In August 2023, the U.S. National Institute of Standards and Technology released a public draft of an updated Cybersecurity Framework with significant changes, including an emphasis on governance and supply chain risk management that align with Canadian legal requirements and regulatory guidance. The updated Framework will be an important benchmark resource for Canadian organizations of all kinds and sizes. Background The National Institute of Standards and Technology (NIST) is a U.S. Department of Commerce agency whose mission is to promote American innovation and industrial competitiveness ..read more

Cyber risk management is a fundamental issue for universities, public bodies, and other organizations. The Auditor General of British Columbia recently issued an audit report finding a university’s board of governors had not provided adequate oversight of the university’s cybersecurity risk management practices. The report provides helpful guidance for university boards and other public boards of directors in British Columbia and across Canada. Background Cyber risks – risks of losses and costs/liabilities suffered or incurred by an organization as a result of an incident that adversely affect ..read more

Cybersecurity is a significant challenge for organizations of all kinds and sizes, including small organizations with limited resources for a cybersecurity program. Each of the Canadian Centre for Cyber Security (CCCS), the United States Cybersecurity & Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre (ACSC) have issued recent guidance to help small organizations implement foundational cybersecurity measures to begin building cybersecurity resilience. The cybersecurity challenge Cybersecurity is important for all Canadian organizations. The CCCS’s National Cy ..read more

Cyber risk management is a fundamental issue for organizations of all kinds and sizes. Directors of Canadian corporations have a legal responsibility to ensure their corporations effectively manage cyber risks and are prepared to respond effectively to cybersecurity incidents. Recently refreshed guidance can help corporate directors fulfil their cyber risk management duties. Directors’ duties – Cyber risk management Cyber risks – risks of losses and costs/liabilities suffered or incurred by an organization as a result of an incident that adversely affects the organization’s information technol ..read more

Ransomware attacks are an increasingly common and serious risk for Canadian organizations of all kinds and sizes. The Canadian Centre for Cyber Security’s National Cyber Threat Assessment 2023-2024 warns: “… ransomware is almost certainly the most disruptive form of cybercrime facing Canadians”. This bulletin provides practical suggestions, based on real-world experience, for responding to a ransomware attack. Ransomware attacks Ransomware is malicious software that prevents access to or use of an infected information technology system or device (an IT Resource) or related data, and demands (t ..read more

Data minimization is a fundamental principle of Canadian personal information protection laws and can reduce privacy and cyber risks. Consequently, Canadian organizations should establish and implement written policies and procedures to minimize the personal information they collect and retain. Data minimization Data minimization refers to limiting the collection of information to that which is necessary for specified purposes and disposing of information that is no longer required for the purposes for which it was collected. Information should not be collected or retained on a “just in case ..read more

Privacy and cyber risks are essential considerations for almost all merger, acquisition and financing (“M&A”) transactions. Privacy and cyber risks can affect the viability and value of a transaction, influence the nature and terms of a transaction and, in some circumstances, cause the parties to abandon a transaction. In addition, parties to an M&A transaction and their directors and officers (if applicable) might be legally obligated to address privacy and cyber risks in connection with the transaction and incur potentially significant liabilities if they fail to do so. In Canada, pr ..read more

The U.S. Federal Trade Commission’s 2022 privacy and data security enforcement action regarding the CafePress online retail platform resulted in orders against both parties to a 2020 transaction for the sale of the CafePress business and assets. The enforcement action is a cautionary tale for parties to M&A transactions. The data breach and the transaction CafePress is a popular online platform that allows consumers to purchase officially licensed merchandise and stock and user-customized on-demand products (e.g., clothing, accessories, drinkware and stationary) from virtual shopkeepers. C ..read more

Cybersecurity is a fundamental issue for Canadian organizations of all kinds and sizes, including organizations that use information technology services managed by independent service providers. The Canadian Centre for Cyber Security has issued guidance to help organizations manage cyber risks when procuring and using managed information technology services. Managed IT services and cyber risks Many organizations engage specialist service providers – known as managed service providers (MSPs) – to manage some or all of the organization’s information technology (IT) infrastructure and services (i ..read more

Cybersecurity is a fundamental issue for organizations of all kinds and sizes, but many organizations have limited financial and human resources available to implement comprehensive cybersecurity measures. In October 2022, the Canadian Centre for Cyber Security issued guidance to help Canadian organizations assess and improve their cybersecurity posture and effectively outsource cybersecurity to a managed security service provider. The cybersecurity challenge Cybersecurity is important for all Canadian organizations. The Canadian Centre for Cyber Security’s National Cyber Threat ..read more