hero-image

Cybersecurity, Privacy & Data Protection

When it comes to cybersecurity, there are only two kinds of organizations: those that have been hacked and know it, and those that have been hacked and don’t know it yet.
Cyber risk management is an increasingly important challenge for all organizations. We are one of the most talented and experienced cybersecurity legal teams in Canada. Our lawyers have extensive expertise and experience in cyber risk management and crisis management legal services, and are peerless in our ability to successfully prosecute and defend complex cyber litigation (including class actions).

Our skilled team offers six areas of targeted service.

Cyber Risk Management Program

We can assist you with:

  • identifying, assessing and prioritizing cyber risks and selecting the best risk treatments for identified risks
  • advising on legal requirements and regulatory guidance
  • helping conduct audits and privileged assessments
  • advising on risk treatments
  • drafting/reviewing program documents

Incident Response Plans

We craft pre-determined, written incident response plans—including various protocols and guidelines—for rapid, lawful and effective responses to various cybersecurity incidents. This includes advising on legal requirements and regulatory guidance and drafting/reviewing incident response plans and related documents, including:

  • protocols and guidelines for communications
  • record keeping
  • evidence collection
  • risk assessments
  • ·notification/information sharing
  • post-incident review

Test, Train and Exercise Program

A testing, training and exercise (TTX) program can help ensure that incident response plans are up-to-date and that relevant personnel and information technology systems are in a state of readiness. We can help you with:

  • designing and executing a TTX program by

    providing advice on legal requirements and regulatory guidance

  • drafting/reviewing TTX program documents
  • participating in TTX program activities (e.g. table-top exercises)
  • providing privileged assessments and advice

Practices/Procedures and Education/Training

We offer comprehensive practices/procedures and education/training for the use of information technology systems and information, and ongoing education/training of relevant personnel. This includes:

  • advice on legal requirements and regulatory guidance, including advice regarding privacy, hiring/engagement/ on-boarding of personnel and monitoring/enforcing compliance
  • drafting/reviewing policies and procedures
  • assisting with education/training
  • providing advice regarding monitoring, verifying and enforcing compliance

Business Partner Risk Management

We also advise on business partner risk management. It is imperative to address cyber risks in contracts with business partners (e.g. vendors, suppliers, service providers and subcontractors). This is especially true for business arrangements involving transfers of regulated information (e.g. personal information) to business partners, including in connection with the use of cloud services and other outsourcing arrangements. This includes:

  • providing advice regarding legal requirements and regulatory guidance
  • preparing due diligence checklists
  • drafting/reviewing standard form procurement documents and standard form contract schedules
  • drafting and negotiating contracts with business partners
  • drafting/reviewing internal policies and procedures
  • assisting with monitoring and verifying business partner compliance with contractual requirements

Board and Senior Management Advice

We offer tailored advice to boards and senior management. As a C-suite issue, directors and officers are responsible for ensuring that their corporation/organization properly manages cyber risks and effectively responds to cyber incidents. We can help educate and advise directors and senior management on how to fulfil their legal duties and establish an appropriate due diligence and business judgment record.

Experience - Cyber Risk Management and Crises Management

  • Representing numerous clients (including corporations operating in the financial services and retail trade industries) to manage security breaches involving different Canadian jurisdictions, including investigating the breaches; acting as the contact for interested parties, the individuals concerned, the media, external technical consultants and privacy commissioners (including the Privacy Commissioner of Canada, the Alberta, British Columbia, and Ontario Privacy Commissioners and the Commission d'accès à l'information du Québec); advising regarding notification obligations; assisting in drafting letters of notification; and generally contributing to the response strategy.
  • Representing various clients in investigations carried out by privacy commissioners and regulators, including:
    • a leading Canadian credit score and analytics company
    • an American multi-national corporation traded on the New York Stock Exchange (NYSE)
    • a leader in international family entertainment and interactive media
    • a multi-national technology company
    • various financial institutions
  • Conducting privacy impact assessments and evaluating risks connected with the management of personal information, designing personal information protection programs adapted to the needs and risks faced by the client, and assisting in implementing those programs for various clients, including for:
    • an American multi-national corporation traded on the NASDAQ stock exchange, specializing in Internet-related products and services
    • a Canadian cable and broadcasting telecommunications company
    • a leading firm that develops, manufactures, markets and distributes a vast array of generic products for the retail pharmaceutical industry
    • a leading Canadian fintech company
  • Conducting privacy audits, including by studying personal information flows in companies and their subsidiaries ("data mapping"), conducting "gap analysis", focusing on practices connected with privacy policies and/or applicable privacy statutes, for various clients including:
    • one of the largest retailers in Canada;
    • a leading consumer products company
    • a leading company in the retail pharmaceutical industry
  • Providing training and education services and developing training and education programs dealing with compliance with privacy and cybersecurity laws for employees who manage customers' or employees' personal information, legal departments (including staff responsible for compliance), as well as sales, marketing, human resources and information technology teams, for clients including:
    • one of the largest financial institutions in Canada
    • one of the largest automobile manufacturers
    • one of the largest suppliers of outsourcing services
    • a Canadian leader in consumer products
  • Negotiating key business partner agreements for numerous clients in various industry sectors (including retailers, telecommunications service providers, financial institutions and Internet businesses) that address cyber risk management issues, including:
    • strategic partnership agreements
    • technology outsourcing agreements
    • cloud services agreements
    • data sharing agreements

Experience - Cyber Litigation and Class Actions

  • Representing a financial services regulator named as a defendant in a class action resulting from the loss of personal information contained on a portable computer. We successfully obtained a dismissal of the class action.
  • Representing a major automobile financing company named as a defendant in a class action resulting from the loss of a data tape that contained personal information. We successfully obtained a dismissal of the class action.
  • Representing Google as a defendant in a potential privacy class action (now at the pre-certification stage) on behalf of persons whose electronic data was allegedly transmitted over an unsecured wireless internet connection and whose personal information was allegedly intercepted.
  • Representing Bell Canada in a privacy class action on behalf of Internet subscribers regarding Bell's alleged practice of deliberately slowing down consumer services during peak hours in an attempt to favour business users and alleged use of "deep packet inspection" technology to access and collect the content of messages sent using Bell's service.
  • Representing the Investment Industry Regulatory Organization of Canada (IIROC) in a privacy class action regarding an incident involving the loss of an unencrypted laptop containing the financial information of more than 52,000 brokerage firm clients we successfully obtained a dismissal of the class action.
  • Representing numerous hospitals and healthcare institutions facing potential or actual claims relating to unauthorized use or disclosure of healthcare information, ranging from small individual breaches and large situations involving loss or theft of data storage devices.
  • Representing a leading New York-based broker-dealer prosecuting an action to obtain emergency injunctive relief against a computer network service provider that refused to provide administrative passwords necessary for access to essential functions such as email and the ability to print.
  • Obtaining civil search orders for US and Canadian satellite television broadcasters whose copyrighted television signals were being pirated, in order to seize computer servers and identify wrongdoers.
  • Obtaining equitable discovery orders for a client following the theft of its confidential information that appeared on a website in order to require the Internet service provider to disclose IP addresses of the wrongdoers.
  • Obtaining an extraordinary mandatory injunction to require an Internet hosting service provider to shut down servers being used to facilitate the global theft of copyrighted works via the internet.
  • Obtaining an extraordinary mandatory injunction to require a point-of-sale service provider to remove from a national retailer's point-of-sale system an unauthorized lock designed to disable the system if disputed fees were not paid.
  • Representing a healthcare institution in a privacy class action by hospital employees brought under the "intrusion upon seclusion" breach of privacy tort in a case that is expected to define the parameters of this new tort.
  • Representing a hospital in two proposed privacy class actions alleging that hospital employees improperly accessed new-mother contact details and sold that information to persons selling RESPs.
  • Representing a Canadian bank being sued for the criminal actions of a rogue employee alleged to have breached the privacy of bank customers by accessing electronically stored information.

Key Contacts

Stay Up to Date

Subscribe to receive our insights and perspectives on the latest legal developments that will affect you.
Register