Cybersecurity

Overview

Our expertise

Our service offer covers all aspects of cybersecurity, including identifying risks, understanding the issues at stake, implementing best practices in cyber vigilance and providing support should a company be sued following a breach of confidentiality.

Lavery’s team has extensive experience and expertise, particularly in crisis management with respect to:

• Protection of personal and other sensitive data
• Information technology
• Technology governance
• IT risk management
• Disputes (including class actions)
• Labour and employment law

Our team keeps abreast of legislative changes regarding personal information, an area currently undergoing rapid change. It also has an understanding of cutting-edge technology, including the Internet of Things, artificial intelligence and quantum computing, all of which will drastically affect cybersecurity practices in the coming years.

Service offer to private and public institutions

As we know that legal matters represent only a fraction of the issues that need to be addressed with respect to an organization’s cyber vigilance, our service offer includes legal services geared towards IT security management and non-legal services that combine a range of prevention and response measures to provide an effective and operational solution based on four criteria:

• Strategy and transformation: Developing strategies and programs that focus on business needs and risks and support growth and resilience by making cybersecurity and privacy a company-wide priority.
• Incident and threat management: Preparing for, identifying, responding to, investigating and handling threats with confidence.
• Consumer privacy and protection: Designing, implementing and running a privacy program that enables your organization to maximize the use of data in accordance with the law, while building consumer trust.
• Implementation and operations: Designing, implementing, running and improving the use of cybersecurity technologies and continuously monitoring your environment to detect and contain threats to your business.

Service offer to SMEs

Our firm has developed a cybersecurity service offer to, in particular, analyze companies’ needs in this area and identify possible flaws that require their attention.

As a first step, your organization must complete a cybersecurity needs analysis questionnaire.

Once the questionnaire is completed, we are able to establish a diagnosis, propose solutions and an action plan to remedy problematic aspects and guide you in implementing our recommendations on the following:

• Cybersecurity governance: A sound decision-making process is important for any business when it comes to cybersecurity.
• Processes related to employees, suppliers and subcontractors: A business’ decisions and policies respecting cybersecurity must be properly communicated not only within the organization, but also with all stakeholders.
• Protection of personal information and data, and Canada’s anti-spam legislation: If your organization collects data or personal information as part of its operations, it must do so in accordance with the law.
• Technical and technological component to increase cybersecurity: Legal and strategic advice associated with implementing the action plan following our cybersecurity needs analysis.

Representative mandates

• Advised one of the largest professional orders in Quebec regarding a major computer security breach affecting its employees and members.
• Advised a major Canadian chemical company on the theft of its employees’ and customers’ personal data.
• Advised a Canadian tax and financial planning association following a cyberattack on its IT service provider.
• Advised and provided a legal opinion to one of the most prominent public organizations in Quebec on the appropriateness and content of an incident report resulting from a breach of confidentiality following a cyberattack.
• Advised a multinational tobacco company on the measures to be implemented in the event of a computer security breach and reviewed its policies, guidelines and response plans in this regard.
• Provided training to executives of a multinational cybersecurity insurance organization.
• Provided training to a major accounting and tax firm on cybersecurity and privacy.
• Advised a Crown corporation on applying the General Data Protection Regulation (GDPR) and created a matrix to identify cases where this European legal framework, which includes rules on IT security breaches, should be applied.
• Participated in data protection IT audits for various companies as part of a partnership with an international consulting firm.
• Advised a Canadian vehicle parts company that was held to ransom following an unwarranted intrusion into its databases containing all of the technical drawings of its American and European vehicle manufacturer clients.
• Reviewed the physical and software security rules of two major Canadian financial institutions’ IT and telecommunications systems and negotiated and drafted the physical and software security obligations incumbent on the service provider to which the operation of these systems was outsourced in order to ensure adequate contractual protection for the financial institutions against any breach of confidentiality of personal and other sensitive data entrusted to the service provider.
• Assisted a European law firm with a major employee and supplier data breach involving a multinational electronics company and its subsidiaries in several jurisdictions around the world.
• Advised a publicly traded company in the implementation of IT governance and security measures for the sharing of trade secrets between its various sites in Canada, the United States and Europe.
• Represented a European company that was the victim of a cyber incident to claim damages from those responsible for the incident located in Canada.