is safe to treat as fact. Once fact, it can be pushed out of the zone of privilege to the public in communications. It is at this point the communication will live on the public record and be used as evidence, so we carefully vet all such communication by asking four questions:
Is there any speculation? Are all facts accurately described? Are all facts clearly described?
Are there commitments/promises? Are they achievable?
Does the communication accurately convey the risk? If it raises alarm or encourages action, is that justified? Or will we cause stress for no good reason?
Does the communication reveal anything said under privilege (which can waive privilege)?
Our duty is to our client, and our filter is to protect our client, but it also benefits the public because it ensures that incident communications are clear and reliable. This is hard work, and the heavy scrutiny that always comes later can reveal weaknesses even in word choice. But by and large, organizations with qualified incident response counsel achieve transparency and engender stakeholder and public understanding and confidence.
Good notification takes time
Any organization whose network is compromised can contain the incident, and then an hour later announce, “If you have ever been employed with us or been a client of ours, your information may have been stolen.” This will almost always be a true statement, but it’s also a meaningless and vast over-notification. Good legal counsel lead their clients to investigate.
Investigation takes time. Determining what has been taken, if anything, is the first step. If you do that well, it can take about a week. But that is only the start. Imagine looking at a 453,000 file listing, delivered to you by a threat actor without any file path metadata. The question: who is affected? Your file share is encrypted, so you do not even have readable copies of the files yet.
Is it any wonder that organizations notify weeks and months after they are attacked? You cannot rightly blame the lawyers or their clients for this. It is hard work. If an organization elects to spend six figures and four months on e-discovery to conduct file level analysis, it will be able to send a letter to each affected individual that sets out a tailored list of exposed data elements. Our regulator in Ontario has called this “the standard,” at the same time opening the door to more generalized notifications. We are moving now to population based notifications, while still trying to be meaningful. Consider the following:
All individuals who received service x between date 1 and date 2 are affected. The contact information of all such individuals has been exposed (phone, e-mail and address as provided). About a third of the individuals in this population provided an emergency contact. The identity of this person and their phone number was also exposed.
I am explaining this because time to notify is the easiest thing on which to criticize an organization. Time to notification is visible, and far easier to understand than it is to explain to mass audiences with the kind of descriptions I have made here. Believe me, though, it is a very demanding challenge on which incident response counsel spend significant time and energy with their clients and data processing vendors, all with the aim of giving earlier and meaningful notifications.
Conclusion
Cyber incident response counsel are essential for effective and transparent incident management. They facilitate clear communication, crucial for stakeholder confidence and the fulfilment of obligations. Privilege, often misunderstood, enables open lawyer-client communication, improving decision-making. It’s not a tool to hide facts. Counsel guide clients through investigations and notifications, ensuring accuracy and avoiding speculation. Notification delays often stem from the complex process of determining breach scope and identifying affected individuals. Counsel help balance speed and quality of notification, serving their clients first, but also the public.
On November 7th, the Newfoundland and Labrador Supreme Court issued an access to information decision with some notable points.
First, the Court held that a public body validly redacted file path information from a document set based on the security of a computer system exemption to the public right of access. The public body adduced good evidence that the paths could be used by threat actors to (a) randomly generate usernames amenable to brute forcing or similar attacks, (b) identify domain administrators, and (c) map the network, all creating a real and non-speculative risk of attack. The finding is based on the evidence, but there is nothing unique about the risk that the Court recognized.
Second, the Court affirmed a decision to apply the privilege exemption based on a solicitor-client privilege claim and despite a dispute between the public body and the Newfoundland Information and Privacy Commissioner about the scope of the so called “continuum of communication.” The Court held the following communications were within the protected continuum:
E-mail messages between non-lawyers that were subsequent to the direct giving and receiving of legal advice about “process and timing” (and up the e-mail thread).
Drafts of documents known to be subject to editing by legal counsel and from which “an informed reader could readily infer what legal counsel had advised.”
Notes, questions and references in documents made by an individual who gave evidence that she received legal advice in relation to all the notes, questions and references.
This finding is as sound as it is protective in my view.
I’m working through a reading pile today, and will note briefly that the Saskatchewan IPC has issued a report about the Edge Imaging cyber incident from earlier this year, which affected a number of Ontario school boards.
It was an atypical incident. Edge Imaging used a subcontractor called Entourage Yearbooks to store and process school yearbook photos. A threat actor accessed an Entourage AWS server, downloaded and deleted photos and held them for ransom. Edge ultimately reported to its school board/division clients that Entourage, “reported that they secured the return of all the Canadian photo files from the threat actors, along with their commitment that the photo files have been deleted, and were not distributed.”
The Saskatchewan IPC report deals with whether the photos contained personal information, whether the affected school divisions met their duty to notify, whether the service providers investigated reasonably, and whether the affected school divisions took appropriate protective steps in light of the incident. It is very cursory. The matter is simply a reminder about outsourcing risks, which school boards need to manage. The Ontario IPC updated its guidance earlier this year – see Privacy and Access in Public Sector Contracting with Third Party Service Providers.
It was an honour and pleasure to speak today at the Canadian SecuR&E Forum, a research and education community-building event hosted by CANARIE. My object was to spread the gospel of threat information sharing and debunk some myths about legal privilege as a barrier to it. Here are my slides, and I’ve also included the text of my address below.
Slide one
I am here today as a representative of my profession – the legal profession.
I’m an incident response lawyer or so-called “breach coach.” Lawyers like me are often used in an advisory capacity on major cyber incidents. Insurers encourage this. They feel we add consistency of approach and mitigate downside risk.
I’ve done some very difficult and rewarding things with IT leaders in responding to incidents, and genuinely believe in the value of using an incident response lawyer. But I am also aware of a discomfort with the lawyer’s role, and the discomfort is typically expressed in relation to the topic of threat information sharing.
We often hear organizations say, “The lawyer told us not to share.”
I’m here as a lawyer who is an ally to IT leadership, and to reinforce the very premise of CanSSOC – that no single institution can tackle cybersecurity issues alone.
Here’s my five-part argument in favour of threat information sharing:
Organizations must communicate to manage
The art is in communicating well
Working within a zone of privilege is important
But privilege does not protect fact
And threat information is fact
My plan is to walk you through this argument, taking a little detour along the way to teach you about the concept of privilege.
Slide 2
Let’s first define what we are talking about – define “threat information.”
NIST is the National Institute of Standards and Technology, an agency of the US Department of Commerce whose cybersecurity framework is something many of your institutions use.
NIST says threat information is, “Any information related to a threat that might help an organization protect itself against a threat or detect the activities of an actor.”
Indicators (of compromise) are pieces of evidence that indicate a network has been attacked: traffic from malicious IP addresses and malware signatures, for example.
“TTPs” are threat actor “tactics, techniques and procedures.” These are behaviours, processes, actions, and strategies used by a threat actor. Of course, if one knows threat actor measures, one can employ countermeasures.
Beyond indicators and TTPs, we have more contextualized information about an incident, information that connects the pieces together and helps give it meaning. It all fits within this definition, however.
Slide 3
Argument 1 – we must communicate to manage
Let’s start with the object of incident response. Sure, we want to contain and eradicate quickly. Sure, we want to restore services as fast as possible. Without making light of it, I’ll say that there is lots of “drama” associated with most major cyber incidents today.
Major incidents are visible, high stakes affairs in which reputation and relationships are at stake. You’ll have many, many stakeholders descending on you from time zero, and every one of them wants one thing – information. You don’t have a lot of that to give them, in the early days at least, but you’ve got to give them what you can.
In other words, you need to do the right thing and be seen to do the right thing. This means being clear about what’s happened and what you’re doing about it. It means reporting to law enforcement. And it means sharing threat information with peers.
“We’re stronger together” is the CanSSOC tag line, and it’s bang on. NIST says that Tier 4 or “adaptive” organizations – the most mature in its framework – understand their part in the cyber ecosystem and share threat information with external collaborators. There’s no debate: sharing threat information is part of a widely accepted cybersecurity standard.
Slide 4
Argument 2 – the art is in communicating well
People have a broad right to remain silent under our law.
And anything they say can be used as evidence against them in a court of law.
These are plain truths that are taught to lawyers in first-year constitutional and criminal law classes across the country.
And the right to remain silent ought to be adhered to strictly in some scenarios – when one faces criminal jeopardy, for example.
Incident scenarios are far, far from that.
The most realistic downside scenario in most incidents is getting sued.
In theory, you can avoid civil liability by not being transparent about your bad facts.
In reality, hiding your bad facts is almost always an unwise approach.
This is because bad facts will come out:
because you’ll notify individuals affected by a privacy breach in accordance with norms or because it’s legally required; or
because you’re a public body subject to FOI legislation.
So you’ve got to do what the communications pros say: get ahead of the issue, control the message and communicate well.
Slide 5
Let’s detour from the argument for a moment to do some important background learning.
What is legal privilege?
Short answer – It is a very helpful tool for incident responders.
It’s a helpful tool because it shields communications from pretty much everyone. Adversaries in litigation are the main concern, but also the public – who, again, has a presumptive right of access to every record in the custody or control of a university.
There are two types of privilege.
Solicitor-client. This is the strongest form of privilege. You see the definition here. Invoking privilege is not as simple as copying your lawyer on a communication. But if you send a communication to a lawyer and your decision-making team at the same time, and your lawyer is a legal advisor to the team, the communication is privileged.
Litigation privilege works a little differently, and is quite important. I specify in engagement letters that my engagement is both as an advisor and “in contemplation of litigation” so reports produced by the investigators we hire are more likely to survive a privilege challenge.
Invoking privilege is why you want to call your incident response counsel at the outset. If the investigator comes in first, you can always have a late-arriving lawyer say that the investigation is now for their purpose and in contemplation of litigation, but that assertion could be questioned given the timing. In other words, the investigation will look operational and routine and not for the very special purposes that support a privilege claim.
Slide 6
Back to the argument
Argument 3 – Working within a zone of privilege is important
Here’s an illustration of the power of privilege and why you want to establish it.
The left-hand column is within the zone of privilege. I’m in that zone. The experts I retain for you are in that zone. And you’re in that zone along with other key decision-makers. We keep the team small so our confidential communication is more secure.
And we can speak freely within the zone. Have a look at the nuanced situation set out in the left-hand column. The forensic investigator can present evidence gathered over hours and hours of work in one clear and cogent report. We can deal with fine points about what that evidence may or may not prove and what you ought to do about it. I’ll tell you where you can and should go, but I’ll also tell you about the frailties in those directions and other options you shouldn’t and won’t take.
None of that need ever see the light of day, and in the right-hand column, in public, you can tell your story in the clearest, plainest and most favorable way possible: “We do not believe there has been any unauthorized access to student and employee personal information.” If plaintiff counsel or anyone else wishes to disprove that, they can’t go to your forensic report for a road map to the evidence and for something to mine for facts that might seal your fate in court. They must gather all the evidence gathered by your investigator themselves, re-do the analysis and then figure out on their own what it means.
Privilege is of powerful benefit.
Slide 7
Argument 4 – privilege doesn’t protect facts
I often hear, “We need to keep things confidential because of privilege.” Let me tell you what that means.
The privilege belongs to the client, not the lawyer. Clients can waive privilege, so they need to keep their privileged communications and documents confidential. Institutions do this all the time, but it’s risky to say, “We’re doing this because our lawyer said so.” That’s arguably an implicit waiver.
The easy rule is, “Don’t publish anything you’ve said to your lawyer or that your lawyer has said to you.” Don’t state it directly. Don’t even hint at it!
The same goes for your forensic investigator. Saying “Our forensic investigator told us this” is also a risk. Just say that you’ve done your investigation, and these are the facts, or that you believe this to be the case.
If you do that – if you talk about the facts – you won’t waive privilege. You’ll be using the privilege to derive the facts you publish, and will be safe.
This is what your lawyer is working so hard on in an incident. One of our main roles is to work within that zone of privilege on the evidence and to determine what is and isn’t fact. If it really is fact, and you are in transparency mode, you will get the fact out whether it’s a good fact or a bad fact. And I’ll agonize with you about what that right hand column should say and make sure it is safe. I’ll ask myself continuously, “If my client gets into a fight later, will that be what is ultimately proven to be the truth?”
Slide 8
Argument 5 – threat information is fact
It is. And if you can convey facts without waiving privilege, you can convey threat information without waiving privilege.
So don’t listen to anyone that tells you that you can’t share threat information because it will waive privilege. It’s not a valid argument.
You’ll have a very clear view of indicators of compromise fairly early into an incident and should share them immediately because their value is time limited.
It takes longer to identify TTPs, but they are safe to share too because they are factual.
That’s my argument. I’ve been talking tough, but will end with a qualification – a qualification and a challenge!
The qualification. You should be wary of the unstructured sharing of information with context, particularly early on in an incident: CISOs call CISOs, Presidents call Presidents, I understand. I get it, and think that the risk of oral conversations with trusted individuals can be low. Nonetheless, this kind of informal sharing is not visible, and does represent a risk that is unknown and unmanaged. I’d rather you bring it into the formal incident response process and do it right. For example, I was part of an incident last year in which CanSSOC took an unprecedented and creative step in bringing together two universities who were simultaneously under attack by the same threat actor so they could compare notes.
This is the challenge, then: how do we – IT leaders, lawyers and CanSSOC together – enable better sharing in a safe manner? There’s a real opportunity to lead the nation on this point, and I welcome it.
My BLG teammates and I take the privilege of guiding clients through the perils of cyber incidents seriously. To honour the privilege, we think deeply about various aspects of our performance, including how we can perform better under pressure. Dr. Dan Dworkis’s book, The Emergency Mind: Wiring Your Brain for Performance Under Pressure is now required reading.
Dr. Dworkis is a professor of medicine and an emergency physician. His book, published in 2021, is part of a project that includes a website, podcast and other supports for individuals and teams striving to perform better under pressure. Dr. Dworkis calls The Emergency Mind a “mental toolkit.” It comprises 25 prescriptions for how to think and act in high pressure situations.
When I picked up The Emergency Mind and started in, I was immediately excited. For me, there’s no greater measure of a text than its relevance, and The Emergency Mind was packed with relevant ideas. I connected with them as a lawyer and an athlete, but drew most insight in respect of my role as a cyber incident coach and team lead. I took some notes while reading, and have turned them into the table below. The left-hand column summarizes some key ideas from The Emergency Mind. The right-hand column contains my notes (now edited) on their application to cyber incident response.
Practice the discipline of “suboptimal”
Idea: Bad outcomes and mistakes will happen. Identify (label) and accept the mistake, rapidly pivot to face the new reality, and learn from the event.
Quote: “Personally, when I perform the labeling part of a response, I begin by saying, ‘Well, this is suboptimal.’ Labelling something as ‘suboptimal’ acknowledges the challenging nature of what is happening without pulling me or my team off-line the way that calling it ‘horrible’ or ‘hopeless’ might.”
Labelling thoughts and emotions is a well-known and effective mindfulness technique. To use it in incident response, one must first acknowledge that incident response can provoke emotion.
This is true, especially when things go wrong. Evidence is sometimes deleted, information is leaked or conveyed to third parties prematurely, threat actors do not do what is predicted, and so on. When faced with these problems, the team must resist the urge to dwell on the matter of fault and continue to look forward. Learning comes later in the incident response process, at least after the acute phase has passed.
I also appreciate Dr. Dworkis’s use of the term “suboptimal” because it mirrors the typical objective we set in guiding clients through an incident – to “optimize” the course of action in light of business, reputational and legal risks. Use of the terms “optimal” and “suboptimal” highlights the fluid nature of incident response. There are always multiple paths to the end.
Combine action and analysis
Idea: Have and foster an ability to apply the right mode of thinking and action – be it fast or slow.
Quote: “When you are not forced to act, jumping into a response without further analysis of the emergency is sometimes a bit like throwing darts without looking at the dartboard. You might hit the board, but because you don’t understand where you are aiming, you’re much more likely to miss the target entirely and waste your darts.”
This is reminiscent of an idea I have shared with associates about practicing law fast and slow, adapted from Daniel Kahneman’s text Thinking, Fast and Slow. We need to know when a legal problem deserves a quick handling – enabled by assumptions and qualifications – and when we must buy time for more robust analysis.
In incident response, we are primarily in fast thinking, “action mode.” There are moments on calls when you need to pause, draw deep on experience and instinct, and declare how best to proceed. The qualification is implicit, though sometimes we explain that we are making a decision based on “gut.”
At the same time, slowing the pace of decision making down is a major responsibility of a cyber incident coach. Dr. Dworkis’s dart board metaphor can illustrate the tendency of many inexperienced incident response teams to rush at the outset of a cyber incident. I’m not counselling inaction, but most teams will benefit from a pause and emotions check at the outset. There is more time available than you feel.
Favour praxis over theory
Idea: Identify solutions that can actually be applied in the moment whether or not they represent theoretical best practice. Favour praxis – the application of knowledge to real life.
Quote: “One of the best ways you can start to consider the details of praxis and theory in your field is to explore deeply the actual mechanisms that must function correctly for you to deliver your skill. Get curious about how the sausage is made, so to speak. Lean into learning both deeply in your chosen skills, and laterally into the adjacent skills that help you and your team succeed.”
This is a good one for me, particularly as it pertains to the challenge of analyzing large, stolen data sets. Doing a proper analysis based on e-discovery is plainly the ideal, but e-discovery is expensive and time consuming, and time-to-notify is a very visible fact. Burning weeks and months on e-discovery can spoil an excellent early-stage response, leaving an organization that has spent the time and money to “do the job right” the subject of overwhelmingly negative judgement and outcry.
So, before engaging in e-discovery, we build the best possible informal view of the data set, we build towards reasonable assumptions, and we see if classes of individuals can be notified without e-discovery. We help clients weigh the risk of “over notification” against the risk of delay. These solutions are neither precise nor pretty, but can be defensible.
Decide not to decide
Idea: Do not waste your decision-making resources. Devote them to the most important and difficult decisions.
Quote: “During an emergency, the most critical decisions are those that irreversibly (or at least strongly) commit your team to a particular mental model or course of action.”
No cyber incident coach is happy to be brought into a matter and paired with an incident response forensics vendor who has already been retained. That single decision bears more on the outcome of an incident than any other in my view. This is because we must trust the chosen vendor, especially regarding the scope and depth of the investigation. There is a limited ability to consider and discuss the scope of forensic evidence collection, and deference to a vendor’s standard practice is the norm. These practices vary, and over and under scoping an investigation can have highly negative consequences.
Practice Wabi-sabi
Idea: Employ the Japanese concept of wabi-sabi, which emphasizes the values of simplicity, imperfection, and transience.
Quote: “… if you deny that situations change, you create a potentially dangerous schism in your universe and the reality around you. As this gap increases, the solutions and plans you had generated before reality changed will be rapidly ineffective.”
My strong preference is to contact a threat actor early because it is a fast way to gather reliable information and because it is a means of enhancing control and keeping the primary adversary in view.
Threat actors – perhaps frustrated by repeated engagement with organizations that are more interested in investigation than payment – have adopted countermeasures, becoming very stingy with their information. We also recently provided counsel on an incident in which our client had reliable intelligence that a threat actor would be slow to publish in the absence of contact, which meant it could delay reaching out while remaining in control.
This perfectly illustrates Dr. Dworkis’s point. The Wabi-sabi way demands detachment from a tactic we have so often helped clients deploy to a successful end.
See the forest and the leaf
Idea: Default to an attention span that is zoomed in, but don’t lose sight of the whole field.
Quote: “… emergency medical providers often find themselves handling multiple sick patients simultaneously. In these circumstances, it might not be possible, or desirable, to completely restrict your focus to a single patient. Here, communication and delegation are key, and cognitively offloading some of your thinking to skilled team members helps you deploy your focus where you need it most.”
At any given time, we will be working with ten to twenty clients who are responding to incidents – our patients. As a team lead, my attention is drawn most to those clients with incidents in the acute phase, which lasts from one to three weeks. Beyond that, incidents move into a slower phase that involves e-discovery, notification and reporting. We delegate much of the work in that phase to an excellent team of associates. These associates have a greater degree of technical knowledge about the latter phase of incident response than the partners who act as leads.
Given the money spent on e-discovery and notification, the latter phase of incident response is not low risk, but it does move more slowly, and tasks can be delegated effectively with good communication. Good communication requires a lead to “run the board” regularly – re-building a view of all cases – and making course corrections before small latter-phase problems grow.
Harness the wisdom of the room
Idea: To the extent possible, rely on information and knowledge from every individual on the team.
Quote: “As a leader, you will frequently feel tension between your need to process multiple points of view and to move forward rapidly with a plan. At some points during a crisis, your emphasis should be on action and execution of your plan. At others, the emphasis might be on unifying your team’s vision through open discussion.”
Dr. Dworkis recommends asking the team, “What are we missing? What have we not tried yet?” I’ve done more of this questioning at his urging, and like how it affects the team dynamic. It’s an acknowledgement that incident response is complex, that there are few clear answers and that the perspective of the team matters. It’s an invitation to humility, and a humble crisis leader is a good crisis leader.
Preparation and performance under pressure go hand in hand, and we all know that preparation for cyber incidents is a critical best practice. My urging to cyber responders (lawyers and non-lawyers alike) is to expand your scope of preparation to encompass performance under pressure. This will help you develop fundamental skills and behaviours that will have an impact on your and your team’s performance. Reading The Emergency Mind would be a great start.
On October 3rd, Ontario’s cyber security Expert Panel issued its report to the Minister of Public and Business Service Delivery, Kaleed Rasheed.
His Honour said, “The Expert Panel’s recommendations will form the foundation of our cyber security policies and help develop best practices shared across all sectors as well as inform future targeted investments in our cyber capabilities and defences.”
Those recommendations are:
Regarding governance: Ontario should reinforce existing governance structures to enable effective cyber security risk management across the BPS.
Regarding education and training: Ontario should continue to develop diverse and inclusive cyber security awareness and training initiatives across all age-levels of learning, supported by a variety of common and tailored content and hands-on activities.
Regarding communication: Ontario should implement a framework that encourages BPS entities to share information related to cyber security securely amongst each other with ease.
Regarding shared services: Ontario should continue to develop, improve, and expand shared services and contracts for cyber resiliency across the BPS, considering sector-specific needs where required.
Here are three issues of significance to public sector institutions and their insurers.
FIRST, the governance recommendation contemplates more government oversight, including through “a single oversight body, employing a common operating model [and] clearly establishing accountabilities.”
Institutions require more funding to address cyber security risks. This recommendation is positive because it will lay the necessary groundwork.
As suggested by the Expert Panel, the current relationship between government and institutions is somewhat confused. Government is engaged in an informal kind of oversight that lacks effectiveness and can rightly put institutions on guard because its measures are unclear. Institutions will benefit from clear and simple accountabilities and – did I say it already? – the funding to meet those accountabilities.
SECOND, the communication recommendation encompasses threat information sharing, with the Expert Panel stating, “Ontario should establish a unified critical information sharing protocol to ensure quick communication of cyber incidents, threat intelligence, and vulnerabilities amongst BPS organizations.”
This is to rectify what the Expert Panel says is the “unidirectional” flow of threat information, which is reported to government but is not yet “broadly shared across the BPS.” Institutions know that government currently craves the early reporting of threat information, but the perceived benefit is still minimal. The Expert Panel recommendation is positive in that it may lead to their receipt of more timely, more enriched threat information.
THIRD, the shared services recommendation addresses the cyber insurance coverage problem now faced by the public sector. The expert panel states:
Ontario should investigate options for establishing a self-funded cyber insurance program to support the delivery of services such as breach coaching, incident response, and recovery to which all BPS organizations can subscribe.
There is a form of self-funded cyber coverage available in various parts of the Ontario public sector through insurance reciprocals. This coverage is expanding, and the role of reciprocals is becoming more important now that the insurance market has become so hard. Primary coverage by reciprocals, even if limited in scope, can make secondary coverage more obtainable for public sector institutions.
The “breach coaching” reference above gives me pause, though I understand it to be indicative of how the role of expert legal counsel in incident response was borne out of the cyber insurance market (with the term coined by cyber risk and insurance company NetDiligence, I believe).
Breach coaching is simply expert legal advice by another name. It is funded by cyber insurance for those who have coverage, and insurers have required their insureds to use vetted and approved legal advisors in responding to incidents because they understand the risk mitigating (and cost reducing) value of this specialized legal service. Public sector institutions without coverage bear all the same risks as those with coverage, and without proper advice are at great peril. The need for proper legal advice is one reason why it is so important to solve the public sector coverage problem, though institutions dealing with a major cyber incident should not consider legal advice to be optional.
On July 5th, the IPC/Ontario held that an Ontario medical clinic breached its PHIPA safeguarding duties by:
Allowing staff to use personal e-mail accounts to send patient information provided staff referred to patients only by initials, medical reference numbers or accession numbers
Allowing the posting of login credentials (on sticky notes or the equivalent) to enable shared access to two computers
Failing to abide by the IPC’s model for agent information and instruction, which requires annual privacy training and the re-signing of confidentiality agreements on an annual basis
The clinic self-corrected upon receiving the complaint, but not without defending its posting of login credentials by explaining that the two computers were physically secure and did not contain patient information. It shouldn’t have bothered. Its information and instruction failure aside, the clinic committed plain and basic network security wrongs. The IPC’s decision is notable for calling them out.
The wave of public sector reform is coming, so it’s time to start thinking and talking about the best way to achieve strong privacy protection in the Ontario public sector. I had the honour of participating in the University of Toronto’s Privacy Day celebration yesterday, including by sitting on a panel and giving the short prepared remark below. I’m all for privacy protection and modernization, but the implementation of administrative monetary penalties in the Ontario public sector (like now in Quebec) would fundamentally change the relationship between the Ontario public sector and its regulator and not serve the public or education sectors well.