What is Cybersecurity Law, Really?

Cybersecurity is everywhere these days. People are talking about it in business circles, in legal circles, in technology circles and at all points in between.  Scores of articles abound dispensing advice about best practices for IT security management. You are reading this blog possibly because you are worried about cybersecurity and the legal ramifications of a cyber breach – but what does that really mean?  We are here to cut through the noise.

There is no one law that contains all of the rules about what companies should be doing regarding cybersecurity. That would make life simple! On the contrary, the possible outcomes of a data breach touch a number of different legal areas that companies need to think about and the risks that companies have to manage are complex. For example, a data breach could involve any of the following legal issues:

  • What is the nature of the compromised data? Is it information that is a trade secret or confidential information of a third party and what liability would the company have to that third party if the information were to be disclosed? If it is the company’s own trade secret that is divulged through a data breach, what does that mean for the company’s valuation, particularly if there is a sale transaction in the near future? On the other hand, does the breach involve personal information of individuals and if so, is there any statutory duty to notify them? What are the specific requirements of notification by jurisdiction and what are the ramifications if the company does not notify? What would be the likely scope of any class action litigation?
  • Does the company have insurance to cover the breach? Although cyber coverage has been around for a while, it is an emerging market in Canada and the actual scope of coverage varies from policy to policy – what coverage does the company actually have?
  • Does the company have any regulatory obligations that are specific to its industry that might apply?
  • If the company is a publicly traded entity, what is the obligation to report the incident in public filings, and if there is an obligation, how much detail must be provided?
  • What is the role of the board of directors? In corporate law, directors have a duty to discharge their duties acting honestly and in good faith with a view to the best interests of the corporation and to exercise care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances. Given the breach, was that duty discharged or not, and if not, could an action be brought against the directors as a result?
  • Was the breach an “inside job”? If so, is it cause for dismissal? How would discipline for this type of transgression be handled in a unionized environment?  Is it possible to press criminal charges?
  • How can the victim company best contain and manage the aftermath of the breach and still put itself in the best possible position for any ensuing litigation from third parties who have suffered damage as a result of the breach? How can documents and conversations be covered by solicitor/client privilege?
  • If a third party service provider was handling the data that was compromised, what does the contract with that supplier say about the allocation of risk for the breach?  How much, if any, of the costs will it bear?
  • Looking past the breach, what policies and procedures can organizations either put into place or update to try to prevent future breaches and mitigate the effects of further incidents? Beside IT security and IT asset management policies, consider the company’s board governance and reporting structures, and its policies on privacy, whistle blowing, document retention/data governance, vendor management, employee training and discipline and the use of outside counsel.

Data breach or cybersecurity is a multi faceted legal topic. Most commentators today say it is not a question of “if” a breach will occur, but “when”. 

At a minimum, organizations need to think about the issues above when designing their cyber preparedness and response strategies.

Keep an eye on this blog as we explore each of these areas in further detail. We welcome your suggestions and feedback on any other topical cybersecurity/data breach issues that you would like to see covered.