Cybersecurity and Security Incident Response

Recent high-profile security breaches have served as a wake-up call for organizations. The increasing breadth and sophistication of cyber attacks have led companies from across the full spectrum of industries to place a renewed emphasis on protecting confidential data such as credit card information, health care data and social insurance numbers.

Data breaches can have significant consequences for an organization – including reputational damage and potential class action lawsuits as well as the associated financial costs of both – leaving senior executives and boards of directors justifiably concerned about their company’s level of cybersecurity preparedness. The ongoing threat of a data breach has opened the door to a series of questions for these organizations: Do we have safeguards in place to prevent a data breach? Are we prepared if we have one? How will the company survive an incident?

Osler has the answers companies need. Our industry-leading Privacy and Data Management team has extensive experience dealing with security incidents arising from a broad range of circumstances, and regularly helps organizations to prepare for security incidents and, in particular, to develop the security incident response protocols they need to protect their confidential and private data.

Security Incident Management

When a company experiences a cyber attack, it’s critical to engage a team of experts that can provide the support and guidance necessary to manage the security incident and the subsequent consequences. Osler’s lawyers have acted on many of the largest and most significant Canadian security incidents and regulatory investigations to date, assisting with breaches related to a variety of situations, including

  • state-sponsored and politically motivated (e.g., Anonymous) cyber attacks
  • misplaced or stolen devices (e.g., laptops, USB keys) containing personal information
  • data extortion
  • misdirected mail and email
  • rogue employees or contractors

Security Incident Support

Dealing with security incidents effectively typically requires support on multiple fronts. Osler’s experienced team can assist with

  • providing direction for internal and external forensic investigations
  • advising on private sector and health sector statutory reporting and notification obligations and best practices, including an assessment of “real risk of significant harm” in the circumstances and the new security breach notification regime under the Personal Information Protection and Electronic Documents Act
  • offering guidance on privacy regulatory authority expectations and liaising with privacy authorities
  • crafting the narrative for verbal and written reports to applicable privacy regulatory authorities
  • drafting notifications to affected individuals
  • liaising with credit monitoring, forensic experts and other key service providers
  • drafting FAQ and other public-facing statements
  • managing any privacy regulatory authority investigations
  • acting on litigation proceedings

Security Incident Readiness

Adopting a proactive approach to security incident response can be invaluable to organizations and will ensure they are prepared in the event of a breach. Members of Osler’s Privacy and Data Management team work regularly with organizations to develop, test and otherwise enhance their security incident response protocols, and assist with integrating security incident response into companies’ broader data governance frameworks.

Litigation Management

Osler’s Privacy and Data Management lawyers work closely with our National Litigation Group and our Class Actions specialty group. Our litigation group has wide-ranging experience on privacy-related proceedings and Osler’s team is currently acting for a number of high-profile clients on privacy class actions that have been filed in Canada.

Representative Mandates

Our Privacy and Data Management team’s representative security incident mandates include acting for

  • a large American retailer in connection with a security incident involving millions of credit card records and email addresses
  • a multinational financial services company in a cybersecurity incident involving millions of email addresses
  • an American retailer regarding the joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Alberta privacy regulatory authority in connection with the cybersecurity incident involving millions of payment card records
  • a global technology and entertainment company in connection with the joint queries by the OPC, Alberta, BC and Québec privacy regulatory authorities in connection with the cybersecurity incident involving millions of customer records
  • a social networking site in connection with the joint queries of the above-noted Canadian privacy regulatory authorities relating to the cybersecurity incident involving the theft of millions of member passwords
  • an online company in connection with the cybersecurity incident involving millions of member passwords and other data
  • a multinational software company regarding the joint investigation of the OPC and the Irish data protection authority in connection with the cybersecurity incident involving millions of user accounts
  • a social networking site on numerous investigations (including an investigation involving a security incident) by the OPC

Key Contacts

Adam Kardash

Partner, Privacy and Data Management, Toronto

Tina Saban, CIPP/C

Associate, Privacy and Data Management, Toronto


Latest Insights

  • Osler Update May 10, 2024

    Emerging AI security risks and considerations: key takeaways from the NIST adversarial machine learning report

    As AI systems become increasingly prevalent and their integration into organizations becomes more entrenched, businesses face novel and evolving...

  • Report May 7, 2024

    Privacy Jurisprudence Review

    Osler's semi-annual Privacy Jurisprudence Review is intended to help busy in-house counsel, Chief Privacy Officers and compliance professionals...

  • Blog Jan 22, 2024

    Law 25: a new enforcement scheme for protection of personal information in the private sector in Québec

    On September 22, 2023, the majority of the amendments to the Québec privacy legislation introduced in the Act to modernize legislative...

  • Osler Update Jan 16, 2024

    Law 25: a new enforcement scheme for protection of personal information in the private sector in Québec

    Last fall, several significant amendments to Québec’s privacy legislation, Law 25, came into force. What do organizations need to consider when...


In the Media

  • Osler News May 21, 2024

    Prominent privacy lawyers Éloïse Gratton and François Joli-Coeur join Osler’s market-leading national Privacy and Data Management practice

    Osler is pleased to welcome prominent privacy law practitioners Éloïse Gratton and François Joli-Coeur to the firm’s market-leading national...

  • Osler News May 5, 2023

    Rosario Cartagena joins Osler’s Privacy and Data Management group as counsel

    Osler welcomes Rosario Cartagena to the firm’s national Privacy and Data Management group as counsel. Rosario is a leading expert in health privacy...

  • Media Mentions Oct 10, 2022

    Ontario’s electronic monitoring legislation must enhance privacy rights for employees, experts say – The Globe and Mail

    Improving the disclosure of provincially-regulated employers who currently do not tell their employees how they are being monitored is a benefit of...

  • Media Mentions Apr 18, 2022

    How should legal departments prepare for, respond to and remediate data breaches? – Canadian Lawyer

    According to the panelists at a recent webinar hosted by the Canadian Legal Innovation Forum, cybersecurity risks and ransomware attacks are on the...
