Lawyers, Boards and Cybersecurity

A lot of attention is being paid these days to cyberthreats and cybersecurity. It seems widely accepted that such threats and security questions cannot be confined to the IT department any more, but they involve sufficiently critical threats to organizations that boards of directors have to get involved. When boards get involved, they turn to their counsel.

Some enterprising law firms in the US have published books on the topic. The blurb for this one strikes me as a bit over the top – and the threats they sketch have been real for years (off-the-shelf attack software has long been available at low prices to random hackers; have they never heard of script kiddies?). But the questions raised are pertinent anyway, and maybe the suggested strategies have merit.

So: what does counsel advise? What do you advise?

What must lawyers know about defences and responses to various kinds of attack? Can you insulate your board clients (whether you’re in-house or outside counsel) from liability for damage to the organization (and its shareholders and customers) from cyberattack? Are there best practices, or only shots in the dark?

I am aware of one US case where a derivative action against a company for having been hacked was defeated by evidence of the diligence of the board in combatting and responding to the attack – which involved *many* meetings and consultations. Due diligence was very diligent indeed.

Are there any Canadian standards or legal guidance, besides on privacy matters? I am not so much thinking of data breaches as espionage or ransomware, or [insert your nightmare scenario here].

A lot of U.S. authorities are creating standards for the protection of “critical infrastructure” – are there Canadian equivalents? The test for liability for a critical infrastructure business may then be whether one has complied with those standards. For others – is there guidance to be had there?

Can you insulate yourself from a professional negligence action if you fail to protect your clients from a successful attack? Are the standards of care clear enough for that, either for the clients or for the lawyers? Where would you go to look?

Is a severe warning to the client (before disaster strikes) enough to get the lawyers off the hook? What does it have to say?
