Summary

Cyber risk management is an increasingly important challenge for organizations of all sizes and kinds. Cyber risks are the risks of damage, loss and liability to an organization resulting from a failure or breach of the organization's information technology systems or unauthorized use or disclosure of the organization's sensitive, protected or regulated data. Commentators have said that there are only two kinds of organizations — those that have been hacked and know it, and those that have been hacked and don't know it yet.

BLG has one of the most talented and experienced cybersecurity legal teams in Canada. BLG lawyers have extensive expertise and experience regarding cyber risk management and crisis management legal services, and a proven ability to successfully prosecute and defend complex cyber litigation (including class actions).

Cybersecurity and Cyber Risk Management Service Offerings

Cyber Risk Management Program

Effective cyber risk management should be based on a comprehensive cyber risk management program involving the identification, assessment and prioritization of cyber risks and the selection of suitable risk treatments for identified risks.

BLG can assist with the development and implementation of a cyber risk management program by providing advice regarding legal requirements and regulatory guidance, helping conduct audits and assessments, advising regarding risk treatments, and drafting/reviewing program documents.

Incident Response Plans

Effective cyber risk management requires pre-determined, written incident response plans (including various protocols and guidelines) for the rapid, lawful and effective response to various kinds of cybersecurity incidents.

BLG can assist with the development of incident response plans by providing advice regarding legal requirements and regulatory guidance and drafting/reviewing incident response plans and related documents (including protocols and guidelines for communications, record keeping, evidence collection, risk assessments, notification/information sharing and post-incident review).

Test, Train and Exercise Program

Effective cyber risk management requires a testing, training and exercise ("TTX") program to help ensure that incident response plans are up-to-date and relevant personnel and information technology systems are in a state of readiness.

BLG can assist with the design and execution of a TTX program by providing advice regarding legal requirements and regulatory guidance, drafting/reviewing TTX program documents, participating in TTX program activities (e.g. table-top exercises) and providing post-activity assessments and advice.

Practices/Procedures and Education/Training

Effective cyber risk management requires practices and procedures for the use of information technology systems and information and ongoing education and training of relevant personnel (including directors and senior management).

BLG can assist with cyber risk management practices/procedures and education/training by providing advice regarding legal requirements and regulatory guidance (including advice regarding privacy, hiring/engagement/on-boarding of personnel and monitoring/enforcing compliance), drafting/reviewing policies and procedures, assisting with education/training and providing advice regarding monitoring, verifying and enforcing compliance.

Business Partner Management

Effective cyber risk management requires that cyber risks be addressed in contracts with business partners (e.g. vendors, suppliers, service providers and subcontractors), especially for business arrangements involving transfers of regulated information (e.g. personal information) to business partners, including in connection with the use of cloud services and other outsourcing arrangements.

BLG can assist with business partner risk management by providing advice regarding legal requirements and regulatory guidance, preparing due diligence checklists, drafting/reviewing standard form procurement documents and standard form contract schedules, drafting and negotiating contracts with business partners, drafting/reviewing internal policies and procedures and assisting with monitoring and verifying business partner compliance with contractual requirements.

Board and Senior Management Advice

Cyber risk management is a C-suite issue. Directors and officers are responsible for ensuring that their corporation/organization properly manages cyber risks and effectively responds to cyber incidents.

BLG can help educate and advise directors and senior management so that they are able to ask the right questions, fulfil their legal duties, and establish an appropriate due diligence and business judgment record.

Experience & Expertise

Cyber Risk Management and Crisis Management

BLG's recent cyber risk management and crisis management experience includes:

  • Representing numerous clients (including corporations operating in the financial services and retail trade industries) to manage security breaches involving different Canadian jurisdictions, including investigating the breaches; acting as the contact for interested parties, the individuals concerned, the media, external technical consultants and privacy commissioners (including the Privacy Commissioner of Canada, the Alberta, British Columbia, and Ontario Privacy Commissioners and the Commission d'accès à l'information du Québec); advising regarding notification obligations; assisting in drafting letters of notification; and generally contributing to the response strategy.
  • Representing various clients in investigations carried out by privacy commissioners and regulators, including:
    • a leading Canadian credit score and analytics company;
    • an American multi-national corporation traded on the New York Stock Exchange (NYSE);
    • a leader in international family entertainment and interactive media;
    • a multi-national technology company; and
    • various financial institutions.

Cyber Litigation and Class Actions

BLG's litigators have extensive experience in all aspects of cyber litigation and have acted as counsel in some of the most notable cybersecurity and privacy cases in Canada, including as counsel for Google, Bell Canada, numerous financial institutions, healthcare organizations and retailers. BLG's recent cyber litigation and class action experience includes:

  • Representing a financial services regulator named as a defendant in a class action resulting from the loss of personal information contained on a portable computer. We successfully obtained a dismissal of the class action.
  • Representing a major automobile financing company named as a defendant in a class action resulting from the loss of a data tape that contained personal information. We successfully obtained a dismissal of the class action.
  • Representing Google as a defendant in a potential privacy class action (now at the pre-certification stage) on behalf of persons whose electronic data was allegedly transmitted over an unsecured wireless internet connection and whose personal information was allegedly intercepted.

Rankings & Recognitions

The Cybersecurity Group or its members are recognized in:

  • 2017 Acritas Star, Cyber Risk and Data
  • 2017 edition of Chambers Canada — Canada's Leading Lawyers for Business (Privacy & Data Protection)
  • 2017 and 2016 editions of The Best Lawyers in Canada® (Information Technology Law)
  • 2016 Lexology Client Choice Awards as the exclusive winner for Information Technology in British Columbia
  • Lexpert® magazine in 2013, as a Canadian expert on privacy law
  • Éloïse Gratton was awarded the Clawbies: Canadian Legal Blog Award for the year 2014, for the best new legal blog, for her blog on privacy and IT law
  • Since 2001, the Canadian Legal Lexpert® Directory for Computer & IT Law