Canadian Lawyer InHouse

May 2016

Legal news and trends for Canadian in-house counsel and c-suite executives

Issue link: https://digital.canadianlawyermag.com/i/670711


Ralph Kroman, partner with WeirFoulds LLP in Toronto, says it's never a bad idea for a lawyer to be proactive rather than reactive, but when it comes to protecting customer information and the organization from potential litigation, in-house can never be too careful when preparing for a cyberattack and its aftermath. He sees it as being the No. 1 skill of in-house counsel who are looking at keeping their feet under them as they navigate the shifting sands of cybersecurity and ever-adapting legislation. "Being proactive can in fact reduce liability and in fact eliminate it," Kroman says.

However, many are caught flat-footed when their organization experiences a threat that compromises the integrity of corporate data, says Kroman, whose practice is focused on intellectual property and information technology. He says there is a tendency to treat cybersecurity and data breach prevention as a technology issue, but planning, ongoing protection, and any response to an incident should also involve people and processes.

EMBRACE LIFE-LONG LEARNING

Because the nature of threats is changing day to day and month to month, as is legislation, in-house counsel also needs to have an open mind and be eager to learn, says Kroman. They also need to be persistent, both in terms of keeping on top of trends, legislation, and threats, but also in educating the executives and employees in their organization.

Legislation is adapting and becoming more robust. "Counsel really needs to keep on top of it," he says. "It's not just something you can look up in a book." What is law today may change, he adds, and while it's quite unusual for legislation to change overnight, in-house counsel should have a process in place to keep on top of any changes. This is where tapping the expertise of an external legal resource can help. "It can really be a team effort."

One of the reasons Kroman says in-house counsel needs to be persistent is that many organizations have an "it can't happen to them" attitude. "There can be a reluctance in the organization to do things in cybersecurity beyond technology measures."

There are more incidents of corporate data breaches being reported, and more lawsuits as a result, says Kroman. And it's not just enough to understand Canadian legislation with regards to privacy. It's important to know who must be notified, including various governments. "Those obligations are changing quite rapidly," he says. "As part of preparing for an incident, organizations need to understand what jurisdictions apply."

A company in Canada may have to comply with privacy legislation in more than one province, as well as that of other countries, depending on the nature of its operations. It needs to understand who to notify and when it must notify, says Kroman. "Case law has shown that failure to notify can open up an organization to a successful lawsuit."

Safeguarding privacy is a core component of cybersecurity. Chantal Bernier, who led the Office of the Privacy Commissioner of Canada for six years and is now counsel with Dentons LLP in Ottawa, says the privacy aspect means a key skill for in-house counsel is having sufficient knowledge of regulatory frameworks to understand when they are triggered in the event of a data breach. Organizations should either have internal expertise or retain external counsel who has that knowledge, Bernier says.

In-house counsel should also keep an eye on global trends, not just around technology but around the legal impact of a successful cyberattack. Bernier's experience with both the federal government and now as external counsel is that senior management often underestimates the importance of security, as well as the legal repercussions that come with a data breach. In-house counsel needs to engage with C-level executives to educate them from a corporate risk management perspective.

Advice needs to be ongoing, Bernier adds, particularly whenever new technology is adopted. Bernier cites the bring-your-own-device phenomenon as a prime example of a trend that requires the input of in-house counsel on what the privacy issues and risks to the business are with regard to employees carrying corporate data on their own smartphones or tablets.

Training around privacy issues has become increasingly important, according to Éloïse Gratton, a partner at Borden Ladner Gervais LLP in Montreal. "More and more in-house lawyers are taking privacy courses or having privacy certifications," she says. Gratton also serves as national co-leader of the firm's national privacy and data security practice group and sees about 15 to 20 breaches a year. "At the end of the day, you need to understand the frameworks."

In addition to ever-evolving privacy legislation, there is also case law over the years that can provide an indication as to the consequences an organization might face if it has a data breach of any kind, Gratton says. When one occurs, counsel should keep in mind what a privacy commissioner will scrutinize, such as whether its security technology is industry standard. For example, if a data breach occurred via a compromised laptop, was the data on it adequately encrypted? What kind of governance was in place? What are the policies in place for employees to support the safeguarding of customer information and intellectual property?

CYBERSECURITY IS CORE TO CORPORATE RISK MANAGEMENT

If a third-party service provider is involved, organizations should make sure they are transferring only the data that is necessary for that function. And in an era of Big Data where many businesses rely heavily on analysis of customer information and behaviour to make decisions, Gratton says they need to know who is using personally identifiable information and how it is being aggregated. "It's not always clear at what point a piece of information is anonymized," she says. As use of outside providers through models such as cloud computing exposes PII to third parties, it calls for robust contractual terms, which is a tangible area where in-house coun-
