While the Canadian government has said it intends to pass legislation dealing with cybersecurity (see Bill C-26 to enact the Critical Cyber Systems Protection Act), many companies have already taken significant steps to protect their IT infrastructure. However, the Internet of Things is too often overlooked in this process. This is in spite of the fact that many devices are directly connected to the most important IT infrastructure for businesses. Industrial robots, devices that control production equipment in factories, and devices that help drivers make deliveries are just a few examples of vulnerable equipment. Operating systems and a range of applications are installed on these devices, and the basic operations of many businesses and the security of personal information depend on the security of the devices and their software. For example: An attack could target the manufacturing equipment control systems on the factory floor and result in an interruption of the company’s production and significant recovery costs and production delays. By targeting production equipment and industrial robots, an attacker could steal the blueprints and manufacturing parameters for various processes, which could jeopardize a company’s trade secrets. Barcode scanners used for package delivery could be infected and transmit information to hackers, including personal information. The non-profit Open Web Application Security Project (OWASP) has released a list of the top ten security risks for the Internet of Things.1 Leaders of companies that use this kind of equipment must be aware of these issues and take measures to manage these risks. We would like to comment on some of the risks which require appropriate policies and good company governance to mitigate them. Weak or unchangeable passwords: Some devices are sold with common or weak initial passwords. It is important to ensure that passwords are changed as soon as devices are set up and to keep tight control over them. Only designated IT personnel should know the passwords for configuring these devices. You should also avoid acquiring equipment that does not allow for password management (for example, a device with an unchangeable password). Lack of updates: The Internet of Things often relies on computers with operating systems that are not updated during their lifetime. As a result, some devices are vulnerable because they use operating systems and software with known vulnerabilities. Good governance includes ensuring that such devices are updated and acquiring only devices that make it easy to perform regular updates. Poor management of the fleet of connected devices: Some companies do not have a clear picture of the Internet of Things deployed in their company. It is crucial to have an inventory of these devices with their role in the company, the type of information they contain and the parameters that are essential to their security. Lack of physical security: Wherever possible, access to these devices should be protected. Too often, devices are left unattended in places where they are accessible to the public. Clear guidelines should be provided to employees to ensure safe practices, especially for equipment that is used on the road. A company’s board of directors plays a key role in cybersecurity. In fact, the failure of directors to monitor risks and to ensure that an adequate system of controls is in place can expose them to liability. Here are some elements of good governance that companies should consider practising: Review the composition of the board of directors and the skills matrix to ensure that the team has the required skills. Provide training to all board members to develop their cyber vigilance and equip them to fulfill their duties as directors. Assess cybersecurity risks, including those associated with connected devices, and establish ways to mitigate those risks. The Act to modernize legislative provisions respecting the protection of personal information sets out a number of obligations for the board of directors, including appointing a person in charge of the protection of personal information, having a management plan and maintaining a register of confidentiality incidents. For more information, you can read the following bulletin: Amendments to Privacy Laws: What Businesses Need to Know (lavery.ca) Lastly, a company must at all times ensure that the supplier credentials, passwords and authorizations that make it possible for IT staff to respond are not in the hands of a single person or supplier. This would put the company in a vulnerable position if the relationship with that person or supplier were to deteriorate. See OWASP top 10
Selena Lu Partner, Lawyer
- Québec, 2010
Selena Lu is a partner in the Business Law group and focuses her practice on mergers and acquisitions.
She frequently advises clients abroad on commercial law matters relating to investment and expansion in Canada. Selena has strong business acumen and offers practical and innovative solutions to her clients, who are mainly entrepreneurs and owner-operators.
Over the years, Selena has developed an interest and acquired significant experience in supporting customers in their technological change. On a day-to-day basis, she advises clients on the legal impacts of the introduction of new technologies, especially in artificial intelligence. Moreover, she oversees the development of the structure and negotiation of mergers and acquisitions along with complex business relationships for developing, marketing and acquiring technologies.
Selena also has extensive experience in corporate governance. Administratrice de sociétés certifiés (ASC), she served on several boards of directors, including those of the Caisse Desjardins De Lorimier-Villeray, the Montreal Chinese Garden Society, the Fashion & Design Festival and the Chamber of Commerce of Metropolitan Montreal. She is currently a member of the Board of Directors of the Musée national des beaux-arts du Québec, the Société du parc Jean-Drapeau and the Collège des administrateurs de sociétés.
Since the beginning of her career, Selena has held several leadership roles. In 2014, she was elected President of the Young Chinese Professionals Association (YCPA). In 2017, Selena chaired the organizing committee of the Montreal Chinese Hospital Foundation Ball. In 2018, she was named 81st President of the Junior Chamber of Commerce of Montreal (JCCM). In 2019, she was invited to Montréal City Hall to sign the Golden Book in recognition of her volunteer contribution to the Chinese community in Montréal.
Recognized as one of Entreprendre magazine’s Top 100 Women Leaders, Selena is regularly invited as a speaker on governance, diversity and inclusion, and leadership.
- Recipient of the medal of honour from the Quebec National Assembly, 2023
- The Canadian Legal LEXPERT® Directory in the field of Corporate Mid-Market, 2023
- Recipient of the “Rising Stars Leading Lawyers Under 40” award by Lexpert, 2022
- Recipient of the « Connecteure de l’année » award of the Gala de la communauté startup 2021
- Recipient of the Lys de la Diversité Award for social and community involvement
- Named “Diversity Personality of the Year” in Média Mosaïque’s Diversity Top 20 of 2019.
- Finalist in the “Women’s Leadership” and “Junior Chamber of Commerce of the Year” categories as part of the 2016 Grands Prix de la relève d'affaires of the Regroupement des jeunes chambres de commerce du Québec
- Recipient of the “Activity of the Year” award for the Orchid Ball as part of the 2016 Grands Prix de la relève d'affaires of the Regroupement des jeunes chambres de commerce du Québec
- Appointed in 2015 as an “Eminent Young Overseas Chinese” by the Chinese Consulate in Montréal and selected to participate in a trade mission to Beijing, Hangzhou and Shanghai
- Administratrice de sociétés certifié (ASC), Collège des administrateurs de sociétés
- “Next-Generation Directors”, Université Laval’s Continuing Education General Directorate and the Collège des administrateurs de sociétés, 2014
- LL.B., Université de Montréal, 2009
- B.Comm., McGill University, 2005
Boards and Professional Affiliations
- Member of the Board of Directors of the Société du Parc Jean-Drapeau (2020 - to date)
- Member of the Board of Directors of the Collège des administrateurs de sociétés (2017 - to date)
- Member of the Board of Directors of the Musée national des beaux-arts du Québec (2017 - to date)
- President of the Junior Chamber of Commerce of Montreal (2018-2019)
- Member of the Community Advisory Committee of Aéroports de Montréal (2018–2019)
- Member of the Board of Directors of the Chamber of Commerce of Metropolitan Montreal (CCMM) (2018–2019)
- Member of the Board of Directors of the Fashion & Design Festival (2017–2018)
- Chair of the organizing committee of the Montreal Chinese Hospital Foundation Ball (2017)
- Member of the jury of the JiuDing Club Scholarship (2016–2017)
- President of the Association of Young Chinese Professionals (YCPA) (2015–2016)
- Member of the Board of Directors of Caisse Desjardins De Lorimier-Villeray (2014–2016)
- Member of the Board of Directors of the Montreal Chinese Garden Society (2014–2016)
- Member of the Honour Circle and angel investor of the OSM Young Ambassadors Club (2012–2014)
Ransomware has wreaked so much havoc in recent years that many people forget about other cybersecurity risks. For some, not storing personal information makes them feeling immune to hackers and cyber incidents. For others, as long as their computers are working, they do not feel exposed to no malware. Unfortunately, the reality is quite different. A new trend is emerging: malware is being released to collect confidential information, including trade secrets, and then such information is being sold to third parties or released to the public.1 The Pegasus software used to spy on journalists and political opponents around the world has been widely discussed in the media, to the point that U.S. authorities decided to include it on their trade blacklist.2 However, the use of spyware is not limited to the political sphere. Recently, a California court ordered a U.S. corporation, 24.ai, to pay $30 million to one of its competitors, Liveperson.3 This is because 24.ai installed competing technology on mutual client websites where LivePerson’s technology already is installed. Liveperson alleged in its lawsuit that 24.ai installed spyware that gathered confidential and proprietary information and data regarding Liveperson’s technology and client relationships. In addition, the software which 24.ai allegedly installed removed some features of Liveperson’s technology, including the “chat” button. In doing so, 24.ai interfered in the relationship between Liveperson and its clients. This legal saga is ongoing, as another trial is scheduled to take place regarding trade secrets related to a Liveperson client.4 This legal dispute illustrates that cybersecurity is not only about personal information, but also about trade secrets and even the proper functioning of business software. A number of precautions can be taken to reduce the risk of cybersecurity incidents. Robust internal policies at all levels of the business help maintain a safe framework for business operations. Combined with employee awareness of the legal and business issues surrounding cybersecurity, these policies can be important additions to IT best practices. In addition, employee awareness facilitates the adoption of best practices, including systematic investigations of performance anomalies and the use of programming methods that protect trade secrets. Moreover, it may be advisable to ensure that contracts with clients provide IT suppliers with sufficient access to conduct the necessary monitoring for the security of both parties. Ultimately, it is important to remember that the board of directors must exercise its duty with care, diligence and skill while looking out for the best interests of the business. Directors could be held personally liable if they fail to meet their obligation to ensure that adequate measures are implemented to prevent cyber incidents or if they ignore the risks and are wilfully blind. Thus, board members must be vigilant, be trained in and aware of cybersecurity in order to integrate it into their risk management approach. In an era in which intellectual property has become a corporation’s most important asset, it goes without saying that it is essential to put in place not only the technological tools, but also the procedures and policies required to adequately protect it! Contact Lavery for advice on the legal aspects of cybersecurity. See Page, Carly, “This new Android spyware masquerades as legitimate apps,” Techcrunch, November 10, 2021. https://techcrunch.com/2021/11/10/android-spyware-legitimate-apps; Page, Carly, “FBI says ransomware groups are using private financial information to further extort victims,” Techcrunch, November 2, 2021. https://techcrunch.com/2021/11/02/fbi-ransomware-private-financial-extort. Gardner, Frank, “NSO Group: Israeli spyware company added to US trade blacklist,” BBC News, November 3, 2021. https://www.bbc.com/news/technology-59149651. Claburn, Thomas, “Spyware, trade-secret theft, and $30m in damages: How two online support partners spectacularly fell out,” The Register,June 18, 2021. https://www.theregister.com/2021/06/18/liveperson_wins_30m_trade_secret. Brittain, Blake, “LivePerson wins $30 million from 7.ai in trade-secret verdict,”Reuters, June 17, 2021. https://www.reuters.com/legal/transactional/liveperson-wins-30-million-247ai-trade-secret-verdict-2021-06-17.
On June 26, 2023, Lexpert recognized the expertise of three of our partners in its 2023 Lexpert Special Edition: Technology and Health. Chantal Desjardins, Selena Lu and André Vautour now rank among Canada’s leaders in the area of Technology and Health. Chantal Desjardins is a partner, lawyer and trade-mark agent in Lavery’s intellectual property group. She contributes actively to the development of her clients’ rights in this field, which includes the protection of trade-marks, industrial designs, copyright, trade secrets, domain names and other related forms of intellectual property, in order to promote her clients’ business goals. Selena Lu is a partner in the Business Law group and focuses her practice on mergers and acquisitions. She frequently advises clients abroad on commercial law matters relating to investment and expansion in Canada. Over the years, Selena has developed an interest and acquired significant experience in supporting customers in their technological change. On a day-to-day basis, she advises clients on the legal impacts of the introduction of new technologies. Moreover, she oversees the development of the structure and negotiation of mergers and acquisitions along with complex business relationships for developing, marketing and acquiring technologies. André Vautour practices in the fields of corporate and commercial law and is particularly interested in corporate governance, strategic alliances, joint ventures, investment funds and mergers and acquisitions of private corporations. He practises in the field of technology law (drafting technology development and transfer agreements, licensing agreements, distribution agreements, outsourcing agreements, and e-commerce agreements).
On April 19, 2023, Lexpert recognized the expertise of four of our partners in its 2023 Lexpert Special Edition: Finance and M&A. Etienne Brassard, Jean-Sébastien Desroches, Édith Jacques and Selena Lu now rank among Canada's leaders in the financial sector and in M&A. Etienne Brassard practices business law, more specifically corporate financing, mergers and acquisitions and corporate law. In his practice, he advises local and international businesses in relation to all forms of private financing, from traditional or convertible debt to equity investments. He has thus developed extensive expertise in setting up complex financing structures, in both operational and transactional contexts. Jean-Sébastien Desroches practices business law and focuses primarily on mergers and acquisitions, infrastructure, renewable energy and project development as well as strategic partnerships. He has had the opportunity to steer several major transactions, complex legal operations, cross-border transactions, reorganizations, and investments. Édith Jacques is a partner in Montréal's Business law group. She specializes in mergers and acquisitions, commercial law, as well as international law and acts as business and strategic consultant to mid- and large-size companies. Selena Lu is a partner in the Business Law group and focuses her practice on mergers and acquisitions. She frequently advises clients abroad on commercial law matters relating to investment and expansion in Canada. Selena has strong business acumen and offers practical and innovative solutions to her clients, who are mainly entrepreneurs and owner-operators.
Lavery is proud to announce that 33 partners are ranked among the leading practitioners in Canada in their respective practice areas in the 2023 edition of The Canadian Legal Lexpert Directory. The following Lavery partners are listed in the 2023 edition of The Canadian Legal Lexpert Directory: Class Actions Laurence Bich-Carrière Myriam Brixi Construction Law Nicolas Gagnon Corporate Commercial Law Étienne Brassard Jean-Sébastien Desroches Christian Dumoulin Édith Jacques Corporate Finance & Securities Josianne Beaudry René Branchaud Corporate Mid-Market Luc R. Borduas Étienne Brassard Jean-Sébastien Desroches Christian Dumoulin Édith Jacques Selena Lu André Vautour Employment Law Richard Gaudreault Marie-Josée Hétu Guy Lavoie Zeïneb Mellouli Infrastructure Law Nicolas Gagnon Insolvency & Financial Restructuring Jean Legault Ouassim Tadlaoui Yanick Vlasak Jonathan Warin Intellectual Property Chantal Desjardins Alain Y. Dussault Isabelle Jomphe Labour Relations Benoit Brouillette Simon Gagné Richard Gaudreault Marie-Josée Hétu Marie-Hélène Jolicoeur Guy Lavoie Litigation - Commercial Insurance Marie-Claude Cantin Bernard Larocque Martin Pichette Laurence Bich-Carrière Mergers & Acquisitions Josianne Beaudry Mining Josianne Beaudry René Branchaud Sébastien Vézina Occupational Health & Safety Josiane L'Heureux Property Leasing Richard Burgos Workers' Compensation Marie-Josée Hétu Guy Lavoie Carl Lessard