Cybersecurity and Data Breaches: Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association, The Canadian Bar Association, and Fasken Martineau LLP

November 25, 2015

Alex Cameron, Fasken Martineau

Preparedness

• Does your organization have in place an incident response plan to address data breaches and cybersecurity incidents?
  • Yes: 56%
  • No: 13%
  • I don’t know: 31%



Nobody is perfect…

• “Nobody should be held to a standard of perfection and the Respondent already had a detailed protocol before the occurrence of what can only be considered as a human error” - Townsend v Sun Life Financial 2012 FC 550
• “The fact that a breach has occurred is not necessarily indicative of a contravention of the Act. While an organization may not have been able to prevent a breach, it may still have had appropriate safeguards in place” - PIPEDA Report of Findings 2014-004

Overview

• Privacy 101
• Privilege in cybersecurity assessments
• Privilege in breach response
• Key changes to PIPEDA
• Ethics and professionalism issues
• Privacy litigation trends
• Key issues on the horizon


Privacy 101

• Statutory privacy torts
• Public sector statutes
• Private sector data protection statutes
• Health privacy statutes
• Sector-specific rules
• Common law
• International rules

Privilege in cybersecurity assessments

• Does your organization have formal protocols in place to ensure that legal counsel is involved and privilege issues are considered in cybersecurity assessments?
  • Yes: 46%
  • No: 26%
  • I don’t know: 28%


Privilege in cybersecurity assessments

• Scenario
  • Your IT department retained an outside consultant to conduct a security review. Legal counsel was not involved
  • The consultant sent a written report to IT which identifies major weaknesses in need of urgent attention
  • Before the problems are fixed, hackers exploit one of the key weaknesses identified in the report
  • Complaints and litigation ensue
  • The Privacy Commissioner and plaintiff’s counsel seek production of the report

Privilege in cybersecurity assessments

• Categories of privilege
  • Solicitor-client privilege
  • Litigation privilege
  • Settlement privilege
  • Ad hoc privilege


Privilege in cybersecurity assessments

• Solicitor-client privilege applies where a communication is:
  • made in the context of a solicitor-client relationship
  • made in the course of either requesting or providing legal advice, and
  • intended to remain confidential
  • Solosky v The Queen [1980] 1 SCR 821

Privilege in cybersecurity assessments

• Communications that do not specifically request or provide legal advice are still privileged where they are a “part of a continuum aimed at keeping both [parties] informed so that advice may be sought and given as required”
  Balabel v Air India [1988] 2 All ER 246 (CA)
• Solicitor-client privilege extends to records (e.g. a lawyer’s working papers) directly related to the seeking, formulating or giving of legal advice or legal assistance
  Susan Hosiery v Canada (MNR) [1969] CTC 353 (Ex Ct)


Privilege in cybersecurity assessments

• Litigation privilege
  • Covers documents created for the dominant purpose of litigation, either actual or contemplated (e.g. surveillance, witness statements, investigation reports)
  • Barrister’s notes of a non-privileged interview of his client by an audit committee consultant met test for litigation privilege where litigation was anticipated
    R v Dunn 2012 ONSC 2748 at paras 53-59 (Nortel case)

Privilege in cybersecurity assessments

• The Wigmore test
  • The communications must originate in a confidence that they will not be disclosed
  • This element of confidentiality must be essential to the full and satisfactory maintenance of the relation between the parties
  • The relation must be one which in the opinion of the community ought to be sedulously fostered
  • The injury that would inure to the relation by the disclosure of the communications must be greater than the benefit thereby gained for the correct disposal of litigation


Privilege in cybersecurity assessments

• Scenario update
  • It is learned that the Chief Privacy Officer (CPO) of the organization spoke with IT prior to retaining the consultant
  • The CPO told IT that the security review would be useful because the board keeps asking about cybersecurity
  • The CPO is also in-house legal counsel for the company

Privilege in cybersecurity assessments

• In-house counsel can wear many hats
  • Legal Advisor
  • Risk Manager
  • Policy Advisor
  • Compliance Monitor
  • Manager of Lawyers (& Legal Expenses)
  • Business Advisor
  • Corporate Investigator


Privilege in cybersecurity assessments

• Lawyers employed by a corporation are covered by solicitor-client privilege as long as they are performing the function of a solicitor, not a “business counsellor”
  Canada (Privacy Commissioner) v Blood Tribe Department of Health 2008 SCC 44 at para 10
  Pritchard v Ontario [2004] 1 SCR 809
  IBM Canada Ltd v Xerox of Canada Ltd [1978] 1 FC 513 (CA)
  R v Shirose (sub nom R v Campbell) (1999) 171 DLR (4th) 193 (SCC)

Privilege in cybersecurity assessments

• “Advice given by lawyers on matters outside the solicitor-client relationship is not protected. A comparable range of functions is exhibited by salaried corporate counsel employed by business organizations … although (as in government) the corporate context creates special problems see … No solicitor-client privilege attaches to advice on purely business matters even where it is provided by a lawyer” R v Campbell [1999] 1 SCR 565 at para 50


Privilege in cybersecurity assessments

• If a lawyer also has an official role in the management of the company for which she works, her activities relating to the management role do not attract solicitor-client privilege
  Presswood v International Chemalloy Corp (1975) 11 OR (2d) 164
  See also Toronto-Dominion Bank v Leigh Instruments Ltd (1997) 32 OR (3d) 575 (OC (GenDiv))

Privilege in cybersecurity assessments

• Scenario update
  • It has been determined that on the day the report was received it was discussed at a meeting with IT, human resources, risk management and in-house counsel
  • The report itself was destroyed at the meeting and no copies remain
  • The plaintiff calls in-house counsel as a witness in the litigation against the company


Privilege in cybersecurity assessments

• When will a lawyer’s presence at a meeting render the subject of the meeting privileged?
  • The mere fact of a lawyer’s involvement does not establish privilege
  • Courts have held that privilege attaches to those portions of board meeting minutes that record counsel’s advice
    Nova Scotia Power Corp v Surveyer Nenniger & Chenevert Inc (1986) 74 NSR (2d) 327 (NS TD) aff’d (1987) 78 NSR (2d) 217 (CA)

Privilege in cybersecurity assessments

• Privilege is not the same as confidentiality
• For example
  • LSUC Rule 33-1 - A lawyer at all times shall hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship and shall not divulge any such information unless
    • (a) expressly or impliedly authorized by the client
    • (b) required by law or by order of a tribunal of competent jurisdiction to do so …


Privilege in cybersecurity assessments

• “there is generally no assumption that legal advice was the focus of communications between a client and in-house counsel even when the latter is employed as in-house counsel. As in-house counsel often wear various hats, a factual foundation is required to demonstrate with respect to each document sheltered by privilege that in-house counsel’s involvement with the issue as qua-counsel”
  • BIE Health Products v Canada (Attorney General) 2015 ONSC 544

Privilege in cybersecurity assessments

• Practice points for meetings
  • Limit attendance to those actually required to be there
  • Be careful regarding the content and circulation of minutes and other documents
  • Determine the subject of meetings in advance and be explicit if it is for the purpose of legal advice or litigation privilege
  • See Toronto-Dominion Bank v Leigh Instruments Ltd, where excessive internal circulation was a factor in finding a lack of privilege (1997) 32 OR (3d) 575 (OC (GenDiv))


Privilege in cybersecurity assessments

• Practice points for documents (including emails and attachments)
  • Appropriately mark documents as being “privileged and confidential”
  • Limit the circulation of legal advice to necessary recipients
  • Communicate legal advice separately from the communication of business advice
  • When acting as counsel (as opposed to acting in some business capacity), identify that capacity clearly in communications

Privilege in data breach response

• Does your organization have formal protocols in place to ensure that legal counsel is involved and privilege issues are considered in data breach response?
  • Yes: 29%
  • No: 34%
  • I don’t know: 37%


Privilege in data breach response

• Target suspects a breach and retains outside counsel
• Target forms a Data Breach Task Force (at request of in-house and outside counsel) to educate the lawyers for legal advice and to prepare for litigation
• Target takes a two-track approach
  • Outside counsel set up the DBTF and engaged Verizon to educate the lawyers about the breach for the purpose of providing legal advice to Target
  • Target conducted its own ordinary-course investigation and a second team from Verizon investigated the breach on behalf of credit card brands so that they and Target could learn how the breach happened


Privilege in data breach response

• “Target demonstrated, through the declaration of [Chief Legal Officer] Timothy Baer, that the work of the Data Breach Task Force was focused not on remediation of the breach, as Plaintiffs contend, but on informing Target’s inhouse and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow”
  In re Target Corp Customer Data Security Breach Litigation No 014-md-02522 (D Minn Oct 23 2015)

Privilege in data breach response

• “Solicitor-client privilege also extends to communications and circumstances where the third party employs an expertise in assembling information provided by the client and in explaining that information to the solicitor. The third party in such a situation is making the information relevant to the legal issues on which the solicitor’s advice is sought. The third party’s role in a situation of this nature is akin to a translator. The third party is an “agent of transmission” of communication between the client and the lawyer”
  Redhead Equipment Ltd v Canada (Attorney General) 2014 SKQB 172


Privilege in data breach response

• Consider using external litigation counsel for investigations
• Clearly state in the investigator’s retainer letter that legal advice is sought and that privilege is asserted
• Where litigation is contemplated, consider retaining litigation counsel and marking documents appropriately (“prepared on instructions from litigation counsel and in anticipation of litigation”)

Privilege in data breach response

• Consider having all communications flow through counsel but… it has been held that a process of routinely submitting copies of documents to a lawyer in the hope of shielding relevant and non-privileged documents is improper
  • Guelph v Super Blue Box Recycling (2004) 2 CPC (6th) 276 (Ont SCJ)
  • Cusson v Quan (2004) 10 CPC (6th) 308 (Ont SCJ)


Key changes to PIPEDA

• What is a breach?
  • “breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from
    • a breach of an organization’s security safeguards, or
    • from a failure to establish those safeguards

Key changes to PIPEDA

• What is the threshold for notice?
  • Notice is required where it is reasonable in the circumstances to believe that there is a “real risk of significant harm”
  • “significant harm” includes humiliation, ID theft, damage to reputation or relationships
  • “real risk” requires consideration of sensitivity of the information, probability of misuse and prescribed factors


Key changes to PIPEDA

• Who must notice be given to?
  • Notice to individuals, except where prohibited by law
  • If notice given to individuals, notice must be given to other organizations and government if (a) notifying organization believes it may reduce risk or mitigate harm or (b) in prescribed circumstances
  • Report to Commissioner in prescribed form and manner where “real risk of significant harm”

Key changes to PIPEDA

• When and how to give notices and reports
  • Notice to individuals and other organizations and report to Commissioner must be given “as soon as feasible” after it is determined that a breach occurred
  • Notice must be conspicuous and direct in the prescribed form and manner, except where indirect notice is prescribed


Key changes to PIPEDA

• What must notices contain?
  • Notice must contain (a) sufficient information to allow an individual to understand the significance of the breach to them and to take steps, if possible, to reduce the risk of harm or mitigate it and (b) any other prescribed information

Key changes to PIPEDA

• Mandatory breach record keeping
  • Organizations must keep a record of every breach in accordance with any prescribed requirements
  • No threshold for record keeping requirement
  • The Commissioner may obtain access to or a copy of all breach records at any time for any reason and publish such information


Key changes to PIPEDA

• Each knowing contravention of the breach reporting and notice rules or the breach record-keeping rules can result in
  • A summary offence and a $10,000 fine, or
  • An indictable offence and a fine of up to $100,000

Ethical and professionalism issues

• Scenario update
  • It is known that the hackers stole the following
    • Name, address, date of birth, email, password, phone number, purchase history and credit card information
  • A few customers have called to report fraudulent activity
  • An office manager has instructed you to send the following notice, which he discussed with the CEO

“We recently learned that some of your personal information might have been affected in a security incident but we do not have any reason to suspect that it will be misused”


Ethical and professionalism issues

As in-house counsel, would you decide to:

1. Send the notice as instructed
2. Send the notice as you think it should be written
3. Raise the issue with the CEO and GC


Unprecedented activity and certifications

• Privacy class actions certified
  • LaRose v National Bank 2010 QCCS 5385
  • Elkoby v Google 2011 QSC No 500-06-000567
  • Rowlands v Durham Region 2012 ONSC 3948
  • Albilia v Apple Inc 2013 QCCS 2805
  • Evans v The Bank of Nova Scotia 2014 ONSC 7249
  • Belley v TD Auto Finance 2015 QCCS 168
  • Condon v Canada 2015 FCA 159
  • Doe v The Queen 2015 FC 916

Individual damage awards

• Early statutory tort claims
• Numerous PIPEDA cases
  • Nammo v TransUnion 2010 FC 1284
  • Girao v Zarek Taylor LLP 2011 FC 1070
  • Landry v Royal Bank of Canada 2011 FC 687
  • Biron v RBC Royal Bank 2012 FC 1095
  • Chitrakar v Bell TV 2013 FC 1103
  • Henry v Bell Mobility 2014 FC 555


Individual damage awards (cont’d)

• Jones v Tsige 2012 ONCA 32
• Alberta v Union of Provincial Employees 2012 CanLII 47215
• Action Auto Leasing v Gray [2013] OJ No 898
• McIntosh v Legal Aid Ontario 2014 ONSC 6136
• Albayate v Bank of Montreal 2015 BCSC 695

Business practice claims

• Plimmer v Google 2013 BCSC 681
• Albilia v Apple Inc 2013 QCCS 2805
• Douez v Facebook Inc 2015 BCCA 27
• Bell 2015 (Relevant Ads Program litigation)


Employees cause issues

• MacEachern v Ford Ontario SCJ No CV-13-18955
• Hynes v Western Regional Health 2014 NLTD(G) 137
• Broutzas v Rouge Valley Centenary 2014
• Hopkins v Kay 2015 ONCA 112
• Evans v The Bank of Nova Scotia 2014 ONSC 7249
• Doe v The Queen 2015 FC 916
• Condon v Canada 2015 FCA 159

Incident response matters

• Townsend v Sun Life Financial 2012 FC 550
• Jones v Tsige 2012 ONCA 32
• Chitrakar v Bell TV 2013 FC 1103
• Evans v The Bank of Nova Scotia 2014 ONSC 7249
• Belley v TD Auto Finance 2015 QCCS 168


Theories of liability

• Claims have been based on
  • Intrusion upon seclusion
  • Breach of contract
  • Negligence
  • Statutory privacy torts
  • Breach of data protection laws
  • Public disclosure of private facts
  • Waiver of tort
  • Misrepresentation
  • Breach of warranty
  • Breach of confidence
  • Nuisance
  • Vicarious liability

Key issues on the horizon

• Impact of PIPEDA amendments and breach regulations, including on provincial laws
• Potential impacts of EU Safe Harbour decision
• Continued progress (and settlements) of privacy class actions
• Impact of CASL
  • actual loss or damage suffered or expenses incurred, and
  • a maximum of
    • $200 for each contravention of section 6, not exceeding $1,000,000 for each day on which a contravention occurred
    • $1,000,000 for each day on which a contravention of section 7 or 8 occurred, and
    • $1,000,000 for each contravention of section 9


Key issues on the horizon

• Collier v Steinhafel Case No 14–00266 (D Minn Jan 29 2014)
• Kula v Steinhafel Case No 14–00203 (D Minn Jan 21 2014)
• Palkon etc v Holmes et al United States District Court District of New Jersey Civil Action No 214 - CV – 01234 (SRC)
• Louisiana Mun Police Employees Retirement Fund v Alvarez 2010 Del Ch LEXIS 160 (Del Ch July 14 2010)

Key issues on the horizon

• Cyber insurance


Key issues on the horizon

• Ensure that your role as counsel is clearly defined
• Legal risk is a crucial consideration - consider
  • Privacy policy and consent reviews
  • Vendor contract reviews
  • M&A transactions
  • Risk transfer (contracts and insurance)
• Policies and procedures meet legal standards
• Incident response plan is implemented and tested
• Protocols regarding legal role in vendor contracts, cybersecurity reviews and incident response plans

Page 2: Cybersecurity and Data Breaches: Essentials for …d2cuav766x88m8.cloudfront.net/2015/011-Cybersecurity...4 Cybersecurity and Data Breaches: Essentials for Corporate Counsel A joint

2

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Nobody is perfecthellip

bull ldquoNobody should be held to a standard of perfection and the

Respondent already had a detailed protocol before the

occurrence of what can only be considered as a human

errorrdquo - Townsend v Sun Life Financial 2012 FC 550

bull ldquoThe fact that a breach has occurred is not necessarily

indicative of a contravention of the Act While an organization

may not have been able to prevent a breach it may still have

had appropriate safeguards in placerdquo - PIPEDA Report of

Findings 2014-004

Overview

bull Privacy 101

bull Privilege in cybersecurity assessments

bull Privilege in breach response

bull Key changes to PIPEDA

bull Ethics and professionalism issues

bull Privacy litigation trends

bull Key issues on the horizon

3

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privacy 101

bull Statutory privacy torts

bull Public sector statutes

bull Private sector data protection statutes

bull Health privacy statutes

bull Sector-specific rules

bull Common law

bull International rules

Privilege in cybersecurity assessments

bull Does your organization have formal protocols in place to

ensure that legal counsel is involved and privilege issues are

considered in cybersecurity assessments

bull Yes 46

bull No 26

bull I donrsquot know 28

4

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Scenario

bull Your IT department retained an outside consultant to

conduct a security review Legal counsel was not involved

bull The consultant sent a written report to IT which identifies

major weaknesses in need of urgent attention

bull Before the problems are fixed hackers exploit one of the

key weaknesses identified in the report

bull Complaints and litigation ensue

bull The Privacy Commissioner and plaintiffrsquos counsel seek

production of the report

Privilege in cybersecurity assessments

bull Categories of privilege

bull Solicitor-client privilege

bull Litigation privilege

bull Settlement privilege

bull Ad hoc privilege

5

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Solicitor-client privilege applies where a communication is

bull made in the context of a solicitor-client relationship

bull made in the course of either requesting or providing legal

advice and

bull intended to remain confidential

bull Solosky v The Queen [1980] 1 SCR 821

Privilege in cybersecurity assessments

bull Communications that do not specifically request or provide

legal advice are still privileged where they are a ldquopart of a

continuum aimed at keeping both [parties] informed so that

advice may be sought and given as requiredrdquo

Balabel v Air India [1988] 2 All ER 246 (CA)

bull Solicitor-client privilege extends to records (eg a lawyerrsquos

working papers) directly related to the seeking formulating or

giving of legal advice or legal assistance

Susan Hosiery v Canada (MNR) [1969] CTC 353 (Ex Ct)

6

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Litigation privilege

bull Covers documents created for the dominant purpose of

litigation either actual or contemplated (eg surveillance

witness statements investigation reports)

bull Barristerrsquos notes of a non-privileged interview of his client

by an audit committee consultant met test for litigation

privilege where litigation was anticipated

R v Dunn 2012 ONSC 2748 at paras 53-59 (Nortel case)

Privilege in cybersecurity assessments

bull The Wigmore test

bull The communications must originate in a confidence that

they will not be disclosed

bull This element of confidentiality must be essential to the full

and satisfactory maintenance of the relation between the

parties

bull The relation must be one which in the opinion of the

community ought to be sedulously fostered

bull The injury that would inure to the relation by the disclosure

of the communications must be greater than the benefit

thereby gained for the correct disposal of litigation

7

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Scenario update

bull It is learned that the Chief Privacy Officer (CPO) of the

organization spoke with IT prior to retaining the consultant

bull The CPO told IT that the security review would be useful

because the board keeps asking about cybersecurity

bull The CPO is also in-house legal counsel for the company

Privilege in cybersecurity assessments

bull In-house counsel can wear many hats

bull Legal Advisor

bull Risk Manager

bull Policy Advisor

bull Compliance Monitor

bull Manager of Lawyers (amp Legal Expenses)

bull Business Advisor

bull Corporate Investigator

8

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments
• Lawyers employed by a corporation are covered by solicitor-client privilege as long as they are performing the function of a solicitor, not a “business counsellor”
Canada (Privacy Commissioner) v Blood Tribe Department of Health, 2008 SCC 44 at para 10
Pritchard v Ontario, [2004] 1 SCR 809
IBM Canada Ltd v Xerox of Canada Ltd, [1978] 1 FC 513 (CA)
R v Shirose (sub nom R v Campbell) (1999), 171 DLR (4th) 193 (SCC)

Privilege in cybersecurity assessments
• “Advice given by lawyers on matters outside the solicitor-client relationship is not protected. A comparable range of functions is exhibited by salaried corporate counsel employed by business organizations … although (as in government) the corporate context creates special problems: see … No solicitor-client privilege attaches to advice on purely business matters even where it is provided by a lawyer” R v Campbell, [1999] 1 SCR 565 at para 50


Privilege in cybersecurity assessments
• If a lawyer also has an official role in the management of the company for which she works, her activities relating to the management role do not attract solicitor-client privilege
Presswood v International Chemalloy Corp (1975), 11 OR (2d) 164
See also Toronto-Dominion Bank v Leigh Instruments Ltd (1997), 32 OR (3d) 575 (OC (Gen Div))

Privilege in cybersecurity assessments
• Scenario update
  • It has been determined that on the day the report was received, it was discussed at a meeting with IT, human resources, risk management and in-house counsel
  • The report itself was destroyed at the meeting and no copies remain
  • The plaintiff calls in-house counsel as a witness in the litigation against the company


Privilege in cybersecurity assessments
• When will a lawyer’s presence at a meeting render the subject of the meeting privileged?
  • The mere fact of a lawyer’s involvement does not establish privilege
  • Courts have held that privilege attaches to those portions of board meeting minutes that record counsel’s advice
Nova Scotia Power Corp v Surveyer, Nenniger & Chenevert Inc (1986), 74 NSR (2d) 327 (NS TD), aff’d (1987), 78 NSR (2d) 217 (CA)

Privilege in cybersecurity assessments
• Privilege is not the same as confidentiality
• For example
  • LSUC Rule 3.3-1 - A lawyer at all times shall hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship and shall not divulge any such information unless
    • (a) expressly or impliedly authorized by the client
    • (b) required by law or by order of a tribunal of competent jurisdiction to do so …


Privilege in cybersecurity assessments
• “there is generally no assumption that legal advice was the focus of communications between a client and in-house counsel even when the latter is employed as in-house counsel. As in-house counsel often wear various hats, a factual foundation is required to demonstrate, with respect to each document sheltered by privilege, that in-house counsel’s involvement with the issue as qua-counsel”
• BIE Health Products v Canada (Attorney General), 2015 ONSC 544

Privilege in cybersecurity assessments
• Practice points for meetings
  • Limit attendance to those actually required to be there
  • Be careful regarding the content and circulation of minutes and other documents
  • Determine the subject of meetings in advance and be explicit if it is for the purpose of legal advice or litigation privilege
  • See Toronto-Dominion Bank v Leigh Instruments Ltd, where excessive internal circulation was a factor in finding a lack of privilege (1997), 32 OR (3d) 575 (OC (Gen Div))


Privilege in cybersecurity assessments
• Practice points for documents (including emails and attachments)
  • Appropriately mark documents as being “privileged and confidential”
  • Limit the circulation of legal advice to necessary recipients
  • Communicate legal advice separately from the communication of business advice
  • When acting as counsel (as opposed to acting in some business capacity), identify that capacity clearly in communications

Privilege in data breach response
• Does your organization have formal protocols in place to ensure that legal counsel is involved and privilege issues are considered in data breach response?
  • Yes 29%
  • No 34%
  • I don’t know 37%


Privilege in data breach response
• Target suspects a breach and retains outside counsel
• Target forms a Data Breach Task Force (at request of in-house and outside counsel) to educate the lawyers for legal advice and to prepare for litigation
• Target takes a two-track approach
  • Outside counsel set up the DBTF and engaged Verizon to educate the lawyers about the breach for the purpose of providing legal advice to Target
  • Target conducted its own ordinary-course investigation, and a second team from Verizon investigated the breach on behalf of credit card brands so that they and Target could learn how the breach happened


Privilege in data breach response
• “Target demonstrated through the declaration of [Chief Legal Officer] Timothy Baer that the work of the Data Breach Task Force was focused not on remediation of the breach, as Plaintiffs contend, but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow”
In re Target Corp Customer Data Security Breach Litigation, No 0:14-md-02522 (D Minn, Oct 23, 2015)

Privilege in data breach response
• “Solicitor-client privilege also extends to communications and circumstances where the third party employs an expertise in assembling information provided by the client and in explaining that information to the solicitor. The third party in such a situation is making the information relevant to the legal issues on which the solicitor’s advice is sought. The third party’s role in a situation of this nature is akin to a translator. The third party is an “agent of transmission” of communication between the client and the lawyer”
Redhead Equipment Ltd v Canada (Attorney General), 2014 SKQB 172


Privilege in data breach response
• Consider using external litigation counsel for investigations
• Clearly state in the investigator’s retainer letter that legal advice is sought and that privilege is asserted
• Where litigation is contemplated, consider retaining litigation counsel and marking documents appropriately (“prepared on instructions from litigation counsel and in anticipation of litigation”)

Privilege in data breach response
• Consider having all communications flow through counsel but… it has been held that a process of routinely submitting copies of documents to a lawyer in the hope of shielding relevant and non-privileged documents is improper
  • Guelph v Super Blue Box Recycling (2004), 2 CPC (6th) 276 (Ont SCJ)
  • Cusson v Quan (2004), 10 CPC (6th) 308 (Ont SCJ)


Key changes to PIPEDA
• What is a breach?
  • “breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from
    • a breach of an organization’s security safeguards or
    • from a failure to establish those safeguards

Key changes to PIPEDA
• What is the threshold for notice?
  • Notice is required where it is reasonable in the circumstances to believe that there is a “real risk of significant harm”
  • “significant harm” includes humiliation, ID theft, damage to reputation or relationships
  • “real risk” requires consideration of sensitivity of the information, probability of misuse and prescribed factors


Key changes to PIPEDA
• Who must notice be given to?
  • Notice to individuals except where prohibited by law
  • If notice given to individuals, notice must be given to other organizations and government if (a) notifying organization believes it may reduce risk or mitigate harm or (b) in prescribed circumstances
  • Report to Commissioner in prescribed form and manner where “real risk of significant harm”

Key changes to PIPEDA
• When and how to give notices and reports
  • Notice to individuals and other organizations and report to Commissioner must be given “as soon as feasible” after it is determined that a breach occurred
  • Notice must be conspicuous and direct, in the prescribed form and manner, except where indirect notice is prescribed


Key changes to PIPEDA
• What must notices contain?
  • Notice must contain (a) sufficient information to allow an individual to understand the significance of the breach to them and to take steps, if possible, to reduce the risk of harm or mitigate it and (b) any other prescribed information

Key changes to PIPEDA
• Mandatory breach record keeping
  • Organizations must keep a record of every breach in accordance with any prescribed requirements
  • No threshold for record keeping requirement
  • The Commissioner may obtain access to or a copy of all breach records at any time, for any reason, and publish such information


Key changes to PIPEDA
• Each knowing contravention of the breach reporting and notice rules or the breach record-keeping rules can result in
  • A summary offence and a $10,000 fine or
  • An indictable offence and a fine of up to $100,000

Ethical and professionalism issues
• Scenario update
  • It is known that the hackers stole the following
    • Name, address, date of birth, email, password, phone number, purchase history and credit card information
  • A few customers have called to report fraudulent activity
  • An office manager has instructed you to send the following notice, which he discussed with the CEO
“We recently learned that some of your personal information might have been affected in a security incident but we do not have any reason to suspect that it will be misused”


Ethical and professionalism issues
As in-house counsel, would you decide to:
1. Send the notice as instructed
2. Send the notice as you think it should be written
3. Raise the issue with the CEO and GC


Unprecedented activity and certifications
• Privacy class actions certified
  • LaRose v National Bank, 2010 QCCS 5385
  • Elkoby v Google, 2011 QSC No 500-06-000567
  • Rowlands v Durham Region, 2012 ONSC 3948
  • Albilia v Apple Inc, 2013 QCCS 2805
  • Evans v The Bank of Nova Scotia, 2014 ONSC 7249
  • Belley v TD Auto Finance, 2015 QCCS 168
  • Condon v Canada, 2015 FCA 159
  • Doe v The Queen, 2015 FC 916

Individual damage awards
• Early statutory tort claims
• Numerous PIPEDA cases
  • Nammo v TransUnion, 2010 FC 1284
  • Girao v Zarek Taylor LLP, 2011 FC 1070
  • Landry v Royal Bank of Canada, 2011 FC 687
  • Biron v RBC Royal Bank, 2012 FC 1095
  • Chitrakar v Bell TV, 2013 FC 1103
  • Henry v Bell Mobility, 2014 FC 555


Individual damage awards (cont’d)
• Jones v Tsige, 2012 ONCA 32
• Alberta v Union of Provincial Employees, 2012 CanLII 47215
• Action Auto Leasing v Gray, [2013] OJ No 898
• McIntosh v Legal Aid Ontario, 2014 ONSC 6136
• Albayate v Bank of Montreal, 2015 BCSC 695

Business practice claims
• Plimmer v Google, 2013 BCSC 681
• Albilia v Apple Inc, 2013 QCCS 2805
• Douez v Facebook Inc, 2015 BCCA 27
• Bell, 2015 (Relevant Ads Program litigation)


Employees cause issues
• MacEachern v Ford, Ontario SCJ No CV-13-18955
• Hynes v Western Regional Health, 2014 NLTD(G) 137
• Broutzas v Rouge Valley Centenary, 2014
• Hopkins v Kay, 2015 ONCA 112
• Evans v The Bank of Nova Scotia, 2014 ONSC 7249
• Doe v The Queen, 2015 FC 916
• Condon v Canada, 2015 FCA 159

Incident response matters
• Townsend v Sun Life Financial, 2012 FC 550
• Jones v Tsige, 2012 ONCA 32
• Chitrakar v Bell TV, 2013 FC 1103
• Evans v The Bank of Nova Scotia, 2014 ONSC 7249
• Belley v TD Auto Finance, 2015 QCCS 168


Theories of liability
• Claims have been based on
  • Intrusion upon seclusion
  • Breach of contract
  • Negligence
  • Statutory privacy torts
  • Breach of data protection laws
  • Public disclosure of private facts
  • Waiver of tort
  • Misrepresentation
  • Breach of warranty
  • Breach of confidence
  • Nuisance
  • Vicarious liability

Key issues on the horizon
• Impact of PIPEDA amendments and breach regulations, including on provincial laws
• Potential impacts of EU Safe Harbour decision
• Continued progress (and settlements) of privacy class actions
• Impact of CASL
  • actual loss or damage suffered or expenses incurred and
  • a maximum of
    • $200 for each contravention of section 6, not exceeding $1,000,000 for each day on which a contravention occurred
    • $1,000,000 for each day on which a contravention of section 7 or 8 occurred and
    • $1,000,000 for each contravention of section 9


Key issues on the horizon
• Collier v Steinhafel, Case No 14–00266 (D Minn, Jan 29, 2014)
• Kula v Steinhafel, Case No 14–00203 (D Minn, Jan 21, 2014)
• Palkon etc v Holmes et al, United States District Court, District of New Jersey, Civil Action No 2:14-CV-01234 (SRC)
• Louisiana Mun Police Employees Retirement Fund v Alvarez, 2010 Del Ch LEXIS 160 (Del Ch, July 14, 2010)

Key issues on the horizon
• Cyber insurance


Key issues on the horizon
• Ensure that your role as counsel is clearly defined
• Legal risk is a crucial consideration - consider
• Privacy policy and consent reviews
• Vendor contract reviews
• M&A transactions
• Risk transfer (contracts and insurance)
• Policies and procedures meet legal standards
• Incident response plan is implemented and tested
• Protocols regarding legal role in vendor contracts, cybersecurity reviews and incident response plans

Page 3: Cybersecurity and Data Breaches: Essentials for …d2cuav766x88m8.cloudfront.net/2015/011-Cybersecurity...4 Cybersecurity and Data Breaches: Essentials for Corporate Counsel A joint

3

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privacy 101

bull Statutory privacy torts

bull Public sector statutes

bull Private sector data protection statutes

bull Health privacy statutes

bull Sector-specific rules

bull Common law

bull International rules

Privilege in cybersecurity assessments

bull Does your organization have formal protocols in place to

ensure that legal counsel is involved and privilege issues are

considered in cybersecurity assessments

bull Yes 46

bull No 26

bull I donrsquot know 28

4

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Scenario

bull Your IT department retained an outside consultant to

conduct a security review Legal counsel was not involved

bull The consultant sent a written report to IT which identifies

major weaknesses in need of urgent attention

bull Before the problems are fixed hackers exploit one of the

key weaknesses identified in the report

bull Complaints and litigation ensue

bull The Privacy Commissioner and plaintiffrsquos counsel seek

production of the report

Privilege in cybersecurity assessments

bull Categories of privilege

bull Solicitor-client privilege

bull Litigation privilege

bull Settlement privilege

bull Ad hoc privilege

5

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Solicitor-client privilege applies where a communication is

bull made in the context of a solicitor-client relationship

bull made in the course of either requesting or providing legal

advice and

bull intended to remain confidential

bull Solosky v The Queen [1980] 1 SCR 821

Privilege in cybersecurity assessments

bull Communications that do not specifically request or provide

legal advice are still privileged where they are a ldquopart of a

continuum aimed at keeping both [parties] informed so that

advice may be sought and given as requiredrdquo

Balabel v Air India [1988] 2 All ER 246 (CA)

bull Solicitor-client privilege extends to records (eg a lawyerrsquos

working papers) directly related to the seeking formulating or

giving of legal advice or legal assistance

Susan Hosiery v Canada (MNR) [1969] CTC 353 (Ex Ct)

6

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Litigation privilege

bull Covers documents created for the dominant purpose of

litigation either actual or contemplated (eg surveillance

witness statements investigation reports)

bull Barristerrsquos notes of a non-privileged interview of his client

by an audit committee consultant met test for litigation

privilege where litigation was anticipated

R v Dunn 2012 ONSC 2748 at paras 53-59 (Nortel case)

Privilege in cybersecurity assessments

bull The Wigmore test

bull The communications must originate in a confidence that

they will not be disclosed

bull This element of confidentiality must be essential to the full

and satisfactory maintenance of the relation between the

parties

bull The relation must be one which in the opinion of the

community ought to be sedulously fostered

bull The injury that would inure to the relation by the disclosure

of the communications must be greater than the benefit

thereby gained for the correct disposal of litigation

7

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Scenario update

bull It is learned that the Chief Privacy Officer (CPO) of the

organization spoke with IT prior to retaining the consultant

bull The CPO told IT that the security review would be useful

because the board keeps asking about cybersecurity

bull The CPO is also in-house legal counsel for the company

Privilege in cybersecurity assessments

bull In-house counsel can wear many hats

bull Legal Advisor

bull Risk Manager

bull Policy Advisor

bull Compliance Monitor

bull Manager of Lawyers (amp Legal Expenses)

bull Business Advisor

bull Corporate Investigator

8

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Lawyers employed by a corporation are covered by solicitor-

client privilege as long as they are performing the function of

a solicitor not a ldquobusiness counsellorrdquo

Canada (Privacy Commissioner) v Blood Tribe Department of Health 2008 SCC 44 at para 10

Pritchard v Ontario [2004] 1 SCR 809

IBM Canada Ltd v Xerox of Canada Ltd [1978] 1 FC 513 (CA)

R v Shirose (sub nom R v Campbell) (1999) 171 DLR (4th) 193 (SCC)

Privilege in cybersecurity assessments

bull ldquoAdvice given by lawyers on matters outside the

solicitor-client relationship is not protected A comparable

range of functions is exhibited by salaried corporate counsel

employed by business organizations hellipalthough (as in

government) the corporate context creates special problems

see hellip No solicitor-client privilege attaches to advice on

purely business matters even where it is provided by a

lawyerrdquo R v Campbell [1999] 1 SCR 565 at para 50

9

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull If a lawyer also has an official role in the management of the

company for which she works her activities relating to the

management role do not attract solicitor-client privilege Presswood v International Chemalloy Corp (1975) 11 OR (2d) 164

See also Toronto-Dominion Bank v Leigh Instruments Ltd (1997) 32 OR (3d) 575 (OC (GenDiv))

Privilege in cybersecurity assessments

bull Scenario update

bull It has been determined that on the day the report was

received it was discussed at a meeting with IT human

resources risk management and in-house counsel

bull The report itself was destroyed at the meeting and no

copies remain

bull The plaintiff calls in-house counsel as a witness in the

litigation against the company

10

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull When will a lawyerrsquos presence at a meeting render the

subject of the meeting privileged

bull The mere fact of a lawyerrsquos involvement does not establish

privilege

bull Courts have held that privilege attaches to those portions

of board meeting minutes that record counselrsquos advice Nova Scotia Power Corp v Surveyer Nenniger amp Chenevert Inc (1986) 74 NSR (2d)

327 (NS TD) affrsquod (1987) 78 NSR (2d) 217 (CA)

Privilege in cybersecurity assessments

bull Privilege is not the same as confidentiality

bull For example

bull LSUC Rule 33-1 - A lawyer at all times shall hold in strict

confidence all information concerning the business and

affairs of the client acquired in the course of the

professional relationship and shall not divulge any such

information unless

bull (a) expressly or impliedly authorized by the client

bull (b) required by law or by order of a tribunal of competent

jurisdiction to do so hellip

11

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull ldquothere is generally no assumption that legal advice was the

focus of communications between a client and in-house

counsel even when the latter is employed as in-house

counsel As in-house counsel often wear various hats a

factual foundation is required to demonstrate with respect

to each document sheltered by privilege that in-house

counsels involvement with the issue as qua-counselrdquo

bull BIE Health Products v Canada (Attorney General) 2015 ONSC 544

Privilege in cybersecurity assessments

bull Practice points for meetings

bull Limit attendance to those actually required to be there

bull Be careful regarding the content and circulation of minutes

and other documents

bull Determine the subject of meetings in advance and be

explicit if it is for the purpose of legal advice or litigation

privilege

bull See Toronto-Dominion Bank v Leigh Instruments Ltd where

excessive internal circulation was a factor in finding a lack of privilege

(1997) 32 OR (3d) 575 (OC (GenDiv))

12

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Practice points for documents (including emails and

attachments)

bull Appropriately mark documents as being ldquoprivileged and

confidentialrdquo

bull Limit the circulation of legal advice to necessary recipients

bull Communicate legal advice separately from the

communication of business advice

bull When acting as counsel (as opposed to acting in some

business capacity) identify that capacity clearly in

communications

Privilege in data breach response

bull Does your organization have formal protocols in place to

ensure that legal counsel is involved and privilege issues are

considered in data breach response

bull Yes 29

bull No 34

bull I donrsquot know 37

13

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

Privilege in data breach response

bull Target suspects a breach and retains outside counsel

bull Target forms a Data Breach Task Force (at request of in-

house and outside counsel) to educate the lawyers for legal

advice and to prepare for litigation

bull Target takes a two-track approach

bull Outside counsel set up the DBTF and engaged Verizon to

educate the lawyers about the breach for the purpose of

providing legal advice to Target

bull Target conducted its own ordinary-course investigation and

a second team from Verizon investigated the breach on

behalf of credit card brands so that they and Target could

learn how the breach happened

14

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

bull ldquoTarget demonstrated through the declaration of [Chief Legal

Officer] Timothy Baer that the work of the Data Breach

Task Force was focused not on remediation of the

breach as Plaintiffs contend but on informing Targetrsquos

inhouse and outside counsel about the breach so that

Targetrsquos attorneys could provide the company with legal

advice and prepare to defend the company in litigation that

was already pending and was reasonably expected to followrdquo

In re Target Corp Customer Data Security Breach Litigation No 014-md-

02522 (D Minn Oct 23 2015)

Privilege in data breach response

bull ldquoSolicitor-client privilege also extends to communications and

circumstances where the third party employs an expertise

in assembling information provided by the client and in

explaining that information to the solicitor The third party

in such a situation is making the information relevant to the

legal issues on which the solicitors advice is sought The third

partys role in a situation of this nature is akin to a translator

The third party is an ldquoagent of transmissionrdquo of communication

between the client and the lawyerrdquo

Redhead Equipment Ltd v Canada (Attorney General) 2014 SKQB 172

15

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

bull Consider using external litigation counsel for investigations

bull Clearly state in the investigatorrsquos retainer letter that legal

advice is sought and that privilege is asserted

bull Where litigation is contemplated consider retaining litigation

counsel and marking documents appropriately (ldquoprepared on

instructions from litigation counsel and in anticipation of

litigationrdquo)

Privilege in data breach response

bull Consider having all communications flow through counsel

buthellip it has been held that a process of routinely submitting

copies of documents to a lawyer in the hope of shielding

relevant and non-privileged documents is improper

bull Guelph v Super Blue Box Recycling (2004) 2 CPC (6th) 276

(Ont SCJ)

bull Cusson v Quan (2004) 10 CPC (6th) 308 (Ont SCJ)


Key changes to PIPEDA

• What is a breach?
  • “breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from
    • a breach of an organization’s security safeguards, or
    • from a failure to establish those safeguards

Key changes to PIPEDA

• What is the threshold for notice?
  • Notice is required where it is reasonable in the circumstances to believe that there is a “real risk of significant harm”
  • “significant harm” includes humiliation, ID theft, damage to reputation or relationships
  • “real risk” requires consideration of sensitivity of the information, probability of misuse and prescribed factors


Key changes to PIPEDA

• Who must notice be given to?
  • Notice to individuals, except where prohibited by law
  • If notice given to individuals, notice must be given to other organizations and government if (a) notifying organization believes it may reduce risk or mitigate harm, or (b) in prescribed circumstances
  • Report to Commissioner in prescribed form and manner where “real risk of significant harm”

Key changes to PIPEDA

• When and how to give notices and reports
  • Notice to individuals and other organizations and report to Commissioner must be given “as soon as feasible” after it is determined that a breach occurred
  • Notice must be conspicuous and direct, in the prescribed form and manner, except where indirect notice is prescribed


Key changes to PIPEDA

• What must notices contain?
  • Notice must contain (a) sufficient information to allow an individual to understand the significance of the breach to them and to take steps, if possible, to reduce the risk of harm or mitigate it, and (b) any other prescribed information

Key changes to PIPEDA

• Mandatory breach record keeping
  • Organizations must keep a record of every breach in accordance with any prescribed requirements
  • No threshold for record keeping requirement
  • The Commissioner may obtain access to, or a copy of, all breach records at any time, for any reason, and publish such information


Key changes to PIPEDA

• Each knowing contravention of the breach reporting and notice rules or the breach record-keeping rules can result in
  • A summary offence and a $10,000 fine, or
  • An indictable offence and a fine of up to $100,000

Ethical and professionalism issues

• Scenario update
  • It is known that the hackers stole the following
    • Name, address, date of birth, email, password, phone number, purchase history and credit card information
  • A few customers have called to report fraudulent activity
  • An office manager has instructed you to send the following notice, which he discussed with the CEO

“We recently learned that some of your personal information might have been affected in a security incident, but we do not have any reason to suspect that it will be misused.”


Ethical and professionalism issues

As in-house counsel, would you decide to:

1. Send the notice as instructed
2. Send the notice as you think it should be written
3. Raise the issue with the CEO and GC


Unprecedented activity and certifications

• Privacy class actions certified
  • LaRose v National Bank, 2010 QCCS 5385
  • Elkoby v Google, 2011 QSC No 500-06-000567
  • Rowlands v Durham Region, 2012 ONSC 3948
  • Albilia v Apple Inc, 2013 QCCS 2805
  • Evans v The Bank of Nova Scotia, 2014 ONSC 7249
  • Belley v TD Auto Finance, 2015 QCCS 168
  • Condon v Canada, 2015 FCA 159
  • Doe v The Queen, 2015 FC 916

Individual damage awards

• Early statutory tort claims
• Numerous PIPEDA cases
  • Nammo v TransUnion, 2010 FC 1284
  • Girao v Zarek Taylor LLP, 2011 FC 1070
  • Landry v Royal Bank of Canada, 2011 FC 687
  • Biron v RBC Royal Bank, 2012 FC 1095
  • Chitrakar v Bell TV, 2013 FC 1103
  • Henry v Bell Mobility, 2014 FC 555


Individual damage awards (cont’d)

• Jones v Tsige, 2012 ONCA 32
• Alberta v Union of Provincial Employees, 2012 CanLII 47215
• Action Auto Leasing v Gray, [2013] OJ No 898
• McIntosh v Legal Aid Ontario, 2014 ONSC 6136
• Albayate v Bank of Montreal, 2015 BCSC 695

Business practice claims

• Plimmer v Google, 2013 BCSC 681
• Albilia v Apple Inc, 2013 QCCS 2805
• Douez v Facebook Inc, 2015 BCCA 27
• Bell 2015 (Relevant Ads Program litigation)


Employees cause issues

• MacEachern v Ford, Ontario SCJ No CV-13-18955
• Hynes v Western Regional Health, 2014 NLTD(G) 137
• Broutzas v Rouge Valley Centenary, 2014
• Hopkins v Kay, 2015 ONCA 112
• Evans v The Bank of Nova Scotia, 2014 ONSC 7249
• Doe v The Queen, 2015 FC 916
• Condon v Canada, 2015 FCA 159

Incident response matters

• Townsend v Sun Life Financial, 2012 FC 550
• Jones v Tsige, 2012 ONCA 32
• Chitrakar v Bell TV, 2013 FC 1103
• Evans v The Bank of Nova Scotia, 2014 ONSC 7249
• Belley v TD Auto Finance, 2015 QCCS 168


Theories of liability

• Claims have been based on
  • Intrusion upon seclusion
  • Breach of contract
  • Negligence
  • Statutory privacy torts
  • Breach of data protection laws
  • Public disclosure of private facts
  • Waiver of tort
  • Misrepresentation
  • Breach of warranty
  • Breach of confidence
  • Nuisance
  • Vicarious liability

Key issues on the horizon

• Impact of PIPEDA amendments and breach regulations, including on provincial laws
• Potential impacts of EU Safe Harbour decision
• Continued progress (and settlements) of privacy class actions
• Impact of CASL
  • actual loss or damage suffered or expenses incurred, and
  • a maximum of
    • $200 for each contravention of section 6, not exceeding $1,000,000 for each day on which a contravention occurred
    • $1,000,000 for each day on which a contravention of section 7 or 8 occurred, and
    • $1,000,000 for each contravention of section 9


Key issues on the horizon

• Collier v Steinhafel, Case No 14–00266 (D Minn Jan 29, 2014)
• Kula v Steinhafel, Case No 14–00203 (D Minn Jan 21, 2014)
• Palkon etc v Holmes et al, United States District Court, District of New Jersey, Civil Action No 214 - CV – 01234 (SRC)
• Louisiana Mun Police Employees Retirement Fund v Alvarez, 2010 Del Ch LEXIS 160 (Del Ch July 14, 2010)

Key issues on the horizon

• Cyber insurance


Key issues on the horizon

• Ensure that your role as counsel is clearly defined
• Legal risk is a crucial consideration - consider
• Privacy policy and consent reviews
• Vendor contract reviews
• M&A transactions
• Risk transfer (contracts and insurance)
• Policies and procedures meet legal standards
• Incident response plan is implemented and tested
• Protocols regarding legal role in vendor contracts, cybersecurity reviews and incident response plans


Privilege in cybersecurity assessments

• Scenario
  • Your IT department retained an outside consultant to conduct a security review. Legal counsel was not involved.
  • The consultant sent a written report to IT which identifies major weaknesses in need of urgent attention
  • Before the problems are fixed, hackers exploit one of the key weaknesses identified in the report
  • Complaints and litigation ensue
  • The Privacy Commissioner and plaintiff’s counsel seek production of the report

Privilege in cybersecurity assessments

• Categories of privilege
  • Solicitor-client privilege
  • Litigation privilege
  • Settlement privilege
  • Ad hoc privilege


Privilege in cybersecurity assessments

• Solicitor-client privilege applies where a communication is
  • made in the context of a solicitor-client relationship
  • made in the course of either requesting or providing legal advice, and
  • intended to remain confidential
  • Solosky v The Queen, [1980] 1 SCR 821

Privilege in cybersecurity assessments

• Communications that do not specifically request or provide legal advice are still privileged where they are a “part of a continuum aimed at keeping both [parties] informed so that advice may be sought and given as required”
  Balabel v Air India, [1988] 2 All ER 246 (CA)
• Solicitor-client privilege extends to records (e.g. a lawyer’s working papers) directly related to the seeking, formulating or giving of legal advice or legal assistance
  Susan Hosiery v Canada (MNR), [1969] CTC 353 (Ex Ct)


Privilege in cybersecurity assessments

• Litigation privilege
  • Covers documents created for the dominant purpose of litigation, either actual or contemplated (e.g. surveillance, witness statements, investigation reports)
  • Barrister’s notes of a non-privileged interview of his client by an audit committee consultant met test for litigation privilege where litigation was anticipated
  R v Dunn, 2012 ONSC 2748 at paras 53-59 (Nortel case)

Privilege in cybersecurity assessments

• The Wigmore test
  • The communications must originate in a confidence that they will not be disclosed
  • This element of confidentiality must be essential to the full and satisfactory maintenance of the relation between the parties
  • The relation must be one which, in the opinion of the community, ought to be sedulously fostered
  • The injury that would inure to the relation by the disclosure of the communications must be greater than the benefit thereby gained for the correct disposal of litigation


Privilege in cybersecurity assessments

• Scenario update
  • It is learned that the Chief Privacy Officer (CPO) of the organization spoke with IT prior to retaining the consultant
  • The CPO told IT that the security review would be useful because the board keeps asking about cybersecurity
  • The CPO is also in-house legal counsel for the company

Privilege in cybersecurity assessments

• In-house counsel can wear many hats
  • Legal Advisor
  • Risk Manager
  • Policy Advisor
  • Compliance Monitor
  • Manager of Lawyers (& Legal Expenses)
  • Business Advisor
  • Corporate Investigator


Privilege in cybersecurity assessments

• Lawyers employed by a corporation are covered by solicitor-client privilege as long as they are performing the function of a solicitor, not a “business counsellor”

Canada (Privacy Commissioner) v Blood Tribe Department of Health, 2008 SCC 44 at para 10
Pritchard v Ontario, [2004] 1 SCR 809
IBM Canada Ltd v Xerox of Canada Ltd, [1978] 1 FC 513 (CA)
R v Shirose (sub nom R v Campbell) (1999), 171 DLR (4th) 193 (SCC)

Privilege in cybersecurity assessments

• “Advice given by lawyers on matters outside the solicitor-client relationship is not protected. A comparable range of functions is exhibited by salaried corporate counsel employed by business organizations …although (as in government) the corporate context creates special problems see … No solicitor-client privilege attaches to advice on purely business matters even where it is provided by a lawyer.”
  R v Campbell, [1999] 1 SCR 565 at para 50


Privilege in cybersecurity assessments

• If a lawyer also has an official role in the management of the company for which she works, her activities relating to the management role do not attract solicitor-client privilege

Presswood v International Chemalloy Corp (1975), 11 OR (2d) 164
See also Toronto-Dominion Bank v Leigh Instruments Ltd (1997), 32 OR (3d) 575 (OC (GenDiv))

Privilege in cybersecurity assessments

• Scenario update
  • It has been determined that on the day the report was received, it was discussed at a meeting with IT, human resources, risk management and in-house counsel
  • The report itself was destroyed at the meeting and no copies remain
  • The plaintiff calls in-house counsel as a witness in the litigation against the company


Privilege in cybersecurity assessments

• When will a lawyer’s presence at a meeting render the subject of the meeting privileged?
  • The mere fact of a lawyer’s involvement does not establish privilege
  • Courts have held that privilege attaches to those portions of board meeting minutes that record counsel’s advice
  Nova Scotia Power Corp v Surveyer Nenniger & Chenevert Inc (1986), 74 NSR (2d) 327 (NS TD), aff’d (1987), 78 NSR (2d) 217 (CA)

Privilege in cybersecurity assessments

• Privilege is not the same as confidentiality
• For example
  • LSUC Rule 33-1 - A lawyer at all times shall hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship and shall not divulge any such information unless
    • (a) expressly or impliedly authorized by the client
    • (b) required by law or by order of a tribunal of competent jurisdiction to do so …


Privilege in cybersecurity assessments

• “there is generally no assumption that legal advice was the focus of communications between a client and in-house counsel even when the latter is employed as in-house counsel. As in-house counsel often wear various hats, a factual foundation is required to demonstrate, with respect to each document sheltered by privilege, that in-house counsel’s involvement with the issue as qua-counsel”
  • BIE Health Products v Canada (Attorney General), 2015 ONSC 544

Privilege in cybersecurity assessments

• Practice points for meetings
  • Limit attendance to those actually required to be there
  • Be careful regarding the content and circulation of minutes and other documents
  • Determine the subject of meetings in advance and be explicit if it is for the purpose of legal advice or litigation privilege
  • See Toronto-Dominion Bank v Leigh Instruments Ltd, where excessive internal circulation was a factor in finding a lack of privilege (1997), 32 OR (3d) 575 (OC (GenDiv))


Privilege in cybersecurity assessments

• Practice points for documents (including emails and attachments)
  • Appropriately mark documents as being “privileged and confidential”
  • Limit the circulation of legal advice to necessary recipients
  • Communicate legal advice separately from the communication of business advice
  • When acting as counsel (as opposed to acting in some business capacity), identify that capacity clearly in communications

Privilege in data breach response

• Does your organization have formal protocols in place to ensure that legal counsel is involved and privilege issues are considered in data breach response?
  • Yes 29%
  • No 34%
  • I don’t know 37%


Privilege in data breach response

• Target suspects a breach and retains outside counsel
• Target forms a Data Breach Task Force (at request of in-house and outside counsel) to educate the lawyers for legal advice and to prepare for litigation
• Target takes a two-track approach
  • Outside counsel set up the DBTF and engaged Verizon to educate the lawyers about the breach for the purpose of providing legal advice to Target
  • Target conducted its own ordinary-course investigation, and a second team from Verizon investigated the breach on behalf of credit card brands so that they and Target could learn how the breach happened


Privilege in data breach response

• “Target demonstrated, through the declaration of [Chief Legal Officer] Timothy Baer, that the work of the Data Breach Task Force was focused not on remediation of the breach, as Plaintiffs contend, but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.”

In re Target Corp Customer Data Security Breach Litigation, No 014-md-02522 (D Minn Oct 23, 2015)



Privilege in cybersecurity assessments

• Solicitor-client privilege applies where a communication is
  • made in the context of a solicitor-client relationship
  • made in the course of either requesting or providing legal advice, and
  • intended to remain confidential
• Solosky v The Queen [1980] 1 SCR 821

Privilege in cybersecurity assessments

• Communications that do not specifically request or provide legal advice are still privileged where they are a “part of a continuum aimed at keeping both [parties] informed so that advice may be sought and given as required”
  Balabel v Air India [1988] 2 All ER 246 (CA)
• Solicitor-client privilege extends to records (e.g. a lawyer’s working papers) directly related to the seeking, formulating or giving of legal advice or legal assistance
  Susan Hosiery v Canada (MNR) [1969] CTC 353 (Ex Ct)


Privilege in cybersecurity assessments

• Litigation privilege
  • Covers documents created for the dominant purpose of litigation, either actual or contemplated (e.g. surveillance, witness statements, investigation reports)
  • Barrister’s notes of a non-privileged interview of his client by an audit committee consultant met test for litigation privilege where litigation was anticipated
    R v Dunn 2012 ONSC 2748 at paras 53-59 (Nortel case)

Privilege in cybersecurity assessments

• The Wigmore test
  • The communications must originate in a confidence that they will not be disclosed
  • This element of confidentiality must be essential to the full and satisfactory maintenance of the relation between the parties
  • The relation must be one which in the opinion of the community ought to be sedulously fostered
  • The injury that would inure to the relation by the disclosure of the communications must be greater than the benefit thereby gained for the correct disposal of litigation


Privilege in cybersecurity assessments

• Scenario update
  • It is learned that the Chief Privacy Officer (CPO) of the organization spoke with IT prior to retaining the consultant
  • The CPO told IT that the security review would be useful because the board keeps asking about cybersecurity
  • The CPO is also in-house legal counsel for the company

Privilege in cybersecurity assessments

• In-house counsel can wear many hats
  • Legal Advisor
  • Risk Manager
  • Policy Advisor
  • Compliance Monitor
  • Manager of Lawyers (& Legal Expenses)
  • Business Advisor
  • Corporate Investigator


Privilege in cybersecurity assessments

• Lawyers employed by a corporation are covered by solicitor-client privilege as long as they are performing the function of a solicitor, not a “business counsellor”
  Canada (Privacy Commissioner) v Blood Tribe Department of Health 2008 SCC 44 at para 10
  Pritchard v Ontario [2004] 1 SCR 809
  IBM Canada Ltd v Xerox of Canada Ltd [1978] 1 FC 513 (CA)
  R v Shirose (sub nom R v Campbell) (1999) 171 DLR (4th) 193 (SCC)

Privilege in cybersecurity assessments

• “Advice given by lawyers on matters outside the solicitor-client relationship is not protected. A comparable range of functions is exhibited by salaried corporate counsel employed by business organizations … although (as in government) the corporate context creates special problems see … No solicitor-client privilege attaches to advice on purely business matters even where it is provided by a lawyer” R v Campbell [1999] 1 SCR 565 at para 50


Privilege in cybersecurity assessments

• If a lawyer also has an official role in the management of the company for which she works, her activities relating to the management role do not attract solicitor-client privilege
  Presswood v International Chemalloy Corp (1975) 11 OR (2d) 164
  See also Toronto-Dominion Bank v Leigh Instruments Ltd (1997) 32 OR (3d) 575 (OC (GenDiv))

Privilege in cybersecurity assessments

• Scenario update
  • It has been determined that on the day the report was received, it was discussed at a meeting with IT, human resources, risk management and in-house counsel
  • The report itself was destroyed at the meeting and no copies remain
  • The plaintiff calls in-house counsel as a witness in the litigation against the company


Privilege in cybersecurity assessments

• When will a lawyer’s presence at a meeting render the subject of the meeting privileged?
  • The mere fact of a lawyer’s involvement does not establish privilege
  • Courts have held that privilege attaches to those portions of board meeting minutes that record counsel’s advice
    Nova Scotia Power Corp v Surveyer Nenniger & Chenevert Inc (1986) 74 NSR (2d) 327 (NS TD) aff’d (1987) 78 NSR (2d) 217 (CA)

Privilege in cybersecurity assessments

• Privilege is not the same as confidentiality
• For example
  • LSUC Rule 3.3-1 - A lawyer at all times shall hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship and shall not divulge any such information unless
    • (a) expressly or impliedly authorized by the client
    • (b) required by law or by order of a tribunal of competent jurisdiction to do so …


Privilege in cybersecurity assessments

• “there is generally no assumption that legal advice was the focus of communications between a client and in-house counsel, even when the latter is employed as in-house counsel. As in-house counsel often wear various hats, a factual foundation is required to demonstrate, with respect to each document sheltered by privilege, that in-house counsel’s involvement with the issue as qua-counsel”
• BIE Health Products v Canada (Attorney General) 2015 ONSC 544

Privilege in cybersecurity assessments

• Practice points for meetings
  • Limit attendance to those actually required to be there
  • Be careful regarding the content and circulation of minutes and other documents
  • Determine the subject of meetings in advance and be explicit if it is for the purpose of legal advice or litigation privilege
  • See Toronto-Dominion Bank v Leigh Instruments Ltd, where excessive internal circulation was a factor in finding a lack of privilege (1997) 32 OR (3d) 575 (OC (GenDiv))


Privilege in cybersecurity assessments

• Practice points for documents (including emails and attachments)
  • Appropriately mark documents as being “privileged and confidential”
  • Limit the circulation of legal advice to necessary recipients
  • Communicate legal advice separately from the communication of business advice
  • When acting as counsel (as opposed to acting in some business capacity), identify that capacity clearly in communications

Privilege in data breach response

• Does your organization have formal protocols in place to ensure that legal counsel is involved and privilege issues are considered in data breach response?
  • Yes 29%
  • No 34%
  • I don’t know 37%


Privilege in data breach response

• Target suspects a breach and retains outside counsel
• Target forms a Data Breach Task Force (at request of in-house and outside counsel) to educate the lawyers for legal advice and to prepare for litigation
• Target takes a two-track approach
  • Outside counsel set up the DBTF and engaged Verizon to educate the lawyers about the breach for the purpose of providing legal advice to Target
  • Target conducted its own ordinary-course investigation, and a second team from Verizon investigated the breach on behalf of credit card brands so that they and Target could learn how the breach happened


Privilege in data breach response

• “Target demonstrated, through the declaration of [Chief Legal Officer] Timothy Baer, that the work of the Data Breach Task Force was focused not on remediation of the breach, as Plaintiffs contend, but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow”
  In re Target Corp Customer Data Security Breach Litigation No 014-md-02522 (D Minn Oct 23 2015)

Privilege in data breach response

• “Solicitor-client privilege also extends to communications and circumstances where the third party employs an expertise in assembling information provided by the client and in explaining that information to the solicitor. The third party in such a situation is making the information relevant to the legal issues on which the solicitor’s advice is sought. The third party’s role in a situation of this nature is akin to a translator. The third party is an “agent of transmission” of communication between the client and the lawyer”
  Redhead Equipment Ltd v Canada (Attorney General) 2014 SKQB 172


Privilege in data breach response

• Consider using external litigation counsel for investigations
• Clearly state in the investigator’s retainer letter that legal advice is sought and that privilege is asserted
• Where litigation is contemplated, consider retaining litigation counsel and marking documents appropriately (“prepared on instructions from litigation counsel and in anticipation of litigation”)

Privilege in data breach response

• Consider having all communications flow through counsel, but… it has been held that a process of routinely submitting copies of documents to a lawyer in the hope of shielding relevant and non-privileged documents is improper
  • Guelph v Super Blue Box Recycling (2004) 2 CPC (6th) 276 (Ont SCJ)
  • Cusson v Quan (2004) 10 CPC (6th) 308 (Ont SCJ)


Key changes to PIPEDA

• What is a breach?
  • “breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from
    • a breach of an organization’s security safeguards or
    • from a failure to establish those safeguards

Key changes to PIPEDA

• What is the threshold for notice?
  • Notice is required where it is reasonable in the circumstances to believe that there is a “real risk of significant harm”
  • “significant harm” includes humiliation, ID theft, damage to reputation or relationships
  • “real risk” requires consideration of sensitivity of the information, probability of misuse and prescribed factors


Key changes to PIPEDA

• Who must notice be given to?
  • Notice to individuals, except where prohibited by law
  • If notice given to individuals, notice must be given to other organizations and government if (a) notifying organization believes it may reduce risk or mitigate harm or (b) in prescribed circumstances
  • Report to Commissioner in prescribed form and manner where “real risk of significant harm”

Key changes to PIPEDA

• When and how to give notices and reports
  • Notice to individuals and other organizations and report to Commissioner must be given “as soon as feasible” after it is determined that a breach occurred
  • Notice must be conspicuous and direct, in the prescribed form and manner, except where indirect notice is prescribed


Key changes to PIPEDA

• What must notices contain?
  • Notice must contain (a) sufficient information to allow an individual to understand the significance of the breach to them and to take steps, if possible, to reduce the risk of harm or mitigate it and (b) any other prescribed information

Key changes to PIPEDA

• Mandatory breach record keeping
  • Organizations must keep a record of every breach in accordance with any prescribed requirements
  • No threshold for record keeping requirement
  • The Commissioner may obtain access to or a copy of all breach records at any time for any reason and publish such information


Key changes to PIPEDA

• Each knowing contravention of the breach reporting and notice rules or the breach record-keeping rules can result in
  • A summary offence and a $10,000 fine or
  • An indictable offence and a fine of up to $100,000

Ethical and professionalism issues

• Scenario update
  • It is known that the hackers stole the following
    • Name, address, date of birth, email, password, phone number, purchase history and credit card information
  • A few customers have called to report fraudulent activity
  • An office manager has instructed you to send the following notice, which he discussed with the CEO
    “We recently learned that some of your personal information might have been affected in a security incident, but we do not have any reason to suspect that it will be misused”


Ethical and professionalism issues

As in-house counsel, would you decide to
1. Send the notice as instructed
2. Send the notice as you think it should be written
3. Raise the issue with the CEO and GC


Unprecedented activity and certifications

• Privacy class actions certified
  • LaRose v National Bank 2010 QCCS 5385
  • Elkoby v Google 2011 QSC No 500-06-000567
  • Rowlands v Durham Region 2012 ONSC 3948
  • Albilia v Apple Inc 2013 QCCS 2805
  • Evans v The Bank of Nova Scotia 2014 ONSC 7249
  • Belley v TD Auto Finance 2015 QCCS 168
  • Condon v Canada 2015 FCA 159
  • Doe v The Queen 2015 FC 916

Individual damage awards

• Early statutory tort claims
• Numerous PIPEDA cases
  • Nammo v TransUnion 2010 FC 1284
  • Girao v Zarek Taylor LLP 2011 FC 1070
  • Landry v Royal Bank of Canada 2011 FC 687
  • Biron v RBC Royal Bank 2012 FC 1095
  • Chitrakar v Bell TV 2013 FC 1103
  • Henry v Bell Mobility 2014 FC 555


Individual damage awards (cont’d)

• Jones v Tsige 2012 ONCA 32
• Alberta v Union of Provincial Employees 2012 CanLII 47215
• Action Auto Leasing v Gray [2013] OJ No 898
• McIntosh v Legal Aid Ontario 2014 ONSC 6136
• Albayate v Bank of Montreal 2015 BCSC 695

Business practice claims

• Plimmer v Google 2013 BCSC 681
• Albilia v Apple inc 2013 QCCS 2805
• Douez v Facebook Inc 2015 BCCA 27
• Bell 2015 (Relevant Ads Program litigation)


Employees cause issues

• MacEachern v Ford Ontario SCJ No CV-13-18955
• Hynes v Western Regional Health 2014 NLTD(G) 137
• Broutzas v Rouge Valley Centenary 2014
• Hopkins v Kay 2015 ONCA 112
• Evans v The Bank of Nova Scotia 2014 ONSC 7249
• Doe v The Queen 2015 FC 916
• Condon v Canada 2015 FCA 159

Incident response matters

• Townsend v Sun Life Financial 2012 FC 550
• Jones v Tsige 2012 ONCA 32
• Chitrakar v Bell TV 2013 FC 1103
• Evans v The Bank of Nova Scotia 2014 ONSC 7249
• Belley v TD Auto Finance 2015 QCCS 168


Theories of liability

• Claims have been based on
  • Intrusion upon seclusion
  • Breach of contract
  • Negligence
  • Statutory privacy torts
  • Breach of data protection laws
  • Public disclosure of private facts
  • Waiver of tort
  • Misrepresentation
  • Breach of warranty
  • Breach of confidence
  • Nuisance
  • Vicarious liability

Key issues on the horizon

• Impact of PIPEDA amendments and breach regulations, including on provincial laws
• Potential impacts of EU Safe Harbour decision
• Continued progress (and settlements) of privacy class actions
• Impact of CASL
  • actual loss or damage suffered or expenses incurred, and
  • a maximum of
    • $200 for each contravention of section 6, not exceeding $1,000,000 for each day on which a contravention occurred
    • $1,000,000 for each day on which a contravention of section 7 or 8 occurred, and
    • $1,000,000 for each contravention of section 9


Key issues on the horizon

• Collier v Steinhafel Case No 14–00266 (D Minn Jan 29 2014)
• Kula v Steinhafel Case No 14–00203 (D Minn Jan 21 2014)
• Palkon etc v Holmes et al United States District Court District of New Jersey Civil Action No 214 - CV – 01234 (SRC)
• Louisiana Mun Police Employees Retirement Fund v Alvarez 2010 Del Ch LEXIS 160 (Del Ch July 14 2010)

Key issues on the horizon

• Cyber insurance


Key issues on the horizon

• Ensure that your role as counsel is clearly defined
• Legal risk is a crucial consideration - consider
  • Privacy policy and consent reviews
  • Vendor contract reviews
  • M&A transactions
  • Risk transfer (contracts and insurance)
• Policies and procedures meet legal standards
• Incident response plan is implemented and tested
• Protocols regarding legal role in vendor contracts, cybersecurity reviews and incident response plans

Page 6: Cybersecurity and Data Breaches: Essentials for …d2cuav766x88m8.cloudfront.net/2015/011-Cybersecurity...4 Cybersecurity and Data Breaches: Essentials for Corporate Counsel A joint

6

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Litigation privilege

bull Covers documents created for the dominant purpose of

litigation either actual or contemplated (eg surveillance

witness statements investigation reports)

bull Barristerrsquos notes of a non-privileged interview of his client

by an audit committee consultant met test for litigation

privilege where litigation was anticipated

R v Dunn 2012 ONSC 2748 at paras 53-59 (Nortel case)

Privilege in cybersecurity assessments

bull The Wigmore test

bull The communications must originate in a confidence that

they will not be disclosed

bull This element of confidentiality must be essential to the full

and satisfactory maintenance of the relation between the

parties

bull The relation must be one which in the opinion of the

community ought to be sedulously fostered

bull The injury that would inure to the relation by the disclosure

of the communications must be greater than the benefit

thereby gained for the correct disposal of litigation

7

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Scenario update

bull It is learned that the Chief Privacy Officer (CPO) of the

organization spoke with IT prior to retaining the consultant

bull The CPO told IT that the security review would be useful

because the board keeps asking about cybersecurity

bull The CPO is also in-house legal counsel for the company

Privilege in cybersecurity assessments

bull In-house counsel can wear many hats

bull Legal Advisor

bull Risk Manager

bull Policy Advisor

bull Compliance Monitor

bull Manager of Lawyers (amp Legal Expenses)

bull Business Advisor

bull Corporate Investigator

8

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Lawyers employed by a corporation are covered by solicitor-

client privilege as long as they are performing the function of

a solicitor not a ldquobusiness counsellorrdquo

Canada (Privacy Commissioner) v Blood Tribe Department of Health 2008 SCC 44 at para 10

Pritchard v Ontario [2004] 1 SCR 809

IBM Canada Ltd v Xerox of Canada Ltd [1978] 1 FC 513 (CA)

R v Shirose (sub nom R v Campbell) (1999) 171 DLR (4th) 193 (SCC)

Privilege in cybersecurity assessments

bull ldquoAdvice given by lawyers on matters outside the

solicitor-client relationship is not protected A comparable

range of functions is exhibited by salaried corporate counsel

employed by business organizations hellipalthough (as in

government) the corporate context creates special problems

see hellip No solicitor-client privilege attaches to advice on

purely business matters even where it is provided by a

lawyerrdquo R v Campbell [1999] 1 SCR 565 at para 50

9

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull If a lawyer also has an official role in the management of the

company for which she works her activities relating to the

management role do not attract solicitor-client privilege Presswood v International Chemalloy Corp (1975) 11 OR (2d) 164

See also Toronto-Dominion Bank v Leigh Instruments Ltd (1997) 32 OR (3d) 575 (OC (GenDiv))

Privilege in cybersecurity assessments

bull Scenario update

bull It has been determined that on the day the report was

received it was discussed at a meeting with IT human

resources risk management and in-house counsel

bull The report itself was destroyed at the meeting and no

copies remain

bull The plaintiff calls in-house counsel as a witness in the

litigation against the company

10

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull When will a lawyerrsquos presence at a meeting render the

subject of the meeting privileged

bull The mere fact of a lawyerrsquos involvement does not establish

privilege

bull Courts have held that privilege attaches to those portions

of board meeting minutes that record counselrsquos advice Nova Scotia Power Corp v Surveyer Nenniger amp Chenevert Inc (1986) 74 NSR (2d)

327 (NS TD) affrsquod (1987) 78 NSR (2d) 217 (CA)

Privilege in cybersecurity assessments

bull Privilege is not the same as confidentiality

bull For example

bull LSUC Rule 33-1 - A lawyer at all times shall hold in strict

confidence all information concerning the business and

affairs of the client acquired in the course of the

professional relationship and shall not divulge any such

information unless

bull (a) expressly or impliedly authorized by the client

bull (b) required by law or by order of a tribunal of competent

jurisdiction to do so hellip

11

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull ldquothere is generally no assumption that legal advice was the

focus of communications between a client and in-house

counsel even when the latter is employed as in-house

counsel As in-house counsel often wear various hats a

factual foundation is required to demonstrate with respect

to each document sheltered by privilege that in-house

counsels involvement with the issue as qua-counselrdquo

bull BIE Health Products v Canada (Attorney General) 2015 ONSC 544

Privilege in cybersecurity assessments

bull Practice points for meetings

bull Limit attendance to those actually required to be there

bull Be careful regarding the content and circulation of minutes

and other documents

bull Determine the subject of meetings in advance and be

explicit if it is for the purpose of legal advice or litigation

privilege

bull See Toronto-Dominion Bank v Leigh Instruments Ltd where

excessive internal circulation was a factor in finding a lack of privilege

(1997) 32 OR (3d) 575 (OC (GenDiv))

12

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Practice points for documents (including emails and

attachments)

bull Appropriately mark documents as being ldquoprivileged and

confidentialrdquo

bull Limit the circulation of legal advice to necessary recipients

bull Communicate legal advice separately from the

communication of business advice

bull When acting as counsel (as opposed to acting in some

business capacity) identify that capacity clearly in

communications

Privilege in data breach response

bull Does your organization have formal protocols in place to

ensure that legal counsel is involved and privilege issues are

considered in data breach response

bull Yes 29

bull No 34

bull I donrsquot know 37

13

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

Privilege in data breach response

bull Target suspects a breach and retains outside counsel

bull Target forms a Data Breach Task Force (at request of in-

house and outside counsel) to educate the lawyers for legal

advice and to prepare for litigation

bull Target takes a two-track approach

bull Outside counsel set up the DBTF and engaged Verizon to

educate the lawyers about the breach for the purpose of

providing legal advice to Target

bull Target conducted its own ordinary-course investigation and

a second team from Verizon investigated the breach on

behalf of credit card brands so that they and Target could

learn how the breach happened

14

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

• “Target demonstrated through the declaration of [Chief Legal Officer] Timothy Baer that the work of the Data Breach Task Force was focused not on remediation of the breach as Plaintiffs contend but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow”

In re Target Corp Customer Data Security Breach Litigation No 014-md-02522 (D Minn Oct 23 2015)

Privilege in data breach response

• “Solicitor-client privilege also extends to communications and circumstances where the third party employs an expertise in assembling information provided by the client and in explaining that information to the solicitor. The third party in such a situation is making the information relevant to the legal issues on which the solicitor’s advice is sought. The third party’s role in a situation of this nature is akin to a translator. The third party is an “agent of transmission” of communication between the client and the lawyer”

Redhead Equipment Ltd v Canada (Attorney General) 2014 SKQB 172


Privilege in data breach response

• Consider using external litigation counsel for investigations
• Clearly state in the investigator’s retainer letter that legal advice is sought and that privilege is asserted
• Where litigation is contemplated, consider retaining litigation counsel and marking documents appropriately (“prepared on instructions from litigation counsel and in anticipation of litigation”)

Privilege in data breach response

• Consider having all communications flow through counsel but… it has been held that a process of routinely submitting copies of documents to a lawyer in the hope of shielding relevant and non-privileged documents is improper
  • Guelph v Super Blue Box Recycling (2004) 2 CPC (6th) 276 (Ont SCJ)
  • Cusson v Quan (2004) 10 CPC (6th) 308 (Ont SCJ)


Key changes to PIPEDA

• What is a breach?
  • “breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from
    • a breach of an organization’s security safeguards or
    • from a failure to establish those safeguards

Key changes to PIPEDA

• What is the threshold for notice?
  • Notice is required where it is reasonable in the circumstances to believe that there is a “real risk of significant harm”
  • “significant harm” includes humiliation, ID theft, damage to reputation or relationships
  • “real risk” requires consideration of sensitivity of the information, probability of misuse and prescribed factors


Key changes to PIPEDA

• Who must notice be given to?
  • Notice to individuals except where prohibited by law
  • If notice given to individuals, notice must be given to other organizations and government if (a) notifying organization believes it may reduce risk or mitigate harm or (b) in prescribed circumstances
  • Report to Commissioner in prescribed form and manner where “real risk of significant harm”

Key changes to PIPEDA

• When and how to give notices and reports
  • Notice to individuals and other organizations and report to Commissioner must be given “as soon as feasible” after it is determined that a breach occurred
  • Notice must be conspicuous and direct in the prescribed form and manner except where indirect notice is prescribed


Key changes to PIPEDA

• What must notices contain?
  • Notice must contain (a) sufficient information to allow an individual to understand the significance of the breach to them and to take steps if possible to reduce the risk of harm or mitigate it and (b) any other prescribed information

Key changes to PIPEDA

• Mandatory breach record keeping
  • Organizations must keep a record of every breach in accordance with any prescribed requirements
  • No threshold for record keeping requirement
  • The Commissioner may obtain access to or a copy of all breach records at any time for any reason and publish such information


Key changes to PIPEDA

• Each knowing contravention of the breach reporting and notice rules or the breach record-keeping rules can result in
  • A summary offence and a $10,000 fine or
  • An indictable offence and a fine of up to $100,000

Ethical and professionalism issues

• Scenario update
  • It is known that the hackers stole the following
    • Name, address, date of birth, email, password, phone number, purchase history and credit card information
  • A few customers have called to report fraudulent activity
  • An office manager has instructed you to send the following notice, which he discussed with the CEO

“We recently learned that some of your personal information might have been affected in a security incident but we do not have any reason to suspect that it will be misused”


Ethical and professionalism issues

As in-house counsel, would you decide to

1. Send the notice as instructed
2. Send the notice as you think it should be written
3. Raise the issue with the CEO and GC


Unprecedented activity and certifications

• Privacy class actions certified
  • LaRose v National Bank 2010 QCCS 5385
  • Elkoby v Google 2011 QSC No 500-06-000567
  • Rowlands v Durham Region 2012 ONSC 3948
  • Albilia v Apple Inc 2013 QCCS 2805
  • Evans v The Bank of Nova Scotia 2014 ONSC 7249
  • Belley v TD Auto Finance 2015 QCCS 168
  • Condon v Canada 2015 FCA 159
  • Doe v The Queen 2015 FC 916

Individual damage awards

• Early statutory tort claims
• Numerous PIPEDA cases
  • Nammo v TransUnion 2010 FC 1284
  • Girao v Zarek Taylor LLP 2011 FC 1070
  • Landry v Royal Bank of Canada 2011 FC 687
  • Biron v RBC Royal Bank 2012 FC 1095
  • Chitrakar v Bell TV 2013 FC 1103
  • Henry v Bell Mobility 2014 FC 555


Individual damage awards (cont’d)

• Jones v Tsige 2012 ONCA 32
• Alberta v Union of Provincial Employees 2012 CanLII 47215
• Action Auto Leasing v Gray [2013] OJ No 898
• McIntosh v Legal Aid Ontario 2014 ONSC 6136
• Albayate v Bank of Montreal 2015 BCSC 695

Business practice claims

• Plimmer v Google 2013 BCSC 681
• Albilia v Apple inc 2013 QCCS 2805
• Douez v Facebook Inc 2015 BCCA 27
• Bell 2015 (Relevant Ads Program litigation)


Employees cause issues

• MacEachern v Ford Ontario SCJ No CV-13-18955
• Hynes v Western Regional Health 2014 NLTD(G) 137
• Broutzas v Rouge Valley Centenary 2014
• Hopkins v Kay 2015 ONCA 112
• Evans v The Bank of Nova Scotia 2014 ONSC 7249
• Doe v The Queen 2015 FC 916
• Condon v Canada 2015 FCA 159

Incident response matters

• Townsend v Sun Life Financial 2012 FC 550
• Jones v Tsige 2012 ONCA 32
• Chitrakar v Bell TV 2013 FC 1103
• Evans v The Bank of Nova Scotia 2014 ONSC 7249
• Belley v TD Auto Finance 2015 QCCS 168


Theories of liability

• Claims have been based on
  • Intrusion upon seclusion
  • Breach of contract
  • Negligence
  • Statutory privacy torts
  • Breach of data protection laws
  • Public disclosure of private facts
  • Waiver of tort
  • Misrepresentation
  • Breach of warranty
  • Breach of confidence
  • Nuisance
  • Vicarious liability

Key issues on the horizon

• Impact of PIPEDA amendments and breach regulations, including on provincial laws
• Potential impacts of EU Safe Harbour decision
• Continued progress (and settlements) of privacy class actions
• Impact of CASL
  • actual loss or damage suffered or expenses incurred and
  • a maximum of
    • $200 for each contravention of section 6, not exceeding $1,000,000 for each day on which a contravention occurred
    • $1,000,000 for each day on which a contravention of section 7 or 8 occurred and
    • $1,000,000 for each contravention of section 9


Key issues on the horizon

• Collier v Steinhafel Case No 14–00266 (D Minn Jan 29 2014)
• Kula v Steinhafel Case No 14–00203 (D Minn Jan 21 2014)
• Palkon etc v Holmes et al United States District Court District of New Jersey Civil Action No 214 - CV – 01234 (SRC)
• Louisiana Mun Police Employees Retirement Fund v Alvarez 2010 Del Ch LEXIS 160 (Del Ch July 14 2010)

Key issues on the horizon

• Cyber insurance


Key issues on the horizon

• Ensure that your role as counsel is clearly defined
• Legal risk is a crucial consideration - consider
• Privacy policy and consent reviews
• Vendor contract reviews
• M&A transactions
• Risk transfer (contracts and insurance)
• Policies and procedures meet legal standards
• Incident response plan is implemented and tested
• Protocols regarding legal role in vendor contracts, cybersecurity reviews and incident response plans


Privilege in cybersecurity assessments

• Scenario update
  • It is learned that the Chief Privacy Officer (CPO) of the organization spoke with IT prior to retaining the consultant
  • The CPO told IT that the security review would be useful because the board keeps asking about cybersecurity
  • The CPO is also in-house legal counsel for the company

Privilege in cybersecurity assessments

• In-house counsel can wear many hats
  • Legal Advisor
  • Risk Manager
  • Policy Advisor
  • Compliance Monitor
  • Manager of Lawyers (& Legal Expenses)
  • Business Advisor
  • Corporate Investigator


Privilege in cybersecurity assessments

• Lawyers employed by a corporation are covered by solicitor-client privilege as long as they are performing the function of a solicitor, not a “business counsellor”

Canada (Privacy Commissioner) v Blood Tribe Department of Health 2008 SCC 44 at para 10
Pritchard v Ontario [2004] 1 SCR 809
IBM Canada Ltd v Xerox of Canada Ltd [1978] 1 FC 513 (CA)
R v Shirose (sub nom R v Campbell) (1999) 171 DLR (4th) 193 (SCC)

Privilege in cybersecurity assessments

• “Advice given by lawyers on matters outside the solicitor-client relationship is not protected. A comparable range of functions is exhibited by salaried corporate counsel employed by business organizations …although (as in government) the corporate context creates special problems see … No solicitor-client privilege attaches to advice on purely business matters even where it is provided by a lawyer” R v Campbell [1999] 1 SCR 565 at para 50


Privilege in cybersecurity assessments

• If a lawyer also has an official role in the management of the company for which she works, her activities relating to the management role do not attract solicitor-client privilege

Presswood v International Chemalloy Corp (1975) 11 OR (2d) 164
See also Toronto-Dominion Bank v Leigh Instruments Ltd (1997) 32 OR (3d) 575 (OC (GenDiv))

Privilege in cybersecurity assessments

• Scenario update
  • It has been determined that on the day the report was received it was discussed at a meeting with IT, human resources, risk management and in-house counsel
  • The report itself was destroyed at the meeting and no copies remain
  • The plaintiff calls in-house counsel as a witness in the litigation against the company


Privilege in cybersecurity assessments

• When will a lawyer’s presence at a meeting render the subject of the meeting privileged?
  • The mere fact of a lawyer’s involvement does not establish privilege
  • Courts have held that privilege attaches to those portions of board meeting minutes that record counsel’s advice

Nova Scotia Power Corp v Surveyer Nenniger & Chenevert Inc (1986) 74 NSR (2d) 327 (NS TD) aff’d (1987) 78 NSR (2d) 217 (CA)

Privilege in cybersecurity assessments

• Privilege is not the same as confidentiality
• For example
  • LSUC Rule 33-1 - A lawyer at all times shall hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship and shall not divulge any such information unless
    • (a) expressly or impliedly authorized by the client
    • (b) required by law or by order of a tribunal of competent jurisdiction to do so …


Privilege in cybersecurity assessments

• “there is generally no assumption that legal advice was the focus of communications between a client and in-house counsel even when the latter is employed as in-house counsel. As in-house counsel often wear various hats a factual foundation is required to demonstrate with respect to each document sheltered by privilege that in-house counsel’s involvement with the issue as qua-counsel”
• BIE Health Products v Canada (Attorney General) 2015 ONSC 544

Privilege in cybersecurity assessments

• Practice points for meetings
  • Limit attendance to those actually required to be there
  • Be careful regarding the content and circulation of minutes and other documents
  • Determine the subject of meetings in advance and be explicit if it is for the purpose of legal advice or litigation privilege
  • See Toronto-Dominion Bank v Leigh Instruments Ltd where excessive internal circulation was a factor in finding a lack of privilege (1997) 32 OR (3d) 575 (OC (GenDiv))


Privilege in cybersecurity assessments

• Practice points for documents (including emails and attachments)
  • Appropriately mark documents as being “privileged and confidential”
  • Limit the circulation of legal advice to necessary recipients
  • Communicate legal advice separately from the communication of business advice
  • When acting as counsel (as opposed to acting in some business capacity), identify that capacity clearly in communications

Privilege in data breach response

• Does your organization have formal protocols in place to ensure that legal counsel is involved and privilege issues are considered in data breach response?
  • Yes 29%
  • No 34%
  • I don’t know 37%

13

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

Privilege in data breach response

bull Target suspects a breach and retains outside counsel

bull Target forms a Data Breach Task Force (at request of in-

house and outside counsel) to educate the lawyers for legal

advice and to prepare for litigation

bull Target takes a two-track approach

bull Outside counsel set up the DBTF and engaged Verizon to

educate the lawyers about the breach for the purpose of

providing legal advice to Target

bull Target conducted its own ordinary-course investigation and

a second team from Verizon investigated the breach on

behalf of credit card brands so that they and Target could

learn how the breach happened

14

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

bull ldquoTarget demonstrated through the declaration of [Chief Legal

Officer] Timothy Baer that the work of the Data Breach

Task Force was focused not on remediation of the

breach as Plaintiffs contend but on informing Targetrsquos

inhouse and outside counsel about the breach so that

Targetrsquos attorneys could provide the company with legal

advice and prepare to defend the company in litigation that

was already pending and was reasonably expected to followrdquo

In re Target Corp Customer Data Security Breach Litigation No 014-md-

02522 (D Minn Oct 23 2015)

Privilege in data breach response

bull ldquoSolicitor-client privilege also extends to communications and

circumstances where the third party employs an expertise

in assembling information provided by the client and in

explaining that information to the solicitor The third party

in such a situation is making the information relevant to the

legal issues on which the solicitors advice is sought The third

partys role in a situation of this nature is akin to a translator

The third party is an ldquoagent of transmissionrdquo of communication

between the client and the lawyerrdquo

Redhead Equipment Ltd v Canada (Attorney General) 2014 SKQB 172

15

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

bull Consider using external litigation counsel for investigations

bull Clearly state in the investigatorrsquos retainer letter that legal

advice is sought and that privilege is asserted

bull Where litigation is contemplated consider retaining litigation

counsel and marking documents appropriately (ldquoprepared on

instructions from litigation counsel and in anticipation of

litigationrdquo)

Privilege in data breach response

bull Consider having all communications flow through counsel

buthellip it has been held that a process of routinely submitting

copies of documents to a lawyer in the hope of shielding

relevant and non-privileged documents is improper

bull Guelph v Super Blue Box Recycling (2004) 2 CPC (6th) 276

(Ont SCJ)

bull Cusson v Quan (2004) 10 CPC (6th) 308 (Ont SCJ)

16

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull What is a breach

bull ldquobreach of security safeguardsrdquo means the loss of

unauthorized access to or unauthorized disclosure of

personal information resulting from

bull a breach of an organizationrsquos security safeguards or

bull from a failure to establish those safeguards

Key changes to PIPEDA

bull What is the threshold for notice

bull Notice is required where it is reasonable in the

circumstances to believe that there is a ldquoreal risk of

significant harmrdquo

bull ldquosignificant harmrdquo includes humiliation ID theft damage to

reputation or relationships

bull ldquoreal riskrdquo requires consideration of sensitivity of the

information probability of misuse and prescribed factors

17

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull Who must notice be given to

bull Notice to individuals except where prohibited by law

bull If notice given to individuals notice must be given to other

organizations and government if (a) notifying

organization believes it may reduce risk or mitigate harm

or (b) in prescribed circumstances

bull Report to Commissioner in prescribed form and manner

where ldquoreal risk of significant harmrdquo

Key changes to PIPEDA

bull When and how to give notices and reports

bull Notice to individuals and other organizations and report to

Commissioner must be given ldquoas soon as feasiblerdquo after

it is determined that a breach occurred

bull Notice must be conspicuous and direct in the prescribed

form and manner except where indirect notice is

prescribed

18

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull What must notices contain

bull Notice must contain (a) sufficient information to allow an

individual to understand the significance of the breach to

them and to take steps if possible to reduce the risk of

harm or mitigate it and (b) any other prescribed

information

Key changes to PIPEDA

bull Mandatory breach record keeping

bull Organizations must keep a record of every breach in

accordance with any prescribed requirements

bull No threshold for record keeping requirement

bull The Commissioner may obtain access to or a copy of

all breach records at any time for any reason and publish

such information

19

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull Each knowing contravention of the breach reporting and

notice rules or the breach record-keeping rules can result in

bull A summary offence and a $10000 fine or

bull An indictable offence and a fine of up to $100000

Ethical and professionalism issues

bull Scenario update

bull It is known that the hackers stole the following

bull Name address date of birth email password phone number

purchase history and credit card information

bull A few customers have called to report fraudulent activity

bull An office manager has instructed you to send the following

notice which he discussed with the CEO

ldquoWe recently learned that some of your personal information

might have been affected in a security incident but we do not

have any reason to suspect that it will be misusedrdquo

20

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Ethical and professionalism issues

As in-house counsel would you decide to

1 Send the notice as instructed

2 Send the notice as you think it should be written

3 Raise the issue with the CEO and GC

21

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Unprecedented activity and certifications

bull Privacy class actions certified

bull LaRose v National Bank 2010 QCCS 5385

bull Elkoby v Google 2011 QSC No 500-06-000567

bull Rowlands v Durham Region 2012 ONSC 3948

bull Albilia v Apple Inc 2013 QCCS 2805

bull Evans v The Bank of Nova Scotia 2014 ONSC 7249

bull Belley v TD Auto Finance 2015 QCCS 168

bull Condon v Canada 2015 FCA 159

bull Doe v The Queen 2015 FC 916

Individual damage awards

bull Early statutory tort claims

bull Numerous PIPEDA cases

bull Nammo v TransUnion 2010 FC 1284

bull Girao v Zarek Taylor LLP 2011 FC 1070

bull Landry v Royal Bank of Canada 2011 FC 687

bull Biron v RBC Royal Bank 2012 FC 1095

bull Chitrakar v Bell TV 2013 FC 1103

bull Henry v Bell Mobility 2014 FC 555

22

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Individual damage awards (contrsquod)

bull Jones v Tsige 2012 ONCA 32

bull Alberta v Union of Provincial Employees 2012 CanLII 47215

bull Action Auto Leasing v Gray [2013] OJ No 898

bull McIntosh v Legal Aid Ontario 2014 ONSC 6136

bull Albayate v Bank of Montreal 2015 BCSC 695

Business practice claims

bull Plimmer v Google 2013 BCSC 681

bull Albilia v Apple inc 2013 QCCS 2805

bull Douez v Facebook Inc 2015 BCCA 27

bull Bell 2015 (Relevant Ads Program litigation)

23

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Employees cause issues

bull MacEachern v Ford Ontario SCJ No CV-13-18955

bull Hynes v Western Regional Health 2014 NLTD(G) 137

bull Broutzas v Rouge Valley Centenary 2014

bull Hopkins v Kay 2015 ONCA 112

bull Evans v The Bank of Nova Scotia 2014 ONSC 7249

bull Doe v The Queen 2015 FC 916

bull Condon v Canada 2015 FCA 159

Incident response matters

bull Townsend v Sun Life Financial 2012 FC 550

bull Jones v Tsige 2012 ONCA 32

bull Chitrakar v Bell TV 2013 FC 1103

bull Evans v The Bank of Nova Scotia 2014 ONSC 7249

bull Belley v TD Auto Finance 2015 QCCS 168

24

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Theories of liability

bull Claims have been based on

bull Intrusion upon seclusion

bull Breach of contract

bull Negligence

bull Statutory privacy torts

bull Breach of data protection laws

bull Public disclosure of private facts

bull Waiver of tort

bull Misrepresentation

bull Breach of warranty

bull Breach of confidence

bull Nuisance

bull Vicarious liability

Key issues on the horizon

bull Impact of PIPEDA amendments and breach regulations

including on provincial laws

bull Potential impacts of EU Safe Harbour decision

bull Continued progress (and settlements) of privacy class actions

bull Impact of CASL

bull actual loss or damage suffered or expenses incurred and

bull a maximum of

bull $200 for each contravention of section 6 not exceeding

$1000000 for each day on which a contravention occurred

bull $1000000 for each day on which a contravention of section 7

or 8 occurred and

bull $1000000 for each contravention of section 9

25

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key issues on the horizon

Key issues on the horizon

26

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key issues on the horizon

bull Collier v Steinhafel Case No 14ndash00266 (D Minn Jan 29

2014)

bull Kula v Steinhafel Case No 14ndash00203 (D Minn Jan 21

2014)

bull Palkon etc v Holmes et al United States District Court

District of New Jersey Civil Action No 214 - CV ndash 01234

(SRC)

bull Louisiana Mun Police Employees Retirement Fund v

Alvarez 2010 Del Ch LEXIS 160 (Del Ch July 14 2010)

Key issues on the horizon

bull Cyber insurance

27

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key issues on the horizon

bull Ensure that your role as counsel is clearly defined

bull Legal risk is a crucial consideration - consider

bull Privacy policy and consent reviews

bull Vendor contract reviews

bull MampA transactions

bull Risk transfer (contracts and insurance)

bull Policies and procedures meet legal standards

bull Incident response plan is implemented and tested

bull Protocols regarding legal role in vendor contracts

cybersecurity reviews and incident response plans

Page 8: Cybersecurity and Data Breaches: Essentials for …d2cuav766x88m8.cloudfront.net/2015/011-Cybersecurity...4 Cybersecurity and Data Breaches: Essentials for Corporate Counsel A joint

8

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Lawyers employed by a corporation are covered by solicitor-

client privilege as long as they are performing the function of

a solicitor not a ldquobusiness counsellorrdquo

Canada (Privacy Commissioner) v Blood Tribe Department of Health 2008 SCC 44 at para 10

Pritchard v Ontario [2004] 1 SCR 809

IBM Canada Ltd v Xerox of Canada Ltd [1978] 1 FC 513 (CA)

R v Shirose (sub nom R v Campbell) (1999) 171 DLR (4th) 193 (SCC)

Privilege in cybersecurity assessments

bull ldquoAdvice given by lawyers on matters outside the

solicitor-client relationship is not protected A comparable

range of functions is exhibited by salaried corporate counsel

employed by business organizations hellipalthough (as in

government) the corporate context creates special problems

see hellip No solicitor-client privilege attaches to advice on

purely business matters even where it is provided by a

lawyerrdquo R v Campbell [1999] 1 SCR 565 at para 50

9

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

• If a lawyer also has an official role in the management of the company for which she works, her activities relating to the management role do not attract solicitor-client privilege
Presswood v International Chemalloy Corp (1975) 11 OR (2d) 164
See also Toronto-Dominion Bank v Leigh Instruments Ltd (1997) 32 OR (3d) 575 (OC (GenDiv))

Privilege in cybersecurity assessments

• Scenario update
  • It has been determined that, on the day the report was received, it was discussed at a meeting with IT, human resources, risk management and in-house counsel
  • The report itself was destroyed at the meeting and no copies remain
  • The plaintiff calls in-house counsel as a witness in the litigation against the company


Privilege in cybersecurity assessments

• When will a lawyer’s presence at a meeting render the subject of the meeting privileged?
  • The mere fact of a lawyer’s involvement does not establish privilege
  • Courts have held that privilege attaches to those portions of board meeting minutes that record counsel’s advice
    Nova Scotia Power Corp v Surveyer Nenniger & Chenevert Inc (1986) 74 NSR (2d) 327 (NS TD), aff’d (1987) 78 NSR (2d) 217 (CA)

Privilege in cybersecurity assessments

• Privilege is not the same as confidentiality
• For example
  • LSUC Rule 33-1 - A lawyer at all times shall hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship and shall not divulge any such information unless
    • (a) expressly or impliedly authorized by the client
    • (b) required by law or by order of a tribunal of competent jurisdiction to do so …


Privilege in cybersecurity assessments

• “there is generally no assumption that legal advice was the focus of communications between a client and in-house counsel, even when the latter is employed as in-house counsel. As in-house counsel often wear various hats, a factual foundation is required to demonstrate, with respect to each document sheltered by privilege, that in-house counsel’s involvement with the issue as qua-counsel”
• BIE Health Products v Canada (Attorney General), 2015 ONSC 544

Privilege in cybersecurity assessments

• Practice points for meetings
  • Limit attendance to those actually required to be there
  • Be careful regarding the content and circulation of minutes and other documents
  • Determine the subject of meetings in advance and be explicit if it is for the purpose of legal advice or litigation privilege
  • See Toronto-Dominion Bank v Leigh Instruments Ltd, where excessive internal circulation was a factor in finding a lack of privilege (1997) 32 OR (3d) 575 (OC (GenDiv))


Privilege in cybersecurity assessments

• Practice points for documents (including emails and attachments)
  • Appropriately mark documents as being “privileged and confidential”
  • Limit the circulation of legal advice to necessary recipients
  • Communicate legal advice separately from the communication of business advice
  • When acting as counsel (as opposed to acting in some business capacity), identify that capacity clearly in communications

Privilege in data breach response

• Does your organization have formal protocols in place to ensure that legal counsel is involved and privilege issues are considered in data breach response?
  • Yes 29%
  • No 34%
  • I don’t know 37%


Privilege in data breach response

Privilege in data breach response

• Target suspects a breach and retains outside counsel
• Target forms a Data Breach Task Force (at request of in-house and outside counsel) to educate the lawyers for legal advice and to prepare for litigation
• Target takes a two-track approach
  • Outside counsel set up the DBTF and engaged Verizon to educate the lawyers about the breach for the purpose of providing legal advice to Target
  • Target conducted its own ordinary-course investigation, and a second team from Verizon investigated the breach on behalf of credit card brands so that they and Target could learn how the breach happened


Privilege in data breach response

• “Target demonstrated, through the declaration of [Chief Legal Officer] Timothy Baer, that the work of the Data Breach Task Force was focused not on remediation of the breach, as Plaintiffs contend, but on informing Target’s inhouse and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow”
In re Target Corp Customer Data Security Breach Litigation, No 014-md-02522 (D Minn Oct 23, 2015)

Privilege in data breach response

• “Solicitor-client privilege also extends to communications and circumstances where the third party employs an expertise in assembling information provided by the client and in explaining that information to the solicitor. The third party in such a situation is making the information relevant to the legal issues on which the solicitor’s advice is sought. The third party’s role in a situation of this nature is akin to a translator. The third party is an “agent of transmission” of communication between the client and the lawyer”
Redhead Equipment Ltd v Canada (Attorney General), 2014 SKQB 172


Privilege in data breach response

• Consider using external litigation counsel for investigations
• Clearly state in the investigator’s retainer letter that legal advice is sought and that privilege is asserted
• Where litigation is contemplated, consider retaining litigation counsel and marking documents appropriately (“prepared on instructions from litigation counsel and in anticipation of litigation”)

Privilege in data breach response

• Consider having all communications flow through counsel but… it has been held that a process of routinely submitting copies of documents to a lawyer in the hope of shielding relevant and non-privileged documents is improper
  • Guelph v Super Blue Box Recycling (2004) 2 CPC (6th) 276 (Ont SCJ)
  • Cusson v Quan (2004) 10 CPC (6th) 308 (Ont SCJ)


Key changes to PIPEDA

• What is a breach?
  • “breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from
    • a breach of an organization’s security safeguards or
    • from a failure to establish those safeguards

Key changes to PIPEDA

• What is the threshold for notice?
  • Notice is required where it is reasonable in the circumstances to believe that there is a “real risk of significant harm”
  • “significant harm” includes humiliation, ID theft, damage to reputation or relationships
  • “real risk” requires consideration of sensitivity of the information, probability of misuse and prescribed factors


Key changes to PIPEDA

• Who must notice be given to?
  • Notice to individuals, except where prohibited by law
  • If notice given to individuals, notice must be given to other organizations and government if (a) notifying organization believes it may reduce risk or mitigate harm or (b) in prescribed circumstances
  • Report to Commissioner in prescribed form and manner where “real risk of significant harm”

Key changes to PIPEDA

• When and how to give notices and reports
  • Notice to individuals and other organizations and report to Commissioner must be given “as soon as feasible” after it is determined that a breach occurred
  • Notice must be conspicuous and direct, in the prescribed form and manner, except where indirect notice is prescribed


Key changes to PIPEDA

• What must notices contain?
  • Notice must contain (a) sufficient information to allow an individual to understand the significance of the breach to them and to take steps, if possible, to reduce the risk of harm or mitigate it and (b) any other prescribed information

Key changes to PIPEDA

• Mandatory breach record keeping
  • Organizations must keep a record of every breach in accordance with any prescribed requirements
  • No threshold for record keeping requirement
  • The Commissioner may obtain access to, or a copy of, all breach records at any time, for any reason, and publish such information


Key changes to PIPEDA

• Each knowing contravention of the breach reporting and notice rules or the breach record-keeping rules can result in
  • A summary offence and a $10,000 fine or
  • An indictable offence and a fine of up to $100,000

Ethical and professionalism issues

• Scenario update
  • It is known that the hackers stole the following
    • Name, address, date of birth, email, password, phone number, purchase history and credit card information
  • A few customers have called to report fraudulent activity
  • An office manager has instructed you to send the following notice, which he discussed with the CEO

“We recently learned that some of your personal information might have been affected in a security incident, but we do not have any reason to suspect that it will be misused”


Ethical and professionalism issues

As in-house counsel, would you decide to

1. Send the notice as instructed
2. Send the notice as you think it should be written
3. Raise the issue with the CEO and GC


Unprecedented activity and certifications

• Privacy class actions certified
  • LaRose v National Bank, 2010 QCCS 5385
  • Elkoby v Google, 2011 QSC No 500-06-000567
  • Rowlands v Durham Region, 2012 ONSC 3948
  • Albilia v Apple Inc, 2013 QCCS 2805
  • Evans v The Bank of Nova Scotia, 2014 ONSC 7249
  • Belley v TD Auto Finance, 2015 QCCS 168
  • Condon v Canada, 2015 FCA 159
  • Doe v The Queen, 2015 FC 916

Individual damage awards

• Early statutory tort claims
• Numerous PIPEDA cases
  • Nammo v TransUnion, 2010 FC 1284
  • Girao v Zarek Taylor LLP, 2011 FC 1070
  • Landry v Royal Bank of Canada, 2011 FC 687
  • Biron v RBC Royal Bank, 2012 FC 1095
  • Chitrakar v Bell TV, 2013 FC 1103
  • Henry v Bell Mobility, 2014 FC 555


Individual damage awards (cont’d)

• Jones v Tsige, 2012 ONCA 32
• Alberta v Union of Provincial Employees, 2012 CanLII 47215
• Action Auto Leasing v Gray, [2013] OJ No 898
• McIntosh v Legal Aid Ontario, 2014 ONSC 6136
• Albayate v Bank of Montreal, 2015 BCSC 695

Business practice claims

• Plimmer v Google, 2013 BCSC 681
• Albilia v Apple Inc, 2013 QCCS 2805
• Douez v Facebook Inc, 2015 BCCA 27
• Bell 2015 (Relevant Ads Program litigation)


Employees cause issues

• MacEachern v Ford, Ontario SCJ No CV-13-18955
• Hynes v Western Regional Health, 2014 NLTD(G) 137
• Broutzas v Rouge Valley Centenary, 2014
• Hopkins v Kay, 2015 ONCA 112
• Evans v The Bank of Nova Scotia, 2014 ONSC 7249
• Doe v The Queen, 2015 FC 916
• Condon v Canada, 2015 FCA 159

Incident response matters

• Townsend v Sun Life Financial, 2012 FC 550
• Jones v Tsige, 2012 ONCA 32
• Chitrakar v Bell TV, 2013 FC 1103
• Evans v The Bank of Nova Scotia, 2014 ONSC 7249
• Belley v TD Auto Finance, 2015 QCCS 168


Theories of liability

• Claims have been based on
  • Intrusion upon seclusion
  • Breach of contract
  • Negligence
  • Statutory privacy torts
  • Breach of data protection laws
  • Public disclosure of private facts
  • Waiver of tort
  • Misrepresentation
  • Breach of warranty
  • Breach of confidence
  • Nuisance
  • Vicarious liability

Key issues on the horizon

• Impact of PIPEDA amendments and breach regulations, including on provincial laws
• Potential impacts of EU Safe Harbour decision
• Continued progress (and settlements) of privacy class actions
• Impact of CASL
  • actual loss or damage suffered or expenses incurred and
  • a maximum of
    • $200 for each contravention of section 6, not exceeding $1,000,000 for each day on which a contravention occurred
    • $1,000,000 for each day on which a contravention of section 7 or 8 occurred and
    • $1,000,000 for each contravention of section 9


Key issues on the horizon

Key issues on the horizon


Key issues on the horizon

• Collier v Steinhafel, Case No 14–00266 (D Minn Jan 29, 2014)
• Kula v Steinhafel, Case No 14–00203 (D Minn Jan 21, 2014)
• Palkon etc v Holmes et al, United States District Court, District of New Jersey, Civil Action No 214 - CV – 01234 (SRC)
• Louisiana Mun Police Employees Retirement Fund v Alvarez, 2010 Del Ch LEXIS 160 (Del Ch July 14, 2010)

Key issues on the horizon

• Cyber insurance


Key issues on the horizon

• Ensure that your role as counsel is clearly defined
• Legal risk is a crucial consideration - consider
  • Privacy policy and consent reviews
  • Vendor contract reviews
  • M&A transactions
  • Risk transfer (contracts and insurance)
• Policies and procedures meet legal standards
• Incident response plan is implemented and tested
• Protocols regarding legal role in vendor contracts, cybersecurity reviews and incident response plans

Page 9: Cybersecurity and Data Breaches: Essentials for …d2cuav766x88m8.cloudfront.net/2015/011-Cybersecurity...4 Cybersecurity and Data Breaches: Essentials for Corporate Counsel A joint

9

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull If a lawyer also has an official role in the management of the

company for which she works her activities relating to the

management role do not attract solicitor-client privilege Presswood v International Chemalloy Corp (1975) 11 OR (2d) 164

See also Toronto-Dominion Bank v Leigh Instruments Ltd (1997) 32 OR (3d) 575 (OC (GenDiv))

Privilege in cybersecurity assessments

bull Scenario update

bull It has been determined that on the day the report was

received it was discussed at a meeting with IT human

resources risk management and in-house counsel

bull The report itself was destroyed at the meeting and no

copies remain

bull The plaintiff calls in-house counsel as a witness in the

litigation against the company

10

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull When will a lawyerrsquos presence at a meeting render the

subject of the meeting privileged

bull The mere fact of a lawyerrsquos involvement does not establish

privilege

bull Courts have held that privilege attaches to those portions

of board meeting minutes that record counselrsquos advice Nova Scotia Power Corp v Surveyer Nenniger amp Chenevert Inc (1986) 74 NSR (2d)

327 (NS TD) affrsquod (1987) 78 NSR (2d) 217 (CA)

Privilege in cybersecurity assessments

bull Privilege is not the same as confidentiality

bull For example

bull LSUC Rule 33-1 - A lawyer at all times shall hold in strict

confidence all information concerning the business and

affairs of the client acquired in the course of the

professional relationship and shall not divulge any such

information unless

bull (a) expressly or impliedly authorized by the client

bull (b) required by law or by order of a tribunal of competent

jurisdiction to do so hellip

11

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull ldquothere is generally no assumption that legal advice was the

focus of communications between a client and in-house

counsel even when the latter is employed as in-house

counsel As in-house counsel often wear various hats a

factual foundation is required to demonstrate with respect

to each document sheltered by privilege that in-house

counsels involvement with the issue as qua-counselrdquo

bull BIE Health Products v Canada (Attorney General) 2015 ONSC 544

Privilege in cybersecurity assessments

bull Practice points for meetings

bull Limit attendance to those actually required to be there

bull Be careful regarding the content and circulation of minutes

and other documents

bull Determine the subject of meetings in advance and be

explicit if it is for the purpose of legal advice or litigation

privilege

bull See Toronto-Dominion Bank v Leigh Instruments Ltd where

excessive internal circulation was a factor in finding a lack of privilege

(1997) 32 OR (3d) 575 (OC (GenDiv))

12

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Practice points for documents (including emails and

attachments)

bull Appropriately mark documents as being ldquoprivileged and

confidentialrdquo

bull Limit the circulation of legal advice to necessary recipients

bull Communicate legal advice separately from the

communication of business advice

bull When acting as counsel (as opposed to acting in some

business capacity) identify that capacity clearly in

communications

Privilege in data breach response

bull Does your organization have formal protocols in place to

ensure that legal counsel is involved and privilege issues are

considered in data breach response

bull Yes 29

bull No 34

bull I donrsquot know 37

13

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

Privilege in data breach response

bull Target suspects a breach and retains outside counsel

bull Target forms a Data Breach Task Force (at request of in-

house and outside counsel) to educate the lawyers for legal

advice and to prepare for litigation

bull Target takes a two-track approach

bull Outside counsel set up the DBTF and engaged Verizon to

educate the lawyers about the breach for the purpose of

providing legal advice to Target

bull Target conducted its own ordinary-course investigation and

a second team from Verizon investigated the breach on

behalf of credit card brands so that they and Target could

learn how the breach happened

14

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

bull ldquoTarget demonstrated through the declaration of [Chief Legal

Officer] Timothy Baer that the work of the Data Breach

Task Force was focused not on remediation of the

breach as Plaintiffs contend but on informing Targetrsquos

inhouse and outside counsel about the breach so that

Targetrsquos attorneys could provide the company with legal

advice and prepare to defend the company in litigation that

was already pending and was reasonably expected to followrdquo

In re Target Corp Customer Data Security Breach Litigation No 014-md-

02522 (D Minn Oct 23 2015)

Privilege in data breach response

bull ldquoSolicitor-client privilege also extends to communications and

circumstances where the third party employs an expertise

in assembling information provided by the client and in

explaining that information to the solicitor The third party

in such a situation is making the information relevant to the

legal issues on which the solicitors advice is sought The third

partys role in a situation of this nature is akin to a translator

The third party is an ldquoagent of transmissionrdquo of communication

between the client and the lawyerrdquo

Redhead Equipment Ltd v Canada (Attorney General) 2014 SKQB 172

15

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

bull Consider using external litigation counsel for investigations

bull Clearly state in the investigatorrsquos retainer letter that legal

advice is sought and that privilege is asserted

bull Where litigation is contemplated consider retaining litigation

counsel and marking documents appropriately (ldquoprepared on

instructions from litigation counsel and in anticipation of

litigationrdquo)

Privilege in data breach response

bull Consider having all communications flow through counsel

buthellip it has been held that a process of routinely submitting

copies of documents to a lawyer in the hope of shielding

relevant and non-privileged documents is improper

bull Guelph v Super Blue Box Recycling (2004) 2 CPC (6th) 276

(Ont SCJ)

bull Cusson v Quan (2004) 10 CPC (6th) 308 (Ont SCJ)

16

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull What is a breach

bull ldquobreach of security safeguardsrdquo means the loss of

unauthorized access to or unauthorized disclosure of

personal information resulting from

bull a breach of an organizationrsquos security safeguards or

bull from a failure to establish those safeguards

Key changes to PIPEDA

bull What is the threshold for notice

bull Notice is required where it is reasonable in the

circumstances to believe that there is a ldquoreal risk of

significant harmrdquo

bull ldquosignificant harmrdquo includes humiliation ID theft damage to

reputation or relationships

bull ldquoreal riskrdquo requires consideration of sensitivity of the

information probability of misuse and prescribed factors

17

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull Who must notice be given to

bull Notice to individuals except where prohibited by law

bull If notice given to individuals notice must be given to other

organizations and government if (a) notifying

organization believes it may reduce risk or mitigate harm

or (b) in prescribed circumstances

bull Report to Commissioner in prescribed form and manner

where ldquoreal risk of significant harmrdquo

Key changes to PIPEDA

bull When and how to give notices and reports

bull Notice to individuals and other organizations and report to

Commissioner must be given ldquoas soon as feasiblerdquo after

it is determined that a breach occurred

bull Notice must be conspicuous and direct in the prescribed

form and manner except where indirect notice is

prescribed

18

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull What must notices contain

bull Notice must contain (a) sufficient information to allow an

individual to understand the significance of the breach to

them and to take steps if possible to reduce the risk of

harm or mitigate it and (b) any other prescribed

information

Key changes to PIPEDA

bull Mandatory breach record keeping

bull Organizations must keep a record of every breach in

accordance with any prescribed requirements

bull No threshold for record keeping requirement

bull The Commissioner may obtain access to or a copy of

all breach records at any time for any reason and publish

such information

19

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull Each knowing contravention of the breach reporting and

notice rules or the breach record-keeping rules can result in

bull A summary offence and a $10000 fine or

bull An indictable offence and a fine of up to $100000

Ethical and professionalism issues

bull Scenario update

bull It is known that the hackers stole the following

bull Name address date of birth email password phone number

purchase history and credit card information

bull A few customers have called to report fraudulent activity

bull An office manager has instructed you to send the following

notice which he discussed with the CEO

ldquoWe recently learned that some of your personal information

might have been affected in a security incident but we do not

have any reason to suspect that it will be misusedrdquo

20

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Ethical and professionalism issues

As in-house counsel would you decide to

1 Send the notice as instructed

2 Send the notice as you think it should be written

3 Raise the issue with the CEO and GC

21

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Unprecedented activity and certifications

bull Privacy class actions certified

bull LaRose v National Bank 2010 QCCS 5385

bull Elkoby v Google 2011 QSC No 500-06-000567

bull Rowlands v Durham Region 2012 ONSC 3948

bull Albilia v Apple Inc 2013 QCCS 2805

bull Evans v The Bank of Nova Scotia 2014 ONSC 7249

bull Belley v TD Auto Finance 2015 QCCS 168

bull Condon v Canada 2015 FCA 159

bull Doe v The Queen 2015 FC 916

Individual damage awards

bull Early statutory tort claims

bull Numerous PIPEDA cases

bull Nammo v TransUnion 2010 FC 1284

bull Girao v Zarek Taylor LLP 2011 FC 1070

bull Landry v Royal Bank of Canada 2011 FC 687

bull Biron v RBC Royal Bank 2012 FC 1095

bull Chitrakar v Bell TV 2013 FC 1103

bull Henry v Bell Mobility 2014 FC 555

22

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Individual damage awards (contrsquod)

bull Jones v Tsige 2012 ONCA 32

bull Alberta v Union of Provincial Employees 2012 CanLII 47215

bull Action Auto Leasing v Gray [2013] OJ No 898

bull McIntosh v Legal Aid Ontario 2014 ONSC 6136

bull Albayate v Bank of Montreal 2015 BCSC 695

Business practice claims

bull Plimmer v Google 2013 BCSC 681

bull Albilia v Apple inc 2013 QCCS 2805

bull Douez v Facebook Inc 2015 BCCA 27

bull Bell 2015 (Relevant Ads Program litigation)

23

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Employees cause issues

bull MacEachern v Ford Ontario SCJ No CV-13-18955

bull Hynes v Western Regional Health 2014 NLTD(G) 137

bull Broutzas v Rouge Valley Centenary 2014

bull Hopkins v Kay 2015 ONCA 112

bull Evans v The Bank of Nova Scotia 2014 ONSC 7249

bull Doe v The Queen 2015 FC 916

bull Condon v Canada 2015 FCA 159

Incident response matters

bull Townsend v Sun Life Financial 2012 FC 550

bull Jones v Tsige 2012 ONCA 32

bull Chitrakar v Bell TV 2013 FC 1103

bull Evans v The Bank of Nova Scotia 2014 ONSC 7249

bull Belley v TD Auto Finance 2015 QCCS 168

24

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Theories of liability

• Claims have been based on:
  • Intrusion upon seclusion
  • Breach of contract
  • Negligence
  • Statutory privacy torts
  • Breach of data protection laws
  • Public disclosure of private facts
  • Waiver of tort
  • Misrepresentation
  • Breach of warranty
  • Breach of confidence
  • Nuisance
  • Vicarious liability

Key issues on the horizon

• Impact of PIPEDA amendments and breach regulations, including on provincial laws
• Potential impacts of EU Safe Harbour decision
• Continued progress (and settlements) of privacy class actions
• Impact of CASL
  • actual loss or damage suffered or expenses incurred, and
  • a maximum of:
    • $200 for each contravention of section 6, not exceeding $1,000,000 for each day on which a contravention occurred
    • $1,000,000 for each day on which a contravention of section 7 or 8 occurred, and
    • $1,000,000 for each contravention of section 9

Key issues on the horizon

• Collier v Steinhafel Case No 14–00266 (D Minn Jan 29 2014)
• Kula v Steinhafel Case No 14–00203 (D Minn Jan 21 2014)
• Palkon etc v Holmes et al United States District Court District of New Jersey Civil Action No 214 - CV – 01234 (SRC)
• Louisiana Mun Police Employees Retirement Fund v Alvarez 2010 Del Ch LEXIS 160 (Del Ch July 14 2010)

Key issues on the horizon

• Cyber insurance

Key issues on the horizon

• Ensure that your role as counsel is clearly defined
• Legal risk is a crucial consideration - consider
• Privacy policy and consent reviews
• Vendor contract reviews
• M&A transactions
• Risk transfer (contracts and insurance)
• Policies and procedures meet legal standards
• Incident response plan is implemented and tested
• Protocols regarding legal role in vendor contracts, cybersecurity reviews and incident response plans

Privilege in cybersecurity assessments

• When will a lawyer's presence at a meeting render the subject of the meeting privileged?
• The mere fact of a lawyer's involvement does not establish privilege
• Courts have held that privilege attaches to those portions of board meeting minutes that record counsel's advice: Nova Scotia Power Corp v Surveyer Nenniger & Chenevert Inc (1986) 74 NSR (2d) 327 (NS TD) aff'd (1987) 78 NSR (2d) 217 (CA)

Privilege in cybersecurity assessments

• Privilege is not the same as confidentiality
• For example:
  • LSUC Rule 33-1 - A lawyer at all times shall hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship and shall not divulge any such information unless
    • (a) expressly or impliedly authorized by the client
    • (b) required by law or by order of a tribunal of competent jurisdiction to do so …

Privilege in cybersecurity assessments

• "there is generally no assumption that legal advice was the focus of communications between a client and in-house counsel even when the latter is employed as in-house counsel. As in-house counsel often wear various hats a factual foundation is required to demonstrate with respect to each document sheltered by privilege that in-house counsel's involvement with the issue as qua-counsel"
• BIE Health Products v Canada (Attorney General) 2015 ONSC 544

Privilege in cybersecurity assessments

• Practice points for meetings:
  • Limit attendance to those actually required to be there
  • Be careful regarding the content and circulation of minutes and other documents
  • Determine the subject of meetings in advance and be explicit if it is for the purpose of legal advice or litigation privilege
  • See Toronto-Dominion Bank v Leigh Instruments Ltd, where excessive internal circulation was a factor in finding a lack of privilege (1997) 32 OR (3d) 575 (OC (GenDiv))

Privilege in cybersecurity assessments

• Practice points for documents (including emails and attachments):
  • Appropriately mark documents as being "privileged and confidential"
  • Limit the circulation of legal advice to necessary recipients
  • Communicate legal advice separately from the communication of business advice
  • When acting as counsel (as opposed to acting in some business capacity), identify that capacity clearly in communications

Privilege in data breach response

• Does your organization have formal protocols in place to ensure that legal counsel is involved and privilege issues are considered in data breach response?
  • Yes 29%
  • No 34%
  • I don't know 37%

Privilege in data breach response

• Target suspects a breach and retains outside counsel
• Target forms a Data Breach Task Force (at request of in-house and outside counsel) to educate the lawyers for legal advice and to prepare for litigation
• Target takes a two-track approach:
  • Outside counsel set up the DBTF and engaged Verizon to educate the lawyers about the breach for the purpose of providing legal advice to Target
  • Target conducted its own ordinary-course investigation and a second team from Verizon investigated the breach on behalf of credit card brands so that they and Target could learn how the breach happened

Privilege in data breach response

• "Target demonstrated through the declaration of [Chief Legal Officer] Timothy Baer that the work of the Data Breach Task Force was focused not on remediation of the breach as Plaintiffs contend but on informing Target's inhouse and outside counsel about the breach so that Target's attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow"

In re Target Corp Customer Data Security Breach Litigation No 014-md-02522 (D Minn Oct 23 2015)

Privilege in data breach response

• "Solicitor-client privilege also extends to communications and circumstances where the third party employs an expertise in assembling information provided by the client and in explaining that information to the solicitor. The third party in such a situation is making the information relevant to the legal issues on which the solicitor's advice is sought. The third party's role in a situation of this nature is akin to a translator. The third party is an "agent of transmission" of communication between the client and the lawyer"

Redhead Equipment Ltd v Canada (Attorney General) 2014 SKQB 172

Privilege in data breach response

• Consider using external litigation counsel for investigations
• Clearly state in the investigator's retainer letter that legal advice is sought and that privilege is asserted
• Where litigation is contemplated, consider retaining litigation counsel and marking documents appropriately ("prepared on instructions from litigation counsel and in anticipation of litigation")

Privilege in data breach response

• Consider having all communications flow through counsel but… it has been held that a process of routinely submitting copies of documents to a lawyer in the hope of shielding relevant and non-privileged documents is improper
  • Guelph v Super Blue Box Recycling (2004) 2 CPC (6th) 276 (Ont SCJ)
  • Cusson v Quan (2004) 10 CPC (6th) 308 (Ont SCJ)

Key changes to PIPEDA

• What is a breach?
  • "breach of security safeguards" means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from
    • a breach of an organization's security safeguards or
    • from a failure to establish those safeguards

Key changes to PIPEDA

• What is the threshold for notice?
  • Notice is required where it is reasonable in the circumstances to believe that there is a "real risk of significant harm"
  • "significant harm" includes humiliation, ID theft, damage to reputation or relationships
  • "real risk" requires consideration of sensitivity of the information, probability of misuse and prescribed factors

Key changes to PIPEDA

• Who must notice be given to?
  • Notice to individuals except where prohibited by law
  • If notice given to individuals, notice must be given to other organizations and government if (a) notifying organization believes it may reduce risk or mitigate harm or (b) in prescribed circumstances
  • Report to Commissioner in prescribed form and manner where "real risk of significant harm"

Key changes to PIPEDA

• When and how to give notices and reports
  • Notice to individuals and other organizations and report to Commissioner must be given "as soon as feasible" after it is determined that a breach occurred
  • Notice must be conspicuous and direct, in the prescribed form and manner, except where indirect notice is prescribed

Key changes to PIPEDA

• What must notices contain?
  • Notice must contain (a) sufficient information to allow an individual to understand the significance of the breach to them and to take steps, if possible, to reduce the risk of harm or mitigate it and (b) any other prescribed information

Key changes to PIPEDA

• Mandatory breach record keeping
  • Organizations must keep a record of every breach in accordance with any prescribed requirements
  • No threshold for record keeping requirement
  • The Commissioner may obtain access to or a copy of all breach records at any time for any reason and publish such information

Key changes to PIPEDA

• Each knowing contravention of the breach reporting and notice rules or the breach record-keeping rules can result in:
  • A summary offence and a $10,000 fine or
  • An indictable offence and a fine of up to $100,000

Ethical and professionalism issues

• Scenario update
  • It is known that the hackers stole the following:
    • Name, address, date of birth, email, password, phone number, purchase history and credit card information
  • A few customers have called to report fraudulent activity
  • An office manager has instructed you to send the following notice, which he discussed with the CEO:

"We recently learned that some of your personal information might have been affected in a security incident but we do not have any reason to suspect that it will be misused"

Ethical and professionalism issues

As in-house counsel, would you decide to:

1. Send the notice as instructed
2. Send the notice as you think it should be written
3. Raise the issue with the CEO and GC

Unprecedented activity and certifications

• Privacy class actions certified
  • LaRose v National Bank 2010 QCCS 5385
  • Elkoby v Google 2011 QSC No 500-06-000567
  • Rowlands v Durham Region 2012 ONSC 3948
  • Albilia v Apple Inc 2013 QCCS 2805
  • Evans v The Bank of Nova Scotia 2014 ONSC 7249
  • Belley v TD Auto Finance 2015 QCCS 168
  • Condon v Canada 2015 FCA 159
  • Doe v The Queen 2015 FC 916

Individual damage awards

• Early statutory tort claims
• Numerous PIPEDA cases
  • Nammo v TransUnion 2010 FC 1284
  • Girao v Zarek Taylor LLP 2011 FC 1070
  • Landry v Royal Bank of Canada 2011 FC 687
  • Biron v RBC Royal Bank 2012 FC 1095
  • Chitrakar v Bell TV 2013 FC 1103
  • Henry v Bell Mobility 2014 FC 555

22

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Individual damage awards (contrsquod)

bull Jones v Tsige 2012 ONCA 32

bull Alberta v Union of Provincial Employees 2012 CanLII 47215

bull Action Auto Leasing v Gray [2013] OJ No 898

bull McIntosh v Legal Aid Ontario 2014 ONSC 6136

bull Albayate v Bank of Montreal 2015 BCSC 695

Business practice claims

bull Plimmer v Google 2013 BCSC 681

bull Albilia v Apple inc 2013 QCCS 2805

bull Douez v Facebook Inc 2015 BCCA 27

bull Bell 2015 (Relevant Ads Program litigation)

23

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Employees cause issues

bull MacEachern v Ford Ontario SCJ No CV-13-18955

bull Hynes v Western Regional Health 2014 NLTD(G) 137

bull Broutzas v Rouge Valley Centenary 2014

bull Hopkins v Kay 2015 ONCA 112

bull Evans v The Bank of Nova Scotia 2014 ONSC 7249

bull Doe v The Queen 2015 FC 916

bull Condon v Canada 2015 FCA 159

Incident response matters

bull Townsend v Sun Life Financial 2012 FC 550

bull Jones v Tsige 2012 ONCA 32

bull Chitrakar v Bell TV 2013 FC 1103

bull Evans v The Bank of Nova Scotia 2014 ONSC 7249

bull Belley v TD Auto Finance 2015 QCCS 168

24

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Theories of liability

bull Claims have been based on

bull Intrusion upon seclusion

bull Breach of contract

bull Negligence

bull Statutory privacy torts

bull Breach of data protection laws

bull Public disclosure of private facts

bull Waiver of tort

bull Misrepresentation

bull Breach of warranty

bull Breach of confidence

bull Nuisance

bull Vicarious liability

Key issues on the horizon

bull Impact of PIPEDA amendments and breach regulations

including on provincial laws

bull Potential impacts of EU Safe Harbour decision

bull Continued progress (and settlements) of privacy class actions

bull Impact of CASL

bull actual loss or damage suffered or expenses incurred and

bull a maximum of

bull $200 for each contravention of section 6 not exceeding

$1000000 for each day on which a contravention occurred

bull $1000000 for each day on which a contravention of section 7

or 8 occurred and

bull $1000000 for each contravention of section 9

25

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key issues on the horizon

Key issues on the horizon

26

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key issues on the horizon

bull Collier v Steinhafel Case No 14ndash00266 (D Minn Jan 29

2014)

bull Kula v Steinhafel Case No 14ndash00203 (D Minn Jan 21

2014)

bull Palkon etc v Holmes et al United States District Court

District of New Jersey Civil Action No 214 - CV ndash 01234

(SRC)

bull Louisiana Mun Police Employees Retirement Fund v

Alvarez 2010 Del Ch LEXIS 160 (Del Ch July 14 2010)

Key issues on the horizon

bull Cyber insurance

27

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key issues on the horizon

bull Ensure that your role as counsel is clearly defined

bull Legal risk is a crucial consideration - consider

bull Privacy policy and consent reviews

bull Vendor contract reviews

bull MampA transactions

bull Risk transfer (contracts and insurance)

bull Policies and procedures meet legal standards

bull Incident response plan is implemented and tested

bull Protocols regarding legal role in vendor contracts

cybersecurity reviews and incident response plans

Page 11: Cybersecurity and Data Breaches: Essentials for …d2cuav766x88m8.cloudfront.net/2015/011-Cybersecurity...4 Cybersecurity and Data Breaches: Essentials for Corporate Counsel A joint

11

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull ldquothere is generally no assumption that legal advice was the

focus of communications between a client and in-house

counsel even when the latter is employed as in-house

counsel As in-house counsel often wear various hats a

factual foundation is required to demonstrate with respect

to each document sheltered by privilege that in-house

counsels involvement with the issue as qua-counselrdquo

bull BIE Health Products v Canada (Attorney General) 2015 ONSC 544

Privilege in cybersecurity assessments

bull Practice points for meetings

bull Limit attendance to those actually required to be there

bull Be careful regarding the content and circulation of minutes

and other documents

bull Determine the subject of meetings in advance and be

explicit if it is for the purpose of legal advice or litigation

privilege

bull See Toronto-Dominion Bank v Leigh Instruments Ltd where

excessive internal circulation was a factor in finding a lack of privilege

(1997) 32 OR (3d) 575 (OC (GenDiv))

12

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in cybersecurity assessments

bull Practice points for documents (including emails and

attachments)

bull Appropriately mark documents as being ldquoprivileged and

confidentialrdquo

bull Limit the circulation of legal advice to necessary recipients

bull Communicate legal advice separately from the

communication of business advice

bull When acting as counsel (as opposed to acting in some

business capacity) identify that capacity clearly in

communications

Privilege in data breach response

bull Does your organization have formal protocols in place to

ensure that legal counsel is involved and privilege issues are

considered in data breach response

bull Yes 29

bull No 34

bull I donrsquot know 37

13

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

Privilege in data breach response

bull Target suspects a breach and retains outside counsel

bull Target forms a Data Breach Task Force (at request of in-

house and outside counsel) to educate the lawyers for legal

advice and to prepare for litigation

bull Target takes a two-track approach

bull Outside counsel set up the DBTF and engaged Verizon to

educate the lawyers about the breach for the purpose of

providing legal advice to Target

bull Target conducted its own ordinary-course investigation and

a second team from Verizon investigated the breach on

behalf of credit card brands so that they and Target could

learn how the breach happened

14

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

bull ldquoTarget demonstrated through the declaration of [Chief Legal

Officer] Timothy Baer that the work of the Data Breach

Task Force was focused not on remediation of the

breach as Plaintiffs contend but on informing Targetrsquos

inhouse and outside counsel about the breach so that

Targetrsquos attorneys could provide the company with legal

advice and prepare to defend the company in litigation that

was already pending and was reasonably expected to followrdquo

In re Target Corp Customer Data Security Breach Litigation No 014-md-

02522 (D Minn Oct 23 2015)

Privilege in data breach response

bull ldquoSolicitor-client privilege also extends to communications and

circumstances where the third party employs an expertise

in assembling information provided by the client and in

explaining that information to the solicitor The third party

in such a situation is making the information relevant to the

legal issues on which the solicitors advice is sought The third

partys role in a situation of this nature is akin to a translator

The third party is an ldquoagent of transmissionrdquo of communication

between the client and the lawyerrdquo

Redhead Equipment Ltd v Canada (Attorney General) 2014 SKQB 172

15

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

bull Consider using external litigation counsel for investigations

bull Clearly state in the investigatorrsquos retainer letter that legal

advice is sought and that privilege is asserted

bull Where litigation is contemplated consider retaining litigation

counsel and marking documents appropriately (ldquoprepared on

instructions from litigation counsel and in anticipation of

litigationrdquo)

Privilege in data breach response

bull Consider having all communications flow through counsel

buthellip it has been held that a process of routinely submitting

copies of documents to a lawyer in the hope of shielding

relevant and non-privileged documents is improper

bull Guelph v Super Blue Box Recycling (2004) 2 CPC (6th) 276

(Ont SCJ)

bull Cusson v Quan (2004) 10 CPC (6th) 308 (Ont SCJ)

16

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull What is a breach

bull ldquobreach of security safeguardsrdquo means the loss of

unauthorized access to or unauthorized disclosure of

personal information resulting from

bull a breach of an organizationrsquos security safeguards or

bull from a failure to establish those safeguards

Key changes to PIPEDA

bull What is the threshold for notice

bull Notice is required where it is reasonable in the

circumstances to believe that there is a ldquoreal risk of

significant harmrdquo

bull ldquosignificant harmrdquo includes humiliation ID theft damage to

reputation or relationships

bull ldquoreal riskrdquo requires consideration of sensitivity of the

information probability of misuse and prescribed factors

17

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull Who must notice be given to

bull Notice to individuals except where prohibited by law

bull If notice given to individuals notice must be given to other

organizations and government if (a) notifying

organization believes it may reduce risk or mitigate harm

or (b) in prescribed circumstances

bull Report to Commissioner in prescribed form and manner

where ldquoreal risk of significant harmrdquo

Key changes to PIPEDA

bull When and how to give notices and reports

bull Notice to individuals and other organizations and report to

Commissioner must be given ldquoas soon as feasiblerdquo after

it is determined that a breach occurred

bull Notice must be conspicuous and direct in the prescribed

form and manner except where indirect notice is

prescribed

18

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull What must notices contain

bull Notice must contain (a) sufficient information to allow an

individual to understand the significance of the breach to

them and to take steps if possible to reduce the risk of

harm or mitigate it and (b) any other prescribed

information

Key changes to PIPEDA

bull Mandatory breach record keeping

bull Organizations must keep a record of every breach in

accordance with any prescribed requirements

bull No threshold for record keeping requirement

bull The Commissioner may obtain access to or a copy of

all breach records at any time for any reason and publish

such information

19

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull Each knowing contravention of the breach reporting and

notice rules or the breach record-keeping rules can result in

bull A summary offence and a $10000 fine or

bull An indictable offence and a fine of up to $100000

Ethical and professionalism issues

bull Scenario update

bull It is known that the hackers stole the following

bull Name address date of birth email password phone number

purchase history and credit card information

bull A few customers have called to report fraudulent activity

bull An office manager has instructed you to send the following

notice which he discussed with the CEO

ldquoWe recently learned that some of your personal information

might have been affected in a security incident but we do not

have any reason to suspect that it will be misusedrdquo

20

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Ethical and professionalism issues

As in-house counsel would you decide to

1 Send the notice as instructed

2 Send the notice as you think it should be written

3 Raise the issue with the CEO and GC

21

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Unprecedented activity and certifications

bull Privacy class actions certified

bull LaRose v National Bank 2010 QCCS 5385

bull Elkoby v Google 2011 QSC No 500-06-000567

bull Rowlands v Durham Region 2012 ONSC 3948

bull Albilia v Apple Inc 2013 QCCS 2805

bull Evans v The Bank of Nova Scotia 2014 ONSC 7249

bull Belley v TD Auto Finance 2015 QCCS 168

bull Condon v Canada 2015 FCA 159

bull Doe v The Queen 2015 FC 916

Individual damage awards

bull Early statutory tort claims

bull Numerous PIPEDA cases

bull Nammo v TransUnion 2010 FC 1284

bull Girao v Zarek Taylor LLP 2011 FC 1070

bull Landry v Royal Bank of Canada 2011 FC 687

bull Biron v RBC Royal Bank 2012 FC 1095

bull Chitrakar v Bell TV 2013 FC 1103

bull Henry v Bell Mobility 2014 FC 555

22

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Individual damage awards (contrsquod)

bull Jones v Tsige 2012 ONCA 32



Privilege in cybersecurity assessments

• Practice points for documents (including emails and attachments)
  • Appropriately mark documents as being “privileged and confidential”
  • Limit the circulation of legal advice to necessary recipients
  • Communicate legal advice separately from the communication of business advice
  • When acting as counsel (as opposed to acting in some business capacity), identify that capacity clearly in communications

Privilege in data breach response

• Does your organization have formal protocols in place to ensure that legal counsel is involved and privilege issues are considered in data breach response?
  • Yes 29%
  • No 34%
  • I don’t know 37%


Privilege in data breach response

• Target suspects a breach and retains outside counsel
• Target forms a Data Breach Task Force (at request of in-house and outside counsel) to educate the lawyers for legal advice and to prepare for litigation
• Target takes a two-track approach
  • Outside counsel set up the DBTF and engaged Verizon to educate the lawyers about the breach for the purpose of providing legal advice to Target
  • Target conducted its own ordinary-course investigation, and a second team from Verizon investigated the breach on behalf of credit card brands so that they and Target could learn how the breach happened


Privilege in data breach response

• “Target demonstrated, through the declaration of [Chief Legal Officer] Timothy Baer, that the work of the Data Breach Task Force was focused not on remediation of the breach, as Plaintiffs contend, but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.”
  In re Target Corp Customer Data Security Breach Litigation No 014-md-02522 (D Minn Oct 23 2015)

Privilege in data breach response

• “Solicitor-client privilege also extends to communications and circumstances where the third party employs an expertise in assembling information provided by the client and in explaining that information to the solicitor. The third party in such a situation is making the information relevant to the legal issues on which the solicitor’s advice is sought. The third party’s role in a situation of this nature is akin to a translator. The third party is an “agent of transmission” of communication between the client and the lawyer.”
  Redhead Equipment Ltd v Canada (Attorney General) 2014 SKQB 172


Privilege in data breach response

• Consider using external litigation counsel for investigations
• Clearly state in the investigator’s retainer letter that legal advice is sought and that privilege is asserted
• Where litigation is contemplated, consider retaining litigation counsel and marking documents appropriately (“prepared on instructions from litigation counsel and in anticipation of litigation”)

Privilege in data breach response

• Consider having all communications flow through counsel but… it has been held that a process of routinely submitting copies of documents to a lawyer in the hope of shielding relevant and non-privileged documents is improper
  • Guelph v Super Blue Box Recycling (2004) 2 CPC (6th) 276 (Ont SCJ)
  • Cusson v Quan (2004) 10 CPC (6th) 308 (Ont SCJ)


Key changes to PIPEDA

• What is a breach?
  • “breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from
    • a breach of an organization’s security safeguards or
    • from a failure to establish those safeguards

Key changes to PIPEDA

• What is the threshold for notice?
  • Notice is required where it is reasonable in the circumstances to believe that there is a “real risk of significant harm”
  • “significant harm” includes humiliation, ID theft, damage to reputation or relationships
  • “real risk” requires consideration of sensitivity of the information, probability of misuse and prescribed factors


Key changes to PIPEDA

• Who must notice be given to?
  • Notice to individuals except where prohibited by law
  • If notice given to individuals, notice must be given to other organizations and government if (a) notifying organization believes it may reduce risk or mitigate harm or (b) in prescribed circumstances
  • Report to Commissioner in prescribed form and manner where “real risk of significant harm”

Key changes to PIPEDA

• When and how to give notices and reports
  • Notice to individuals and other organizations and report to Commissioner must be given “as soon as feasible” after it is determined that a breach occurred
  • Notice must be conspicuous and direct, in the prescribed form and manner, except where indirect notice is prescribed


Key changes to PIPEDA

• What must notices contain?
  • Notice must contain (a) sufficient information to allow an individual to understand the significance of the breach to them and to take steps, if possible, to reduce the risk of harm or mitigate it and (b) any other prescribed information

Key changes to PIPEDA

• Mandatory breach record keeping
  • Organizations must keep a record of every breach in accordance with any prescribed requirements
  • No threshold for record keeping requirement
  • The Commissioner may obtain access to or a copy of all breach records at any time for any reason and publish such information


Key changes to PIPEDA

• Each knowing contravention of the breach reporting and notice rules or the breach record-keeping rules can result in
  • A summary offence and a $10,000 fine or
  • An indictable offence and a fine of up to $100,000

Ethical and professionalism issues

• Scenario update
  • It is known that the hackers stole the following
    • Name, address, date of birth, email, password, phone number, purchase history and credit card information
  • A few customers have called to report fraudulent activity
  • An office manager has instructed you to send the following notice, which he discussed with the CEO

“We recently learned that some of your personal information might have been affected in a security incident but we do not have any reason to suspect that it will be misused.”


Ethical and professionalism issues

As in-house counsel, would you decide to:

1. Send the notice as instructed
2. Send the notice as you think it should be written
3. Raise the issue with the CEO and GC


Unprecedented activity and certifications

• Privacy class actions certified
  • LaRose v National Bank 2010 QCCS 5385
  • Elkoby v Google 2011 QSC No 500-06-000567
  • Rowlands v Durham Region 2012 ONSC 3948
  • Albilia v Apple Inc 2013 QCCS 2805
  • Evans v The Bank of Nova Scotia 2014 ONSC 7249
  • Belley v TD Auto Finance 2015 QCCS 168
  • Condon v Canada 2015 FCA 159
  • Doe v The Queen 2015 FC 916

Individual damage awards

• Early statutory tort claims
• Numerous PIPEDA cases
  • Nammo v TransUnion 2010 FC 1284
  • Girao v Zarek Taylor LLP 2011 FC 1070
  • Landry v Royal Bank of Canada 2011 FC 687
  • Biron v RBC Royal Bank 2012 FC 1095
  • Chitrakar v Bell TV 2013 FC 1103
  • Henry v Bell Mobility 2014 FC 555


Individual damage awards (cont’d)

• Jones v Tsige 2012 ONCA 32
• Alberta v Union of Provincial Employees 2012 CanLII 47215
• Action Auto Leasing v Gray [2013] OJ No 898
• McIntosh v Legal Aid Ontario 2014 ONSC 6136
• Albayate v Bank of Montreal 2015 BCSC 695

Business practice claims

• Plimmer v Google 2013 BCSC 681
• Albilia v Apple Inc 2013 QCCS 2805
• Douez v Facebook Inc 2015 BCCA 27
• Bell 2015 (Relevant Ads Program litigation)


Employees cause issues

• MacEachern v Ford Ontario SCJ No CV-13-18955
• Hynes v Western Regional Health 2014 NLTD(G) 137
• Broutzas v Rouge Valley Centenary 2014
• Hopkins v Kay 2015 ONCA 112
• Evans v The Bank of Nova Scotia 2014 ONSC 7249
• Doe v The Queen 2015 FC 916
• Condon v Canada 2015 FCA 159

Incident response matters

• Townsend v Sun Life Financial 2012 FC 550
• Jones v Tsige 2012 ONCA 32
• Chitrakar v Bell TV 2013 FC 1103
• Evans v The Bank of Nova Scotia 2014 ONSC 7249
• Belley v TD Auto Finance 2015 QCCS 168


Theories of liability

• Claims have been based on
  • Intrusion upon seclusion
  • Breach of contract
  • Negligence
  • Statutory privacy torts
  • Breach of data protection laws
  • Public disclosure of private facts
  • Waiver of tort
  • Misrepresentation
  • Breach of warranty
  • Breach of confidence
  • Nuisance
  • Vicarious liability

Key issues on the horizon

• Impact of PIPEDA amendments and breach regulations, including on provincial laws
• Potential impacts of EU Safe Harbour decision
• Continued progress (and settlements) of privacy class actions
• Impact of CASL
  • actual loss or damage suffered or expenses incurred and
  • a maximum of
    • $200 for each contravention of section 6, not exceeding $1,000,000 for each day on which a contravention occurred
    • $1,000,000 for each day on which a contravention of section 7 or 8 occurred and
    • $1,000,000 for each contravention of section 9


Key issues on the horizon

• Collier v Steinhafel Case No 14–00266 (D Minn Jan 29 2014)
• Kula v Steinhafel Case No 14–00203 (D Minn Jan 21 2014)
• Palkon etc v Holmes et al United States District Court District of New Jersey Civil Action No 214 - CV – 01234 (SRC)
• Louisiana Mun Police Employees Retirement Fund v Alvarez 2010 Del Ch LEXIS 160 (Del Ch July 14 2010)

Key issues on the horizon

• Cyber insurance


Key issues on the horizon

• Ensure that your role as counsel is clearly defined
• Legal risk is a crucial consideration - consider
• Privacy policy and consent reviews
• Vendor contract reviews
• M&A transactions
• Risk transfer (contracts and insurance)
• Policies and procedures meet legal standards
• Incident response plan is implemented and tested
• Protocols regarding legal role in vendor contracts, cybersecurity reviews and incident response plans

Page 13: Cybersecurity and Data Breaches: Essentials for …d2cuav766x88m8.cloudfront.net/2015/011-Cybersecurity...4 Cybersecurity and Data Breaches: Essentials for Corporate Counsel A joint

13

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

Privilege in data breach response

bull Target suspects a breach and retains outside counsel

bull Target forms a Data Breach Task Force (at request of in-

house and outside counsel) to educate the lawyers for legal

advice and to prepare for litigation

bull Target takes a two-track approach

bull Outside counsel set up the DBTF and engaged Verizon to

educate the lawyers about the breach for the purpose of

providing legal advice to Target

bull Target conducted its own ordinary-course investigation and

a second team from Verizon investigated the breach on

behalf of credit card brands so that they and Target could

learn how the breach happened

14

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

bull ldquoTarget demonstrated through the declaration of [Chief Legal

Officer] Timothy Baer that the work of the Data Breach

Task Force was focused not on remediation of the

breach as Plaintiffs contend but on informing Targetrsquos

inhouse and outside counsel about the breach so that

Targetrsquos attorneys could provide the company with legal

advice and prepare to defend the company in litigation that

was already pending and was reasonably expected to followrdquo

In re Target Corp Customer Data Security Breach Litigation No 014-md-

02522 (D Minn Oct 23 2015)

Privilege in data breach response

bull ldquoSolicitor-client privilege also extends to communications and

circumstances where the third party employs an expertise

in assembling information provided by the client and in

explaining that information to the solicitor The third party

in such a situation is making the information relevant to the

legal issues on which the solicitors advice is sought The third

partys role in a situation of this nature is akin to a translator

The third party is an ldquoagent of transmissionrdquo of communication

between the client and the lawyerrdquo

Redhead Equipment Ltd v Canada (Attorney General) 2014 SKQB 172

15

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

bull Consider using external litigation counsel for investigations

bull Clearly state in the investigatorrsquos retainer letter that legal

advice is sought and that privilege is asserted

bull Where litigation is contemplated consider retaining litigation

counsel and marking documents appropriately (ldquoprepared on

instructions from litigation counsel and in anticipation of

litigationrdquo)

Privilege in data breach response

bull Consider having all communications flow through counsel

buthellip it has been held that a process of routinely submitting

copies of documents to a lawyer in the hope of shielding

relevant and non-privileged documents is improper

bull Guelph v Super Blue Box Recycling (2004) 2 CPC (6th) 276

(Ont SCJ)

bull Cusson v Quan (2004) 10 CPC (6th) 308 (Ont SCJ)

16

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull What is a breach

bull ldquobreach of security safeguardsrdquo means the loss of

unauthorized access to or unauthorized disclosure of

personal information resulting from

bull a breach of an organizationrsquos security safeguards or

bull from a failure to establish those safeguards

Key changes to PIPEDA

bull What is the threshold for notice

bull Notice is required where it is reasonable in the

circumstances to believe that there is a ldquoreal risk of

significant harmrdquo

bull ldquosignificant harmrdquo includes humiliation ID theft damage to

reputation or relationships

bull ldquoreal riskrdquo requires consideration of sensitivity of the

information probability of misuse and prescribed factors

17

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull Who must notice be given to

bull Notice to individuals except where prohibited by law

bull If notice given to individuals notice must be given to other

organizations and government if (a) notifying

organization believes it may reduce risk or mitigate harm

or (b) in prescribed circumstances

bull Report to Commissioner in prescribed form and manner

where ldquoreal risk of significant harmrdquo

Key changes to PIPEDA

bull When and how to give notices and reports

bull Notice to individuals and other organizations and report to

Commissioner must be given ldquoas soon as feasiblerdquo after

it is determined that a breach occurred

bull Notice must be conspicuous and direct in the prescribed

form and manner except where indirect notice is

prescribed

18

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull What must notices contain

bull Notice must contain (a) sufficient information to allow an

individual to understand the significance of the breach to

them and to take steps if possible to reduce the risk of

harm or mitigate it and (b) any other prescribed

information

Key changes to PIPEDA

bull Mandatory breach record keeping

bull Organizations must keep a record of every breach in

accordance with any prescribed requirements

bull No threshold for record keeping requirement

bull The Commissioner may obtain access to or a copy of

all breach records at any time for any reason and publish

such information

19

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull Each knowing contravention of the breach reporting and

notice rules or the breach record-keeping rules can result in

bull A summary offence and a $10000 fine or

bull An indictable offence and a fine of up to $100000

Ethical and professionalism issues

bull Scenario update

bull It is known that the hackers stole the following

bull Name address date of birth email password phone number

purchase history and credit card information

bull A few customers have called to report fraudulent activity

bull An office manager has instructed you to send the following

notice which he discussed with the CEO

ldquoWe recently learned that some of your personal information

might have been affected in a security incident but we do not

have any reason to suspect that it will be misusedrdquo

20

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Ethical and professionalism issues

As in-house counsel would you decide to

1 Send the notice as instructed

2 Send the notice as you think it should be written

3 Raise the issue with the CEO and GC

21

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Unprecedented activity and certifications

bull Privacy class actions certified

bull LaRose v National Bank 2010 QCCS 5385

bull Elkoby v Google 2011 QSC No 500-06-000567

bull Rowlands v Durham Region 2012 ONSC 3948

bull Albilia v Apple Inc 2013 QCCS 2805

bull Evans v The Bank of Nova Scotia 2014 ONSC 7249

bull Belley v TD Auto Finance 2015 QCCS 168

bull Condon v Canada 2015 FCA 159

bull Doe v The Queen 2015 FC 916

Individual damage awards

bull Early statutory tort claims

bull Numerous PIPEDA cases

bull Nammo v TransUnion 2010 FC 1284

bull Girao v Zarek Taylor LLP 2011 FC 1070

bull Landry v Royal Bank of Canada 2011 FC 687

bull Biron v RBC Royal Bank 2012 FC 1095

bull Chitrakar v Bell TV 2013 FC 1103

bull Henry v Bell Mobility 2014 FC 555

22

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Individual damage awards (contrsquod)

bull Jones v Tsige 2012 ONCA 32

bull Alberta v Union of Provincial Employees 2012 CanLII 47215

bull Action Auto Leasing v Gray [2013] OJ No 898

bull McIntosh v Legal Aid Ontario 2014 ONSC 6136

bull Albayate v Bank of Montreal 2015 BCSC 695

Business practice claims

bull Plimmer v Google 2013 BCSC 681

bull Albilia v Apple inc 2013 QCCS 2805

bull Douez v Facebook Inc 2015 BCCA 27

bull Bell 2015 (Relevant Ads Program litigation)

23

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Employees cause issues

bull MacEachern v Ford Ontario SCJ No CV-13-18955

bull Hynes v Western Regional Health 2014 NLTD(G) 137

bull Broutzas v Rouge Valley Centenary 2014

bull Hopkins v Kay 2015 ONCA 112

bull Evans v The Bank of Nova Scotia 2014 ONSC 7249

bull Doe v The Queen 2015 FC 916

bull Condon v Canada 2015 FCA 159

Incident response matters

bull Townsend v Sun Life Financial 2012 FC 550

bull Jones v Tsige 2012 ONCA 32

bull Chitrakar v Bell TV 2013 FC 1103

bull Evans v The Bank of Nova Scotia 2014 ONSC 7249

bull Belley v TD Auto Finance 2015 QCCS 168

24

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Theories of liability

bull Claims have been based on

bull Intrusion upon seclusion

bull Breach of contract

bull Negligence

bull Statutory privacy torts

bull Breach of data protection laws

bull Public disclosure of private facts

bull Waiver of tort

bull Misrepresentation

bull Breach of warranty

bull Breach of confidence

bull Nuisance

bull Vicarious liability

Key issues on the horizon

bull Impact of PIPEDA amendments and breach regulations

including on provincial laws

bull Potential impacts of EU Safe Harbour decision

bull Continued progress (and settlements) of privacy class actions

bull Impact of CASL

bull actual loss or damage suffered or expenses incurred and

bull a maximum of

bull $200 for each contravention of section 6 not exceeding

$1000000 for each day on which a contravention occurred

bull $1000000 for each day on which a contravention of section 7

or 8 occurred and

bull $1000000 for each contravention of section 9

25

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key issues on the horizon

Key issues on the horizon

26

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key issues on the horizon

bull Collier v Steinhafel Case No 14ndash00266 (D Minn Jan 29

2014)

bull Kula v Steinhafel Case No 14ndash00203 (D Minn Jan 21

2014)

bull Palkon etc v Holmes et al United States District Court

District of New Jersey Civil Action No 214 - CV ndash 01234

(SRC)

bull Louisiana Mun Police Employees Retirement Fund v

Alvarez 2010 Del Ch LEXIS 160 (Del Ch July 14 2010)

Key issues on the horizon

bull Cyber insurance

27

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key issues on the horizon

bull Ensure that your role as counsel is clearly defined

bull Legal risk is a crucial consideration - consider

bull Privacy policy and consent reviews

bull Vendor contract reviews

bull MampA transactions

bull Risk transfer (contracts and insurance)

bull Policies and procedures meet legal standards

bull Incident response plan is implemented and tested

bull Protocols regarding legal role in vendor contracts

cybersecurity reviews and incident response plans

Page 14: Cybersecurity and Data Breaches: Essentials for …d2cuav766x88m8.cloudfront.net/2015/011-Cybersecurity...4 Cybersecurity and Data Breaches: Essentials for Corporate Counsel A joint

14

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

bull ldquoTarget demonstrated through the declaration of [Chief Legal

Officer] Timothy Baer that the work of the Data Breach

Task Force was focused not on remediation of the

breach as Plaintiffs contend but on informing Targetrsquos

inhouse and outside counsel about the breach so that

Targetrsquos attorneys could provide the company with legal

advice and prepare to defend the company in litigation that

was already pending and was reasonably expected to followrdquo

In re Target Corp Customer Data Security Breach Litigation No 014-md-

02522 (D Minn Oct 23 2015)

Privilege in data breach response

bull ldquoSolicitor-client privilege also extends to communications and

circumstances where the third party employs an expertise

in assembling information provided by the client and in

explaining that information to the solicitor The third party

in such a situation is making the information relevant to the

legal issues on which the solicitors advice is sought The third

partys role in a situation of this nature is akin to a translator

The third party is an ldquoagent of transmissionrdquo of communication

between the client and the lawyerrdquo

Redhead Equipment Ltd v Canada (Attorney General) 2014 SKQB 172

15

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Privilege in data breach response

bull Consider using external litigation counsel for investigations

bull Clearly state in the investigatorrsquos retainer letter that legal

advice is sought and that privilege is asserted

bull Where litigation is contemplated consider retaining litigation

counsel and marking documents appropriately (ldquoprepared on

instructions from litigation counsel and in anticipation of

litigationrdquo)

Privilege in data breach response

bull Consider having all communications flow through counsel

buthellip it has been held that a process of routinely submitting

copies of documents to a lawyer in the hope of shielding

relevant and non-privileged documents is improper

bull Guelph v Super Blue Box Recycling (2004) 2 CPC (6th) 276

(Ont SCJ)

bull Cusson v Quan (2004) 10 CPC (6th) 308 (Ont SCJ)


Key changes to PIPEDA

• What is a breach?

  • “breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from

    • a breach of an organization’s security safeguards or

    • from a failure to establish those safeguards

Key changes to PIPEDA

• What is the threshold for notice?

  • Notice is required where it is reasonable in the circumstances to believe that there is a “real risk of significant harm”

  • “significant harm” includes humiliation, ID theft, damage to reputation or relationships

  • “real risk” requires consideration of sensitivity of the information, probability of misuse and prescribed factors


Key changes to PIPEDA

• Who must notice be given to?

  • Notice to individuals, except where prohibited by law

  • If notice given to individuals, notice must be given to other organizations and government if (a) notifying organization believes it may reduce risk or mitigate harm or (b) in prescribed circumstances

  • Report to Commissioner in prescribed form and manner where “real risk of significant harm”

Key changes to PIPEDA

• When and how to give notices and reports

  • Notice to individuals and other organizations and report to Commissioner must be given “as soon as feasible” after it is determined that a breach occurred

  • Notice must be conspicuous and direct in the prescribed form and manner, except where indirect notice is prescribed


Key changes to PIPEDA

• What must notices contain?

  • Notice must contain (a) sufficient information to allow an individual to understand the significance of the breach to them and to take steps, if possible, to reduce the risk of harm or mitigate it and (b) any other prescribed information

Key changes to PIPEDA

• Mandatory breach record keeping

  • Organizations must keep a record of every breach in accordance with any prescribed requirements

  • No threshold for record keeping requirement

  • The Commissioner may obtain access to, or a copy of, all breach records at any time for any reason and publish such information


Key changes to PIPEDA

• Each knowing contravention of the breach reporting and notice rules or the breach record-keeping rules can result in:

  • A summary offence and a $10,000 fine or

  • An indictable offence and a fine of up to $100,000

Ethical and professionalism issues

• Scenario update

  • It is known that the hackers stole the following:

    • Name, address, date of birth, email, password, phone number, purchase history and credit card information

  • A few customers have called to report fraudulent activity

  • An office manager has instructed you to send the following notice, which he discussed with the CEO:

“We recently learned that some of your personal information might have been affected in a security incident but we do not have any reason to suspect that it will be misused”


Ethical and professionalism issues

As in-house counsel, would you decide to:

1. Send the notice as instructed

2. Send the notice as you think it should be written

3. Raise the issue with the CEO and GC


Unprecedented activity and certifications

• Privacy class actions certified

  • LaRose v National Bank 2010 QCCS 5385

  • Elkoby v Google 2011 QSC No 500-06-000567

  • Rowlands v Durham Region 2012 ONSC 3948

  • Albilia v Apple Inc 2013 QCCS 2805

  • Evans v The Bank of Nova Scotia 2014 ONSC 7249

  • Belley v TD Auto Finance 2015 QCCS 168

  • Condon v Canada 2015 FCA 159

  • Doe v The Queen 2015 FC 916

Individual damage awards

• Early statutory tort claims

• Numerous PIPEDA cases

  • Nammo v TransUnion 2010 FC 1284

  • Girao v Zarek Taylor LLP 2011 FC 1070

  • Landry v Royal Bank of Canada 2011 FC 687

  • Biron v RBC Royal Bank 2012 FC 1095

  • Chitrakar v Bell TV 2013 FC 1103

  • Henry v Bell Mobility 2014 FC 555


Individual damage awards (cont’d)

• Jones v Tsige 2012 ONCA 32

• Alberta v Union of Provincial Employees 2012 CanLII 47215

• Action Auto Leasing v Gray [2013] OJ No 898

• McIntosh v Legal Aid Ontario 2014 ONSC 6136

• Albayate v Bank of Montreal 2015 BCSC 695

Business practice claims

• Plimmer v Google 2013 BCSC 681

• Albilia v Apple Inc 2013 QCCS 2805

• Douez v Facebook Inc 2015 BCCA 27

• Bell 2015 (Relevant Ads Program litigation)


Employees cause issues

• MacEachern v Ford Ontario SCJ No CV-13-18955

• Hynes v Western Regional Health 2014 NLTD(G) 137

• Broutzas v Rouge Valley Centenary 2014

• Hopkins v Kay 2015 ONCA 112

• Evans v The Bank of Nova Scotia 2014 ONSC 7249

• Doe v The Queen 2015 FC 916

• Condon v Canada 2015 FCA 159

Incident response matters

• Townsend v Sun Life Financial 2012 FC 550

• Jones v Tsige 2012 ONCA 32

• Chitrakar v Bell TV 2013 FC 1103

• Evans v The Bank of Nova Scotia 2014 ONSC 7249

• Belley v TD Auto Finance 2015 QCCS 168


Theories of liability

• Claims have been based on:

  • Intrusion upon seclusion

  • Breach of contract

  • Negligence

  • Statutory privacy torts

  • Breach of data protection laws

  • Public disclosure of private facts

  • Waiver of tort

  • Misrepresentation

  • Breach of warranty

  • Breach of confidence

  • Nuisance

  • Vicarious liability

Key issues on the horizon

• Impact of PIPEDA amendments and breach regulations, including on provincial laws

• Potential impacts of EU Safe Harbour decision

• Continued progress (and settlements) of privacy class actions

• Impact of CASL

  • actual loss or damage suffered or expenses incurred and

  • a maximum of

    • $200 for each contravention of section 6, not exceeding $1,000,000 for each day on which a contravention occurred

    • $1,000,000 for each day on which a contravention of section 7 or 8 occurred and

    • $1,000,000 for each contravention of section 9


Key issues on the horizon

• Collier v Steinhafel Case No 14–00266 (D Minn Jan 29 2014)

• Kula v Steinhafel Case No 14–00203 (D Minn Jan 21 2014)

• Palkon etc v Holmes et al United States District Court District of New Jersey Civil Action No 214 - CV – 01234 (SRC)

• Louisiana Mun Police Employees Retirement Fund v Alvarez 2010 Del Ch LEXIS 160 (Del Ch July 14 2010)

Key issues on the horizon

• Cyber insurance


Key issues on the horizon

• Ensure that your role as counsel is clearly defined

• Legal risk is a crucial consideration - consider

• Privacy policy and consent reviews

• Vendor contract reviews

• M&A transactions

• Risk transfer (contracts and insurance)

• Policies and procedures meet legal standards

• Incident response plan is implemented and tested

• Protocols regarding legal role in vendor contracts, cybersecurity reviews and incident response plans

Page 17: Cybersecurity and Data Breaches: Essentials for …d2cuav766x88m8.cloudfront.net/2015/011-Cybersecurity...4 Cybersecurity and Data Breaches: Essentials for Corporate Counsel A joint

17

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull Who must notice be given to

bull Notice to individuals except where prohibited by law

bull If notice given to individuals notice must be given to other

organizations and government if (a) notifying

organization believes it may reduce risk or mitigate harm

or (b) in prescribed circumstances

bull Report to Commissioner in prescribed form and manner

where ldquoreal risk of significant harmrdquo

Key changes to PIPEDA

bull When and how to give notices and reports

bull Notice to individuals and other organizations and report to

Commissioner must be given ldquoas soon as feasiblerdquo after

it is determined that a breach occurred

bull Notice must be conspicuous and direct in the prescribed

form and manner except where indirect notice is

prescribed

18

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

bull What must notices contain

bull Notice must contain (a) sufficient information to allow an

individual to understand the significance of the breach to

them and to take steps if possible to reduce the risk of

harm or mitigate it and (b) any other prescribed

information

Key changes to PIPEDA

bull Mandatory breach record keeping

bull Organizations must keep a record of every breach in

accordance with any prescribed requirements

bull No threshold for record keeping requirement

bull The Commissioner may obtain access to or a copy of

all breach records at any time for any reason and publish

such information

19

Cybersecurity and Data Breaches

Essentials for Corporate Counsel

A joint presentation by Canadian Corporate Counsel Association

The Canadian Bar Association and Fasken Martineau LLP

November 25 2015

Key changes to PIPEDA

• Each knowing contravention of the breach reporting and notice rules or the breach record-keeping rules can result in:
  • A summary offence and a $10,000 fine or
  • An indictable offence and a fine of up to $100,000

Ethical and professionalism issues

• Scenario update
  • It is known that the hackers stole the following:
    • Name, address, date of birth, email, password, phone number, purchase history and credit card information
  • A few customers have called to report fraudulent activity
  • An office manager has instructed you to send the following notice, which he discussed with the CEO:

“We recently learned that some of your personal information might have been affected in a security incident but we do not have any reason to suspect that it will be misused”

Ethical and professionalism issues

As in-house counsel, would you decide to:

1. Send the notice as instructed
2. Send the notice as you think it should be written
3. Raise the issue with the CEO and GC

Unprecedented activity and certifications

• Privacy class actions certified
  • LaRose v National Bank 2010 QCCS 5385
  • Elkoby v Google 2011 QSC No 500-06-000567
  • Rowlands v Durham Region 2012 ONSC 3948
  • Albilia v Apple Inc 2013 QCCS 2805
  • Evans v The Bank of Nova Scotia 2014 ONSC 7249
  • Belley v TD Auto Finance 2015 QCCS 168
  • Condon v Canada 2015 FCA 159
  • Doe v The Queen 2015 FC 916

Individual damage awards

• Early statutory tort claims
• Numerous PIPEDA cases
  • Nammo v TransUnion 2010 FC 1284
  • Girao v Zarek Taylor LLP 2011 FC 1070
  • Landry v Royal Bank of Canada 2011 FC 687
  • Biron v RBC Royal Bank 2012 FC 1095
  • Chitrakar v Bell TV 2013 FC 1103
  • Henry v Bell Mobility 2014 FC 555

Individual damage awards (cont’d)

• Jones v Tsige 2012 ONCA 32
• Alberta v Union of Provincial Employees 2012 CanLII 47215
• Action Auto Leasing v Gray [2013] OJ No 898
• McIntosh v Legal Aid Ontario 2014 ONSC 6136
• Albayate v Bank of Montreal 2015 BCSC 695

Business practice claims

• Plimmer v Google 2013 BCSC 681
• Albilia v Apple inc 2013 QCCS 2805
• Douez v Facebook Inc 2015 BCCA 27
• Bell 2015 (Relevant Ads Program litigation)

Employees cause issues

• MacEachern v Ford Ontario SCJ No CV-13-18955
• Hynes v Western Regional Health 2014 NLTD(G) 137
• Broutzas v Rouge Valley Centenary 2014
• Hopkins v Kay 2015 ONCA 112
• Evans v The Bank of Nova Scotia 2014 ONSC 7249
• Doe v The Queen 2015 FC 916
• Condon v Canada 2015 FCA 159

Incident response matters

• Townsend v Sun Life Financial 2012 FC 550
• Jones v Tsige 2012 ONCA 32
• Chitrakar v Bell TV 2013 FC 1103
• Evans v The Bank of Nova Scotia 2014 ONSC 7249
• Belley v TD Auto Finance 2015 QCCS 168

Theories of liability

• Claims have been based on:
  • Intrusion upon seclusion
  • Breach of contract
  • Negligence
  • Statutory privacy torts
  • Breach of data protection laws
  • Public disclosure of private facts
  • Waiver of tort
  • Misrepresentation
  • Breach of warranty
  • Breach of confidence
  • Nuisance
  • Vicarious liability

Key issues on the horizon

• Impact of PIPEDA amendments and breach regulations, including on provincial laws
• Potential impacts of EU Safe Harbour decision
• Continued progress (and settlements) of privacy class actions
• Impact of CASL
  • actual loss or damage suffered or expenses incurred and
  • a maximum of
    • $200 for each contravention of section 6, not exceeding $1,000,000 for each day on which a contravention occurred
    • $1,000,000 for each day on which a contravention of section 7 or 8 occurred and
    • $1,000,000 for each contravention of section 9

Key issues on the horizon

• Collier v Steinhafel Case No 14–00266 (D Minn Jan 29 2014)
• Kula v Steinhafel Case No 14–00203 (D Minn Jan 21 2014)
• Palkon etc v Holmes et al United States District Court District of New Jersey Civil Action No 214 - CV – 01234 (SRC)
• Louisiana Mun Police Employees Retirement Fund v Alvarez 2010 Del Ch LEXIS 160 (Del Ch July 14 2010)

Key issues on the horizon

• Cyber insurance

Key issues on the horizon

• Ensure that your role as counsel is clearly defined
• Legal risk is a crucial consideration - consider
• Privacy policy and consent reviews
• Vendor contract reviews
• M&A transactions
• Risk transfer (contracts and insurance)
• Policies and procedures meet legal standards
• Incident response plan is implemented and tested
• Protocols regarding legal role in vendor contracts, cybersecurity reviews and incident response plans


Individual damage awards (cont’d)

• Jones v Tsige 2012 ONCA 32

• Alberta v Union of Provincial Employees 2012 CanLII 47215

• Action Auto Leasing v Gray [2013] OJ No 898

• McIntosh v Legal Aid Ontario 2014 ONSC 6136

• Albayate v Bank of Montreal 2015 BCSC 695

Business practice claims

• Plimmer v Google 2013 BCSC 681

• Albilia v Apple inc 2013 QCCS 2805

• Douez v Facebook Inc 2015 BCCA 27

• Bell 2015 (Relevant Ads Program litigation)


Employees cause issues

• MacEachern v Ford Ontario SCJ No CV-13-18955

• Hynes v Western Regional Health 2014 NLTD(G) 137

• Broutzas v Rouge Valley Centenary 2014

• Hopkins v Kay 2015 ONCA 112

• Evans v The Bank of Nova Scotia 2014 ONSC 7249

• Doe v The Queen 2015 FC 916

• Condon v Canada 2015 FCA 159

Incident response matters

• Townsend v Sun Life Financial 2012 FC 550

• Jones v Tsige 2012 ONCA 32

• Chitrakar v Bell TV 2013 FC 1103

• Evans v The Bank of Nova Scotia 2014 ONSC 7249

• Belley v TD Auto Finance 2015 QCCS 168


Theories of liability

• Claims have been based on:

• Intrusion upon seclusion

• Breach of contract

• Negligence

• Statutory privacy torts

• Breach of data protection laws

• Public disclosure of private facts

• Waiver of tort

• Misrepresentation

• Breach of warranty

• Breach of confidence

• Nuisance

• Vicarious liability
