Lawyers, Boards and Cybersecurity

by John Gregory

A lot of attention is being paid these days to cyberthreats and cybersecurity. It seems widely accepted that such threats and security questions cannot be confined to the IT department any more, but they involve sufficiently critical threats to organizations that boards of directors have to get involved. When boards get involved, they turn to their counsel.

Some enterprising law firms in the US have published books on the topic. The blurb for this one strikes me as a bit over the top – and the threats they sketch have been real for years (off-the-shelf attack software available for low prices to random hackers. Have they never heard of script kiddies?). But the questions raised are pertinent anyway, and maybe the suggested strategies have merit.

So: what does counsel advise? What do you advise?

What must lawyers know about defences and responses to various kinds of attack? Can you insulate your board clients (whether you’re in-house or outside counsel) from liability for damage to the organization (and its shareholders and customers) from cyberattack? Are there best practices, or only shots in the dark?

I am aware of one US case where a derivative action against a company for having been hacked was defeated by evidence of the diligence of the board in combatting and responding to the attack – which involved *many* meetings and consultations. Due diligence was very diligent indeed.

Are there any Canadian standards or legal guidance, besides on privacy matters? I am not so much thinking of data breaches as espionage or ransomware, or [insert your nightmare scenario here].

A lot of U.S. authorities are creating standards for the protection of “critical infrastructure” – are there Canadian equivalents? So the test for liability for a critical infrastructure business may be whether one has complied with those standards. For others – is there guidance to be had there?

Can you insulate yourself from a professional negligence action if you fail to protect your clients from a successful attack? Are the standards of care clear enough for that, either for the clients or for the lawyers? Where would you go to look?

Is a severe warning to the client (before disaster strikes) enough to get the lawyers off the hook? What does it have to say?

Comments are closed.

Most Recent Comments

John on The Inevitability of AI in Court: What Does It Mean for Self-Represented Litigants?:

(Part 2) Perplexity is catching up with Claude as an AI companion. The latest studies show AI’s primary use is… more »
Sam Laufer on Ontario Civil Rules Reform – the Good the Bad and the Ugly:

called in 75. Problems that I foresee: in fraud - misrepresentation and related type cases, good luck getting productions and… more »
John on The Inevitability of AI in Court: What Does It Mean for Self-Represented Litigants?:

AI became my digital buddy for a two-day family court trial. With only six weeks to prepare after a procedural… more »
Steve Matthews on Free AI Is All You Need to Supercharge Your Practice:

Former Law Librarian: As a law librarian and someone who has spent ample time constructing boolean operators myself, I think… more »

+ -

In the Absence of Federal AI Laws, Privacy Regulators Lead the Way: Lessons From the Clearview Case

Letting Our Research Run With AI Content

Professional Identify Formation: What It Is and Why It Matters

Free AI Is All You Need to Supercharge Your Practice

Indigenous Cultural Competency for Tribunals – the Steps Ahead

No Half Measures: Four Big Ideas in Ontario’s Civil Rules Review

Lawyers, Boards and Cybersecurity