Data protection and cybersecurity law

In the normal course of business operations, organizations tend to gather potentially vast amounts of sensitive, privileged and/or confidential information or data pertaining to their employees, clients, third-party suppliers, business partners, trade secrets, etc., in order to be more efficient and competitive.

Over time, this data stockpiling phenomenon has accelerated to translate into a major trend with the democratization of computer use and the internet as both means facilitate as never before the storage, management and communication of data. As a result, organizations in just about every field of human activity have developed a quasi-total dependency to computers and the internet without which most could not operate as the data they manage now constitutes a critical asset to business operations.

This dependency makes them vulnerable to attacks and raises fundamental questions:

• Who owns this sensitive, privileged and/or confidential data?
• How is this data to be treated, protected, modified and accessed?            
• And in the event this data is altered, stolen, destroyed or lost, what is the liability of organizations that managed it?
  

In recent years, Canadian businesses and institutions indiscriminately have seen a sharp rise in cyber criminality considering the remote risk of getting caught, the relative ease with attacks can be perpetrated, and the potential for financial gain. While this phenomenon still remains widely misunderstood and reveals how ill-prepared, most organizations are to defend against cyber attacks (theft of data, ransomware, denial of service, etc.), none can afford to remain passive and take a chance as cyber threats could seriously disrupt their business operations. Moreover, with the introduction by the Quebec Government of bill 64 (An Act to modernize legislative provisions as regards the protection of personal information), major changes in the legal obligations and liability of organizations are to be anticipated in the management of the collected data.

Consequently, in order to mitigate operational, reputational and compliance/liability risks, it is essential for organizations to address the issues of data management, cybersecurity and compliance as they constitute, in a digital age, an integral part of business operations.