Managing Your Risk, Protecting Your Assets
KEY CONTACTS: Bernice Karn and Marlon Hylton
As businesses increasingly rely on digitization in a world with virtual data infrastructure and cloud-based technology, they are at significant risk of cyber threats. With the cost of dealing with a cyberattack running into the millions of dollars — not to mention the reputational cost and threat of litigation — developing and maintaining a proactive, defensive cybersecurity plan should be top of mind for management teams and boards of directors.
When a data breach occurs, companies often do not respond effectively due to three key failures:
- Failure to prepare leadership. Coaching is required to ensure that key decision makers and operational leads understand what processes should be followed in the case of a breach to mitigate data loss and potential damage to the organization.
- Failure to build adequate internal policies. There is a misconception that data breaches nearly always occur from external sources. The reality is that many breaches happen from within, intentionally or otherwise. This often occurs when policies are not developed specifically to address this risk.
- Failure to engage appropriate external help. When a cyber incident occurs, it is usually too late to begin looking for external vendors and advisors. Part of the preparation process includes understanding the important role an external firm can play, and those relationships are best developed in advance to improve responsiveness and crisis preparedness.
Given that most firms have not been subject to a significant cyberattack (that they are aware of), they may not be aware of the scope of preparation that must take place to minimize security risk and manage a potential crisis.
How We Can Help
The Cassels Brock Cybersecurity Team offers businesses practical guidance with respect to:
- Legal risk assessment
- Advising boards and management teams on governance issues relating to cybersecurity
- Compliance and strategic risk mitigation advice
- Advising on cybersecurity and D&O insurance coverage
- Security incident preparedness, response, and disclosure counselling
- Due diligence and risk allocation advice for transactions of all types
- Engagement with public policy and regulatory processes
- Representation in the event of an investigation, enforcement action or litigation
As cybersecurity laws evolve, Cassels Brock will continue to be at the forefront, ensuring that our clients are responsive, compliant, and protected. Our team members work directly with national organizations and government agencies, directly advising on the potential impact of cybersecurity regulations and helping to guide developments taking place across the country.
A 360° Approach
We understand that each business is different and we work with you to develop a customized plan including:
- Operational risk assessment
- Process development and deployment
- Leadership training and consultation
- Developing appropriate employee policies
- Crisis preparedness testing
- Committed, responsive representation in the case of a major cyber incident
- Drafting of document retention and information governance policies
- Advice on electronic document conversions and electronic document management
- Assisting with supply chain management information security issues
- Drafting/negotiation of “Software as a Service” data security schedules
Our goal is to ensure that we work with businesses to implement a 360° approach to creating, managing and maintaining a secure cyber environment in the face of escalating threats and legal requirements, and a shift in the duty of care for businesses and directors.
Our Cybersecurity Team
Our team possesses a unique blend of skills spanning various practice areas to help businesses deal with cybersecurity issues including privacy, litigation, insurance, financial services, corporate governance and technology law. The depth and experience of our lawyers has allowed us to develop industry-leading capabilities in sectors such as manufacturing, insurance, healthcare, financial services, retail, communications and transportation.
Our recent experience helping clients prepare for – and develop strategies to respond to – cyberattacks includes:
- Acting for an international insurance company in Canadianizing its cyberliability policy and providing an analysis of Canadian privacy laws
- Acting for numerous financial institutions in Canada to negotiate outsourcing and SaaS agreements, incorporating data security, breach notification and cyberliability provisions in each
- Advising multiple US and international clients on Canadian privacy laws and on the differences between Canadian laws and US/EU requirements
- Acting for several Canadian, US and international clients in planning and co-ordinating responses to data breaches and in filing notifications with applicable regulatory authorities in Canada
- Designing privacy protection schedules for organizations to present to service providers handling personal information
- Successfully arguing a groundbreaking case before the Office of the Privacy Commissioner of Canada regarding the transfer of personal information outside of Canada and the distinction between transfer and disclosure of data
- Advising and representing one of Canada’s largest telecommunications companies respecting internet-related summonses and search warrants
- Advising a large university regarding liability issues for social media
- Prosecuting and defending cyberlibel cases and related class actions for corporations and individuals