The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/918234
50 | JANUARY 2018 | www.CANADIANLawyermag.com

both from a preventive perspective and in the event of an attack. "The appropriateness will depend on the size of the client and insurers will work with clients in terms of what they need for their particular size or risk."

When it comes to developing cross-border breach response plans, Hulton strongly recommends clients don't wait for the "ultimate stress test" of an actual incident. Hulton and her team help clients develop breach response plans, educate general counsel on best practices and provide counsel in the case of an actual breach. Though "the uptake varies across the board," Hulton says her team is constantly preaching the proactive approach to clients and recently more are on board, which she calls heartening.

Jean-François De Rico, a partner specializing in information technology law at Langlois Lawyers LLP's Quebec City office, agrees there are changing attitudes toward the need for having a detailed breach response well in advance of an actual issue, although he notes there's a general acknowledgement that there's no situation where absolute security can be assured.

De Rico starts from the premise that the threat is global and constant, and his obligation to clients is to enlighten them about the risks arising from threats that are known today, what can be managed and how best to do so.

"Cybersecurity occupies me more in the prevention realm as of today than in the curing and breach context," he adds. "In at least the last two or three years, I've been doing a lot more reviewing, advising, contractual work — both in the procurement side and actual negotiation as to the measures of information security that will be imposed on a service provider. There's a lot of negotiations in that field."

Kolnhofer says it's an education process with the clients to get them to accept that cybersecurity breaches are a reality.

"There's still a perception this is not going to happen to a small business, your average business, any kind of local business smaller than Yahoo or those larger companies that you hear in the news," she says. "They're somewhat resistant to thinking they need to expend resources to implement all these strategies, but it is actually happening."

Hulton says the role of legal counsel in a company's cybersecurity protocol is misunderstood, with many believing the issue is purely technology based. "Devoting more financial resources is one aspect of it, but also, inherently in cybersecurity, education is the other side of the coin. The two have to go hand in hand." Involving all levels of employees is crucial — CEOs have to make friends with their IT department because "if anybody knows exactly what's going on, it's that department. They can't be afraid to talk to their CEO."

The best approach to cybersecurity, she notes, is to understand that there are many moving parts. It's about planning, foresight, updates and developing a privacy program. The boilerplate approach to these issues is not enough anymore — there are a lot of do-it-yourself people out there, Hulton notes, who think they can grab a response plan off the internet, "do a couple little tweaks in-house" and be good to go, but that's not the case.

Using best practices in prevention and breach response is part of remaining competitive, Kolnhofer says, adding "at this point if you're not keeping up with the current privacy by design, then you might simply have to exit the market because people aren't going to want to deal with you. It definitely makes you more marketable."

Privacy by design is a three-fold approach, where a business sets up IT systems that protect as best possible, have accountable business practices and then "implement it from a physical perspective in terms of the physical design of your business and the IT perspective — what you're using in terms of equipment and infrastructure," Kolnhofer says.

"The key with this approach is balancing the protection and risk management while ensuring your clients are able to continue with whatever their innovative projects are and to keep them competitive in the business that they're in."

Hulton and her team offer clients the opportunity to proactively conduct an internal audit to help develop breach response plans. They give the clients the tools to do the first step themselves and gather basic information; the lawyers then "cross-examine" them, asking the hard questions and drilling down based on the cybersecurity team's experience.

"If we can get proactive and get in there ahead of time, we already know what their cross-border exposure is, so we've already covered that. [In] this day and age, even very small mom-and-pop operations are cross-border."

De Rico, whose team works both with public organizations and businesses, acts for clients in the course of procurement projects and the development or review of internal policies, but he notes it can be hard to meet the "cloudy language" requirements of information security, which is "the obligation to ensure you put in place appropriate processes, procedures and controls to ensure security of information," he says.

"I keep myself informed of the threats, the risks and the way to mitigate that risk technologically but also in the realm of business processes and the education of actual individuals."

In cross-border operations with the U.S., there's varying legislation depending on the state you're dealing with and that leads to some tricky decisions, Kolnhofer says.

"Should you adopt the strictest laws and apply that generally or have more of a patchwork system of compliance depending on where your business is operating? That can become a resource challenge."

There's no blanket advice you can give clients, Kolnhofer says, because it's going to depend on the size of their business, the resources available — because "it might become cost-prohibitive to get too complicated with what they're implementing from a risk approach" — and also on the sensitivity of the data.

"Each business is different — the level of business they're doing in the other jurisdictions is different, it might depend on how strict or not the other jurisdiction's regulations are," Kolnhofer says. "You weigh a cost-benefit analysis."

Hulton says her personal inclination is always to go with the best-practic-

LEGAL REPORT \ CYBERSECURITY LAW