While the Canadian government has said it intends to pass legislation dealing with cybersecurity (see Bill C-26 to enact the Critical Cyber Systems Protection Act), many companies have already taken significant steps to protect their IT infrastructure. However, the Internet of Things is too often overlooked in this process. This is in spite of the fact that many devices are directly connected to the most important IT infrastructure for businesses. Industrial robots, devices that control production equipment in factories, and devices that help drivers make deliveries are just a few examples of vulnerable equipment.

Operating systems and a range of applications are installed on these devices, and the basic operations of many businesses and the security of personal information depend on the security of the devices and their software. For example:

- An attack could target the manufacturing equipment control systems on the factory floor and result in an interruption of the company’s production and significant recovery costs and production delays.
- By targeting production equipment and industrial robots, an attacker could steal the blueprints and manufacturing parameters for various processes, which could jeopardize a company’s trade secrets.
- Barcode scanners used for package delivery could be infected and transmit information to hackers, including personal information.

The non-profit Open Web Application Security Project (OWASP) has released a list of the top ten security risks for the Internet of Things.[1] Leaders of companies that use this kind of equipment must be aware of these issues and take measures to manage these risks.

We would like to comment on some of the risks which require appropriate policies and good company governance to mitigate them.

- Weak or unchangeable passwords: Some devices are sold with common or weak initial passwords. It is important to ensure that passwords are changed as soon as devices are set up and to keep tight control over them. Only designated IT personnel should know the passwords for configuring these devices. You should also avoid acquiring equipment that does not allow for password management (for example, a device with an unchangeable password).
- Lack of updates: The Internet of Things often relies on computers with operating systems that are not updated during their lifetime. As a result, some devices are vulnerable because they use operating systems and software with known vulnerabilities. Good governance includes ensuring that such devices are updated and acquiring only devices that make it easy to perform regular updates.
- Poor management of the fleet of connected devices: Some companies do not have a clear picture of the Internet of Things deployed in their company. It is crucial to have an inventory of these devices with their role in the company, the type of information they contain and the parameters that are essential to their security.
- Lack of physical security: Wherever possible, access to these devices should be protected. Too often, devices are left unattended in places where they are accessible to the public. Clear guidelines should be provided to employees to ensure safe practices, especially for equipment that is used on the road.

A company’s board of directors plays a key role in cybersecurity. In fact, the failure of directors to monitor risks and to ensure that an adequate system of controls is in place can expose them to liability. Here are some elements of good governance that companies should consider practising:

- Review the composition of the board of directors and the skills matrix to ensure that the team has the required skills.
- Provide training to all board members to develop their cyber vigilance and equip them to fulfill their duties as directors.
- Assess cybersecurity risks, including those associated with connected devices, and establish ways to mitigate those risks.

The Act to modernize legislative provisions respecting the protection of personal information sets out a number of obligations for the board of directors, including appointing a person in charge of the protection of personal information, having a management plan and maintaining a register of confidentiality incidents. For more information, you can read the following bulletin: Amendments to Privacy Laws: What Businesses Need to Know (lavery.ca)

Lastly, a company must at all times ensure that the supplier credentials, passwords and authorizations that make it possible for IT staff to respond are not in the hands of a single person or supplier. This would put the company in a vulnerable position if the relationship with that person or supplier were to deteriorate.

[1] See OWASP top 10
The manufacturing, distribution, and retail industries are composed of many different companies of various sizes. These companies are subject to numerous pressures and must innovate and adapt to meet the changing needs of their customers and rapidly evolving business environments. Whatever their size or the specific nature of their activities, an understanding of their legal environment is essential to achieving their objectives.
As a manufacturing enterprise, you are dealing with specific challenges that require an in-depth understanding of the environment in which you operate. Let’s take a shot at answering 6 of your everyday questions.
What precautions should be taken to protect your intellectual property (IP)?
- Set up confidentiality agreements early.
- Avoid or provide a framework for joint ownership of IP.
- Obtain all IP rights from your business partners.
- Think of investing in protecting your IP!
Mergers and Acquisitions
Why and how do you conduct a due diligence review when acquiring or selling a business?
Makes it possible for the parties to negotiate and draft a purchase agreement containing the seller’s appropriate disclosures and outlining an adequate risk-sharing arrangement.
- Obtain an accurate portrait of the target company.
- Measure the possible synergies between the companies.
- Assess the risks of the transaction.
- Identify the list of corrections to be made prior to closing.
- Prepare a purchase offer that accurately reflects the situation or pull out of the negotiations.
- Establish an integration plan following the closing of the transaction.
How do you successfully integrate AI into your organization?
Prepare yourself going forward by answering the following questions:
- What competencies are needed to implement AI? Do you have the required resources internally?
- Which of the company’s values must be maintained throughout this change?
- Which tasks will be replaced or transformed by AI? Could these changes result in labour disputes?
- What will the reactions to the changes be and how will the advent of this technology be communicated internally and externally?
Are you hiring foreign workers? Here are a few things to think about.
Ensure that the individual holds a valid work permit and that the job complies with the conditions set out in the permit.
- Put the working conditions being offered in writing.
- Stipulate in the contract:
- Who is responsible for covering transport and moving fees?
- Who is responsible for finding accommodations?
- A method for reimbursing your investment in incidental expenses in the event of the employee’s premature departure.
Notify the appropriate authorities if you alter the employment conditions of a foreign worker so that you are not out of compliance.
Why should you use a family trust as a tax planning tool?
Multiply the capital gains deduction
An individual holding shares of a company for more than 24 months can usually benefit from a capital gains exemption of about $850,000, once in his lifetime. Setting up a family trust makes it possible to multiply the capital gains exemption by the number of beneficiaries of the trust.
Minimize the tax payable at death
Upon the death of an owner-manager who has himself set up a family trust holding all of the shares of the company, there will not, usually, be any taxes levied in the event of the accidental death of the owner, since the trust is not subject to the deemed disposition rules that apply to all property at the time of death.
What are the best practices regarding internationalization?
- Study the target market and all available resources to guide you through the process.
- Cultivate a network of contacts and partners and conduct prompt follow-ups so as not to miss out on any opportunities.
- Define the risks as well as other social, legal and economic considerations.
- Surround yourself with qualified individuals to 1. negotiate the contracts and ensure legal and regulatory compliance and 2. oversee the export logistics.
On June 20, 2022, the federal government registered regulations that, as the name implies, prohibit (or restrict, in some cases) the manufacture, import and sale of certain single-use plastics that pose a threat to the environment. The Regulations will come into force on December 20, 2022, with the exception of certain provisions taking effect in the following months.[1]

Manufacturing, importing and selling certain single-use plastic products made entirely or partially of plastic, such as foodservice ware, checkout bags and straws, will soon be prohibited. This regulation is expected to affect more than 250,000 Canadian businesses that sell or provide single-use plastic products, primarily in the retail, food service, hospitality and healthcare industries.

The following is a comprehensive list of items that will be prohibited:

- Single-use plastic ring carriers designed to hold and carry beverage containers together[2];
- Single-use plastic stir sticks designed to stir or mix beverages or to prevent liquid from spilling from the lid of its container[3];
- Single-use plastic foodservice ware (a) designed in the form of a clamshell container, lidded container, box, cup, plate or bowl, (b) designed to serve or transport ready-to-eat food or beverages without further preparation, and (c) made from certain materials[4];
- Single-use plastic checkout bags designed to carry purchased goods from a business and (a) whose plastic is not a fabric, or (b) whose plastic is a fabric that will break or tear, as the case may be, (i) if it is used to carry 10 kg over a distance of 53 m 100 times; (ii) if it is washed in accordance with the washing procedures specified for a single domestic wash in the International Organization for Standardization standard ISO 6330, as amended from time to time[5];
- Single-use plastic cutlery that is formed in the shape of a fork, knife, spoon, spork or chopstick that either (a) contains polystyrene or polyethylene, or (b) changes its physical properties after being run through an electrically operated household dishwasher 100 times[6];
- Single-use plastic straws that either (a) contain polystyrene or polyethylene, or (b) change their physical properties after being run through an electrically operated household dishwasher 100 times[7].

The main exceptions

Single-use flexible plastic straws

Single-use flexible plastic straws, i.e. those with a corrugated section that allows the straw to bend and maintain its position at various angles,[8] may be manufactured and imported[9]. These flexible straws may also be sold in any of the following circumstances:

- The sale does not take place in a commercial, industrial, or institutional setting[10]. This exception means that individuals can sell these flexible straws.
- The sale is between businesses in packages of at least 20 straws.[11]
- The sale is made by a retail store of a package of 20 or more straws to a customer who requests it without the package being displayed in a manner that permits the customer to view the package without the help of a store employee[12];
- The sale of straws is between a retail store and a customer, if the straw is packaged together with a beverage container and the packaging was done at a location other than the retail store[13];
- The sale is between a care facility, such as a hospital or long-term care facility, and its patients or residents[14].

The export of single-use plastic items

All the manufactured single-use plastic items listed above may be manufactured, imported or sold for export[15]. That said, any person who manufactures or imports such items for export will be required to keep a record of certain information and documents as appropriate for each type of plastic manufactured item[16]. Records of the information and documents will have to be kept for at least five years in Canada[17].

Conclusion: an opportunity to rethink common practices

In the short term, businesses will need to start thinking about how they will replace the plastic manufactured items they use. To help businesses select alternatives to single-use plastic items, the federal government has released its Guidance for selecting alternatives to the single-use plastics in the proposed Single-Use Plastics Prohibition Regulations.[18]

According to this document, the aim should be to reduce plastics. Businesses may begin by considering whether a single-use plastic should be replaced or no longer provided. Only products that perform essential functions should be replaced with non-plastic equivalents. Stir sticks and straws can be eliminated most of the time.

Another way to reduce waste is to opt for reusable products and packaging. Businesses are invited to rethink their products and services to provide reusable options. Reusable container programs (i.e. offering customers the option of using their own reusable containers) are a reuse option that businesses may want to consider, in particular to reduce the amount of plastic food containers.

Only where reusable products are not feasible should businesses substitute a single-use plastic product with a recyclable single-use alternative. Businesses in this situation are encouraged to contact local recycling facilities to ensure that they can successfully recycle products at their end of life.

Ultimately, charging consumers for certain single-use substitutes (e.g. single-use wooden or moulded fibre cutlery) may also discourage their use.

[1] Ibid, s. 1.
[2] Ibid, s. 3.
[3] Ibid, s. 6.
[4] Polystyrene foam, polyvinyl chloride, plastic containing black pigment produced through the partial or incomplete combustion of hydrocarbons or oxo-degradable plastic; Ibid.
[5] This standard is entitled Textiles – Domestic washing and drying procedures for textile testing; Ibid.
[6] Ibid.
[7] Ibid, ss. 4 and 5.
[8] Ibid, s. 1.
[9] Ibid, s. 4.
[10] Ibid, para. 5(2).
[11] Ibid, para. 5(3).
[12] Ibid, para. 5(4); According to Guidance for selecting alternatives to the single-use plastics in the proposed Single-Use Plastics Prohibition Regulations, the goal is to ensure that people with disabilities who need flexible single-use plastic straws continue to have access to them at home and can carry them to restaurants and other premises.
[13] Ibid, para. 5(5).
[14] Ibid, para. 5(6).
[15] Ibid, para. 2(2).
[16] Ibid, s. 8.
[17] Ibid, para. 9(1).
[18] https://www.canada.ca/en/environment-climate-change/services/managing-reducing-waste/consultations/proposed-single-use-plastics-prohibition-regulations-consultation-document.html
Ransomware has wreaked so much havoc in recent years that many people forget about other cybersecurity risks. For some, not storing personal information makes them feel immune to hackers and cyber incidents. For others, as long as their computers are working, they do not feel exposed to malware. Unfortunately, the reality is quite different.

A new trend is emerging: malware is being released to collect confidential information, including trade secrets, and then such information is being sold to third parties or released to the public.[1]

The Pegasus software used to spy on journalists and political opponents around the world has been widely discussed in the media, to the point that U.S. authorities decided to include it on their trade blacklist.[2] However, the use of spyware is not limited to the political sphere.

Recently, a California court ordered a U.S. corporation, [24]7.ai, to pay $30 million to one of its competitors, LivePerson.[3] This is because [24]7.ai installed competing technology on mutual client websites where LivePerson’s technology is already installed. LivePerson alleged in its lawsuit that [24]7.ai installed spyware that gathered confidential and proprietary information and data regarding LivePerson’s technology and client relationships. In addition, the software which [24]7.ai allegedly installed removed some features of LivePerson’s technology, including the “chat” button. In doing so, [24]7.ai interfered in the relationship between LivePerson and its clients. This legal saga is ongoing, as another trial is scheduled to take place regarding trade secrets related to a LivePerson client.[4]

This legal dispute illustrates that cybersecurity is not only about personal information, but also about trade secrets and even the proper functioning of business software.

A number of precautions can be taken to reduce the risk of cybersecurity incidents. Robust internal policies at all levels of the business help maintain a safe framework for business operations. Combined with employee awareness of the legal and business issues surrounding cybersecurity, these policies can be important additions to IT best practices. In addition, employee awareness facilitates the adoption of best practices, including systematic investigations of performance anomalies and the use of programming methods that protect trade secrets. Moreover, it may be advisable to ensure that contracts with clients provide IT suppliers with sufficient access to conduct the necessary monitoring for the security of both parties.

Ultimately, it is important to remember that the board of directors must exercise its duty with care, diligence and skill while looking out for the best interests of the business. Directors could be held personally liable if they fail to meet their obligation to ensure that adequate measures are implemented to prevent cyber incidents or if they ignore the risks and are wilfully blind. Thus, board members must be vigilant, and be trained in and aware of cybersecurity, in order to integrate it into their risk management approach.

In an era in which intellectual property has become a corporation’s most important asset, it goes without saying that it is essential to put in place not only the technological tools, but also the procedures and policies required to adequately protect it!

Contact Lavery for advice on the legal aspects of cybersecurity.

[1] See Page, Carly, “This new Android spyware masquerades as legitimate apps,” Techcrunch, November 10, 2021. https://techcrunch.com/2021/11/10/android-spyware-legitimate-apps; Page, Carly, “FBI says ransomware groups are using private financial information to further extort victims,” Techcrunch, November 2, 2021. https://techcrunch.com/2021/11/02/fbi-ransomware-private-financial-extort.
[2] Gardner, Frank, “NSO Group: Israeli spyware company added to US trade blacklist,” BBC News, November 3, 2021. https://www.bbc.com/news/technology-59149651.
[3] Claburn, Thomas, “Spyware, trade-secret theft, and $30m in damages: How two online support partners spectacularly fell out,” The Register, June 18, 2021. https://www.theregister.com/2021/06/18/liveperson_wins_30m_trade_secret.
[4] Brittain, Blake, “LivePerson wins $30 million from [24]7.ai in trade-secret verdict,” Reuters, June 17, 2021. https://www.reuters.com/legal/transactional/liveperson-wins-30-million-247ai-trade-secret-verdict-2021-06-17.