While the Canadian government has said it intends to pass legislation dealing with cybersecurity (see Bill C-26 to enact the Critical Cyber Systems Protection Act), many companies have already taken significant steps to protect their IT infrastructure. However, the Internet of Things is too often overlooked in this process, even though many such devices are directly connected to the most important IT infrastructure of businesses. Industrial robots, devices that control production equipment in factories, and devices that help drivers make deliveries are just a few examples of vulnerable equipment. Operating systems and a range of applications are installed on these devices, and the basic operations of many businesses and the security of personal information depend on the security of the devices and their software. For example:

- An attack could target the manufacturing equipment control systems on the factory floor and result in an interruption of the company’s production, significant recovery costs and production delays.
- By targeting production equipment and industrial robots, an attacker could steal the blueprints and manufacturing parameters for various processes, which could jeopardize a company’s trade secrets.
- Barcode scanners used for package delivery could be infected and transmit information, including personal information, to hackers.

The non-profit Open Web Application Security Project (OWASP) has released a list of the top ten security risks for the Internet of Things.1 Leaders of companies that use this kind of equipment must be aware of these issues and take measures to manage these risks. We would like to comment on some of the risks that require appropriate policies and good company governance to mitigate them.

Weak or unchangeable passwords: Some devices are sold with common or weak initial passwords. It is important to ensure that passwords are changed as soon as devices are set up and to keep tight control over them.
Only designated IT personnel should know the passwords for configuring these devices. You should also avoid acquiring equipment that does not allow for password management (for example, a device with an unchangeable password).

Lack of updates: The Internet of Things often relies on computers with operating systems that are not updated during their lifetime. As a result, some devices are vulnerable because they use operating systems and software with known vulnerabilities. Good governance includes ensuring that such devices are updated and acquiring only devices that make it easy to perform regular updates.

Poor management of the fleet of connected devices: Some companies do not have a clear picture of the Internet of Things deployed in their company. It is crucial to have an inventory of these devices with their role in the company, the type of information they contain and the parameters that are essential to their security.

Lack of physical security: Wherever possible, access to these devices should be protected. Too often, devices are left unattended in places where they are accessible to the public. Clear guidelines should be provided to employees to ensure safe practices, especially for equipment that is used on the road.

A company’s board of directors plays a key role in cybersecurity. In fact, the failure of directors to monitor risks and to ensure that an adequate system of controls is in place can expose them to liability. Here are some elements of good governance that companies should consider practising:

- Review the composition of the board of directors and the skills matrix to ensure that the team has the required skills.
- Provide training to all board members to develop their cyber vigilance and equip them to fulfill their duties as directors.
- Assess cybersecurity risks, including those associated with connected devices, and establish ways to mitigate those risks.
- The Act to modernize legislative provisions respecting the protection of personal information sets out a number of obligations for the board of directors, including appointing a person in charge of the protection of personal information, having a management plan and maintaining a register of confidentiality incidents. For more information, you can read the following bulletin: Amendments to Privacy Laws: What Businesses Need to Know (lavery.ca)

Lastly, a company must at all times ensure that the supplier credentials, passwords and authorizations that make it possible for IT staff to respond are not in the hands of a single person or supplier. This would put the company in a vulnerable position if the relationship with that person or supplier were to deteriorate.

1. See OWASP top 10.
- Québec, 2010
Partner, trademark agent and head of Lavery’s Legal Lab on Artificial Intelligence (L3AI)
Eric Lavallée is a lawyer and trademark agent in the Business Law Group and he runs the Lavery Legal Lab on Artificial Intelligence (L3AI).
As a result of his extensive experience in intellectual property (patents, trade-marks and software protection) Mr. Lavallée took on a special interest in developments related to artificial intelligence over the past few years.
Mr. Lavallée is regularly called upon to assist businesses of all sizes, from start-ups to large corporations in drafting licensing agreements and business contracts in high technology as well as implementing protection and due diligence strategies for their intellectual property needs.
He has developed leading-edge expertise in the analysis of the legal impact of the application and implementation of artificial intelligence in sectors related to his practice of law, namely privacy protection, corporate governance and business law.
Expertise in nanotechnology
Eric Lavallée has a Master’s degree in Physics as well as a Doctorate in Electrical Engineering. Prior to joining Lavery in 2014, he was Vice-President, R&D, for a nanotechnology research and development firm. He has four inventions to his name relating to electron beam lithography for applications in microelectronics:
- Method of producing an etch-resistant polymer structure using electron beam lithography
- Plasma polymerized electron beam resist
- Fabrication of sub-micron silicide structures on silicon using resistless electron beam lithography
- Fabrication of sub-micron etch-resistant metal/semiconductor structures using resistless electron beam lithography
As a researcher, he also authored 15 scientific papers and presented his work at international conferences in the nanotechnology field held in the United States, Europe and Japan.
In 1997, he was awarded the Médaille du Mérite des Gouverneurs de la Faculté de génie de l'Université de Sherbrooke (University of Sherbrooke Faculty of Engineering Governors’ Achievement Medal). In 2009, he received the Prix du doyen de la Faculté de droit de l'Université de Sherbrooke (University of Sherbrooke Faculty of Law Dean’s Award) and the Prix du Barreau du Québec (Quebec Bar Award).
- LL.B., Université de Sherbrooke, 2009
- Ph.D. in electrical engineering, Université de Sherbrooke, 2000
- M.Sc. in physics, Université de Sherbrooke, 1996
- B.Sc. in physics, Université de Sherbrooke, 1994
Boards and Professional Affiliations
- College of Patent Agents and Trademark Agents (CPATA)
Ransomware has wreaked so much havoc in recent years that many people forget about other cybersecurity risks. For some, not storing personal information makes them feel immune to hackers and cyber incidents. For others, as long as their computers are working, they do not feel exposed to malware. Unfortunately, the reality is quite different.

A new trend is emerging: malware is being released to collect confidential information, including trade secrets, and then such information is being sold to third parties or released to the public.1 The Pegasus software used to spy on journalists and political opponents around the world has been widely discussed in the media, to the point that U.S. authorities decided to include it on their trade blacklist.2 However, the use of spyware is not limited to the political sphere.

Recently, a California court ordered a U.S. corporation, [24]7.ai, to pay $30 million to one of its competitors, LivePerson.3 This is because [24]7.ai installed competing technology on mutual client websites where LivePerson’s technology was already installed. LivePerson alleged in its lawsuit that [24]7.ai installed spyware that gathered confidential and proprietary information and data regarding LivePerson’s technology and client relationships. In addition, the software that [24]7.ai allegedly installed removed some features of LivePerson’s technology, including the “chat” button. In doing so, [24]7.ai interfered in the relationship between LivePerson and its clients. This legal saga is ongoing, as another trial is scheduled to take place regarding trade secrets related to a LivePerson client.4

This legal dispute illustrates that cybersecurity is not only about personal information, but also about trade secrets and even the proper functioning of business software. A number of precautions can be taken to reduce the risk of cybersecurity incidents. Robust internal policies at all levels of the business help maintain a safe framework for business operations.
Combined with employee awareness of the legal and business issues surrounding cybersecurity, these policies can be important additions to IT best practices. In addition, employee awareness facilitates the adoption of best practices, including systematic investigations of performance anomalies and the use of programming methods that protect trade secrets. Moreover, it may be advisable to ensure that contracts with clients provide IT suppliers with sufficient access to conduct the necessary monitoring for the security of both parties.

Ultimately, it is important to remember that the board of directors must exercise its duty with care, diligence and skill while looking out for the best interests of the business. Directors could be held personally liable if they fail to meet their obligation to ensure that adequate measures are implemented to prevent cyber incidents, or if they ignore the risks and are wilfully blind. Thus, board members must be vigilant and be trained in and aware of cybersecurity in order to integrate it into their risk management approach. In an era in which intellectual property has become a corporation’s most important asset, it goes without saying that it is essential to put in place not only the technological tools, but also the procedures and policies required to adequately protect it!

Contact Lavery for advice on the legal aspects of cybersecurity.

1. See Page, Carly, “This new Android spyware masquerades as legitimate apps,” TechCrunch, November 10, 2021. https://techcrunch.com/2021/11/10/android-spyware-legitimate-apps; Page, Carly, “FBI says ransomware groups are using private financial information to further extort victims,” TechCrunch, November 2, 2021. https://techcrunch.com/2021/11/02/fbi-ransomware-private-financial-extort.
2. Gardner, Frank, “NSO Group: Israeli spyware company added to US trade blacklist,” BBC News, November 3, 2021. https://www.bbc.com/news/technology-59149651.
3. Claburn, Thomas, “Spyware, trade-secret theft, and $30m in damages: How two online support partners spectacularly fell out,” The Register, June 18, 2021. https://www.theregister.com/2021/06/18/liveperson_wins_30m_trade_secret.
4. Brittain, Blake, “LivePerson wins $30 million from [24]7.ai in trade-secret verdict,” Reuters, June 17, 2021. https://www.reuters.com/legal/transactional/liveperson-wins-30-million-247ai-trade-secret-verdict-2021-06-17.
Do you have the right to copy source code written and developed by someone else? The answer to this question depends on the situation; however, even in the context of open innovation, intellectual property rights will be the starting point for any analysis required to obtain such an answer.

In the software industry, open-source licences allow anyone to access the source code of the corresponding software, free of charge and with few restrictions. The goal is generally to promote the improvement of this code by encouraging as many people as possible to use it. Linus Torvalds, the programmer of the Linux kernel (certainly one of the most well-known open-source projects), recently stated that without the open-source approach, his project would probably not have survived.1

However, this approach has legal consequences: Vizio was recently hit with a lawsuit alleging non-compliance with an open-source GPL licence used in the SmartCast OS software embedded in some of its televisions. It is being sued by Software Freedom Conservancy (“SFC”), an American non-profit promoting and defending open-source licences. As part of its lawsuit, SFC alleges, among other things, that Vizio was required to distribute the SmartCast OS source code under the above-mentioned open-source GPL licence, which Vizio failed to do, thereby depriving consumers of their rights.2

In Canadian law, section 3 of the Copyright Act3 gives the author the exclusive right to produce or reproduce all or any substantial part of an original work. This principle has been adopted by all signatories of the 1886 Berne Convention, i.e., almost every country in the world. A licence agreement, which may inter alia confer the right to reproduce the work of another person, can take different forms. It also establishes the extent of the rights conferred and the terms and conditions of any permitted use. However, not all open-source licences are equivalent.
Many allow creators to attach various conditions to the right to use the code that has been made available. Under these licences, anyone may use the work or software, but subject to the following constraints, depending on the type of licence in effect:

Obligation to display: An open-source licence may require disclosure of certain information in the software or in the source code itself, such as the following:
- The author’s name or pseudonym, or even maintaining the anonymity of the author, depending on their wishes, and/or a citation of the title of the work or software;
- The user licence of the redistributed open-source work or software;
- A modification note for each modified file; and
- A warranty disclaimer.

Contribution obligations: Some licences require the sharing of any modifications made to the open-source code, with said modifications being under the same licence conditions. In some cases, this obligation extends to any software that incorporates the open-source code. In other words, code derived from open-source material can itself become open-source. This obligation to contribute can generally be categorized as follows:
- Any redistribution must be done under the original licence, making the result open-source as well;
- Any redistribution of the code, modified or not, must be done under the original licence, but other code may be associated or added without being subject to the open-source licence; or
- Any redistribution is done without any sharing constraints.

Ban on commercialization: Some licences prohibit any use for commercial purposes.

Summary for some common licences:

Apache v2
- Level of obligation to contribute upon redistribution: Any redistribution of the software, modified or not, or with added components, must be done under the terms of the original licence.
- Mandatory elements to display: Licence of the redistributed open-source software; identification of any changes made to the code; copyright notice; warranty disclaimer.
- Commercial use permitted: Yes

BSD
- Level of obligation to contribute upon redistribution: Any redistribution of the software can be done without any obligation to share.
- Mandatory elements to display: Copyright notice; warranty disclaimer.
- Commercial use permitted: Yes

CC BY-NC 4.0
- Level of obligation to contribute upon redistribution: Any redistribution of the software can be done without any obligation to share.
- Mandatory elements to display: Licence of the redistributed open-source software; identification of any changes made to the code; copyright notice; warranty disclaimer.
- Commercial use permitted: No

CC0 1.0
- Level of obligation to contribute upon redistribution: Any redistribution of the software can be done without any obligation to share.
- Mandatory elements to display: Licence of the redistributed open-source software.
- Commercial use permitted: Yes

GPLv3
- Level of obligation to contribute upon redistribution: Any redistribution of the software, modified or not, or with added components, must be done under the terms of the original licence.
- Mandatory elements to display: Licence of the redistributed open-source software; identification of any changes made to the code; copyright notice; warranty disclaimer.
- Commercial use permitted: Yes, but sub-licensing is not allowed

LGPLv3
- Level of obligation to contribute upon redistribution: Any redistribution of the software, modified or not, must be done under the terms of the original licence. New components can be added, but not integrated, under other non-open-source licences.
- Mandatory elements to display: Licence of the redistributed open-source software; identification of any changes made to the code; copyright notice; warranty disclaimer.
- Commercial use permitted: Yes

MIT
- Level of obligation to contribute upon redistribution: Any redistribution of the software can be done without any obligation to share.
- Mandatory elements to display: Licence of the redistributed open-source software; copyright notice; warranty disclaimer.
- Commercial use permitted: Yes

It is important to make programming teams aware of the issues that can arise when using modules governed by what are known as “viral licences” (such as the CC BY-NC 4.0 licence) in the design of commercial software. Such software could lose significant value if such modules are incorporated, making it difficult or even impossible to commercialize said software.

In the context of open innovation where developers want to share their code, in particular to encourage collaboration, it is important to understand the scope of these different licences. The choice of the appropriate licence must be made based on the project’s objectives. Also, keep in mind that it is not always possible to change the licence used for the distribution of the code once said distribution has commenced. That means the choice of licence can have long-term consequences for any project.

1. David Cassel, “Linus Torvalds on Community, Rust and Linux's Longevity,” The New Stack, Oct. 1, 2021, online: https://thenewstack.io.
2. See the SFC press release: https://sfconservancy.org/copyleft-compliance/vizio.html.
3. RSC 1985, c. C-42.
For the time being, there are no specific laws governing the use of artificial intelligence in Canada. Certainly, the laws on the use of personal information and those that prohibit discrimination still apply, whether the technologies involved are so-called artificial intelligence technologies or conventional ones. However, the application of such laws to artificial intelligence raises a number of questions, especially when dealing with “artificial neural networks,” because the opacity of the algorithms behind these makes it difficult for those affected to understand the decision-making mechanisms at work. Such artificial neural networks are different in that they provide only limited explanations as to their internal operation.

On November 12, 2020, the Office of the Privacy Commissioner of Canada (OPC) published its recommendations for a regulatory framework for artificial intelligence.1 Pointing out that the use of artificial intelligence requiring personal information can have serious privacy implications, the OPC has made several recommendations, which involve the creation of the following, in particular:
- A requirement for those who develop such systems to ensure that privacy is protected in the design of artificial intelligence systems;
- A right for individuals to obtain an explanation, in understandable terms, to help them understand decisions made about them by an artificial intelligence system, which would also involve the assurance that such explanations are based on accurate information and are not discriminatory or biased;
- A right to contest decisions resulting from automated decision making;
- A right for the regulator to require evidence of the above.

It should be noted that these recommendations include the possibility of imposing financial penalties on companies that would fail to abide by this regulatory framework.
Moreover, contrary to the approach adopted in the General Data Protection Regulation and the Government of Quebec’s Bill 64, the rights to explanation and contestation would not be limited solely to automated decisions, but would also cover cases where an artificial intelligence system assists a human decision-maker.

It is likely that these proposals will eventually provide a framework for the operation of artificial intelligence systems already under development. It would thus be prudent for designers to take these recommendations into account and incorporate them into their artificial intelligence system development parameters as of now.

Should these recommendations be adopted, it will also become necessary to consider how to explain the mechanisms behind the systems making or suggesting decisions based on artificial intelligence. As mentioned in these recommendations, “while trade secrets may require organizations to be careful with the explanations they provide, some form of meaningful explanation should always be possible without compromising intellectual property.”2 For this reason, it may be crucial to involve lawyers specializing in these matters from the start when designing solutions that use artificial intelligence and personal information.

1. https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/completed-consultations/consultation-ai/reg-fw_202011/
2. Ibid.
On March 29, 2022, ImmunoPrecise Antibodies Ltd (IPA) announced that it acquired BioStrand BV, BioKey BV, and BioClue BV (together, “BioStrand”), a group of Belgian entities that are pioneers in the field of bioinformatics and biotechnology. With this €20 million acquisition, IPA will be able to leverage BioStrand’s revolutionary AI-powered methodology to accelerate the development of therapeutic antibody solutions. In addition to creating synergies with its subsidiaries, IPA expects to develop new markets with this revolutionary technology and strengthen its position as a world leader in biotherapeutics.

Lavery was privileged to support IPA in this cross-border transaction by providing specialized expertise in cybersecurity, intellectual property, securities and mergers and acquisitions. The Lavery team was led by Selena Lu (transactional) and included Eric Lavallée (technology and intellectual property), Serge Shahinian (intellectual property), Sébastien Vézina (securities), Catherine Méthot (transactional), Jean-Paul Timothée (securities and transactional), Siddhartha Borissov-Beausoleil (transactional), Mylène Vallières (securities) and Marie-Claude Côté (securities).

ImmunoPrecise Antibodies Ltd. is a biotherapeutic, innovation-powered company that supports its business partners in their quest to discover and develop novel antibodies against a broad range of target classes and diseases.