Lawyers, Boards and Cybersecurity

by John Gregory

A lot of attention is being paid these days to cyberthreats and cybersecurity. It seems widely accepted that such threats and security questions cannot be confined to the IT department any more, but they involve sufficiently critical threats to organizations that boards of directors have to get involved. When boards get involved, they turn to their counsel.

Some enterprising law firms in the US have published books on the topic. The blurb for this one strikes me as a bit over the top – and the threats they sketch have been real for years (off-the-shelf attack software available for low prices to random hackers. Have they never heard of script kiddies?). But the questions raised are pertinent anyway, and maybe the suggested strategies have merit.

So: what does counsel advise? What do you advise?

What must lawyers know about defences and responses to various kinds of attack? Can you insulate your board clients (whether you’re in-house or outside counsel) from liability for damage to the organization (and its shareholders and customers) from cyberattack? Are there best practices, or only shots in the dark?

I am aware of one US case where a derivative action against a company for having been hacked was defeated by evidence of the diligence of the board in combatting and responding to the attack – which involved *many* meetings and consultations. Due diligence was very diligent indeed.

Are there any Canadian standards or legal guidance, besides on privacy matters? I am not so much thinking of data breaches as espionage or ransomware, or [insert your nightmare scenario here].

A lot of U.S. authorities are creating standards for the protection of “critical infrastructure” – are there Canadian equivalents? So the test for liability for a critical infrastructure business may be whether one has complied with those standards. For others – is there guidance to be had there?

Can you insulate yourself from a professional negligence action if you fail to protect your clients from a successful attack? Are the standards of care clear enough for that, either for the clients or for the lawyers? Where would you go to look?

Is a severe warning to the client (before disaster strikes) enough to get the lawyers off the hook? What does it have to say?

Comments are closed.

Most Recent Comments

Sarah A. Sutherland on Everybody Hates the McGill Guide: A Citations Editor’s Lamentation:

I don't use the McGill Guide much, but I have found that the "UBC Legal Citation Guide" generally meets my… more »
Alexandra Champagne on Everybody Hates the McGill Guide: A Citations Editor’s Lamentation:

To Batgirl's comment: I agree that the MLJ would benefit from collaboration with CanLII. Any resources would be of serious… more »
Noel Semple on Everybody Hates the McGill Guide: A Citations Editor’s Lamentation:

I agree with Batgirl! more »
Michele Ballagh on The Problem With Associate Fee Splits:

I think this is an interesting topic. Some associates seem quite desperate to get a percentage of their billings as… more »

+ -

Hopefulness in Times of Hate – Letters to and From a Law School

Experience

A Difficult Test for Inducing Patent Infringement

Everybody Hates the McGill Guide: A Citations Editor’s Lamentation

5 Ways Lawyers Can Stop Avoiding Conflict

Tribunals: A “People-Centered” Framework

Lawyers, Boards and Cybersecurity