Employer could be on hook
The Canadian Press - Apr 01, 2020 - Business Buzz

TORONTO — Amid the mass transition to remote working as a result of the COVID-19 pandemic, most employers are likely focused on operational issues in order to get their employees up and running in their new home offices.

However, in addition to IT issues, experts say employers would be well advised to equip and train their staff to be vigilant against data breaches during this time, as periods of upheaval present a golden opportunity for cybercriminals looking for a way into a company’s network.

In most jurisdictions, a business is typically legally responsible for breaches caused by employees, contractors and service providers.

“Even if they screw up—even if they did something they weren’t supposed to do by accident—the employer is on the hook,” says Brent Arnold, a partner with Gowlings WLG.

Security experts warn that criminals can take advantage of the chaotic COVID-19 situation to trick people into downloading software that can be dangerous or disruptive.

For instance, ransomware can block access to information systems until a fee is paid, potentially shutting down the organization. Other malware may steal customer information or employee passwords.

Many organizations weren’t prepared to have so many employees suddenly work from home as part of government and corporate efforts to deal with the highly contagious COVID-19 coronavirus.

Under employment law, Arnold says, an employer is usually liable for their workers unless there’s actual fraud or the employee is “doing something they’re not supposed to be doing—on purpose.”

“You’ll see situations where somebody also sues the employee, but it’s generally recognized that it’s the company that’s ultimately liable for this.”

But Arnold says there’s an important distinction between being at fault for something going wrong and being legally liable for the consequences of the mess that follows.

“The fact that a company gets breached doesn’t mean they are liable,” he says. “They’ll be liable if they didn’t take reasonable measures to stop that from happening.”

Arnold says most courts don’t expect the precautions to be perfect “because medium and small businesses can’t afford to take all of the possible precautions.”

But he says organizations should be able to prove to a court or regulator that they’ve taken at least the basic steps, such as setting up security technology, procedures and training.

Similarly, Arnold acknowledges that an organization may be under pressure to compensate employees affected by such a breach—the loss of a computer, for instance, or a leak of family information.

“If I’m the employee, I suppose the position that I take is: you put me at risk by requiring me to do this on my own computer, on my own equipment, in my own home, using my own WiFi and you didn’t give me adequate training to spot this sort of a thing.”

It’s not likely that employees would sue, Arnold says, but it’s more possible if there’s a written employment agreement.

“And, interestingly, it’s not the rank-and-file employees that we see getting caught by these (scams) all the time. It’s often executives, people who are in a hurry … They’re the ones, often, who are more likely to click on an email that they’re not supposed to.”

Chandra Majumdar, who leads the national cyber threat management practice for EY Canada, says there’s been exponential growth in phishing emails that tempt the reader to click on an attachment or web link that appears to be about COVID-19 or the coronavirus.

