In recent years, the pervasiveness of computers and the Internet has brought about what has come to be known as the « Digital Age », a new era characterized by unprecedented interconnectivity and interoperability between individuals, machines and networks around the world.
One of the most remarkable aspects of this technological revolution is the ability to convert any type of information (words, images, sounds, etc.) into a standard form, that is « data », and exchange same over the Internet with other entities anywhere in the world almost instantaneously.
In the span of 2-3 decades, this revolution has completely upended our society, in particular the way we interact, communicate and conduct business. This is why a growing majority of businesses have come to depend on computer networks and information systems connected to the Internet to run their operations. This data-driven dependency is only the beginning, as it is expected to increase further with artificial intelligence, automation (Industry 4.0), the development of Internet of Things (IoT) devices, and the rollout of 5G technology.
While these technological innovations provide significant advantages to their users, they also raise important legal issues pertaining to data security and privacy with far-reaching consequences. This is why cybersecurity plays such a determinant role in risk management strategies of modern organizations.
At DUBÉ LATREILLE, our mission is to guide our clients in this complex world so that their businesses benefit from technological progress while minimizing their risks.
The most fundamental change that the Digital Age has brought about is our relationship to data. With its standardization through digitization, businesses and organizations have been processing, collecting and storing a growing volume of data in the normal course of their operations (whether for programs, applications, databases, trade secrets, privileged information, billing, HR, research and development, etc.). This trend (data dependency) is only the beginning as technological developments will continue to require an ever-growing volume of data to maintain or enhance interoperability and interconnectivity between people and systems.
While data has become associated with growth, progress and competitiveness, it also represents a liability as the breach thereof might be the source of significant harm and damages (loss of data, privacy, ID usurpation, fraud, data leak on the Internet, theft of IP, threat to human life, interruption of operations, financial losses, devaluation of shares, etc.). As a result, data constitutes and must be seen as a critical asset to organizations. This is why confidentiality, integrity and accessibility of data are key elements at the very core of cybersecurity.
What is cybersecurity? According to the National Institute of Science and Technology (NIST), cybersecurity can be defined as « the process of protecting information by preventing, detecting, and responding to attacks ». This includes prevention, protection and restoration of computers as well as various electronic communication systems, and, obviously, the protection of information.
However, this is easier said than done for three reasons.
First, cybersecurity is a complex, technical and intangible environment. Second, all Internet-facing or connected organizations are exposed to the threats to data that swarm the web in one form or another. And third, given that the Internet and all the components of the computer industry (firmware, hardware, software, components, etc.) do not have built-in security by design, the responsibility for data protection ultimately rests in the hands of the end users (that is, individuals or organizations), who often do not have the awareness, skills or resources to act accordingly. In addition, cybersecurity is often considered an IT problem and not an operational issue, which explains why cybercrime in recent years has become a growth industry that costs organizations billions of dollars every year.
In light of the above, cybersecurity law is not so much a field of practice per se but rather a risk management approach from a legal perspective, designed to minimize the potential liabilities to which Internet-connected organizations are exposed.
It is a generally well-accepted fact amongst IT and cybersecurity professionals that organizations and businesses which are connected to the Internet (that is, most if not all) are regularly exposed to various types of threats which eventually will manage to compromise their information systems and networks. Therefore, the issue is not whether an organization is likely to suffer a cyberattack but rather when this will occur... As a result, the question that ought to be on the mind of any operation-minded C-suite executive is the following:
Are we prepared to withstand a cyberattack?
Despite the occurrence of several spectacular cyberattacks and data breaches that made the news in recent months (Desjardins, Equifax, Maddison, Microsoft, Yahoo, LinkedIn, Target, etc.), and the likelihood that most organizations will suffer cyber incidents with potentially dramatic consequences in costs and reputation (as is often the case with ransomware attacks and massive theft of Personal Identifying Information), a majority of Canadian and Quebec businesses still neglect to address this clear and present danger with the gravity and urgency that it deserves. This is often due to a lack of awareness of the risks, a lack of resources, and the inherent technical and abstract nature of cybercriminality.
Cybersecurity is like an armour or last line of defense meant to protect an organization’s systems and data from intrusions. These intrusions can be perpetrated either by individuals (for profit, fame or a cause), organized crime, Nation States, or insiders (often an overlooked risk, as was the case with Desjardins). The means to execute these intrusions can take various forms: phishing, social engineering, theft of credentials, human error, system vulnerabilities, and unlawful/illegitimate access to data, to name a few.
If an organization’s cyberdefense fails, the consequences may translate into 4 categories:
That being said, there are a number of strategies, techniques and measures that organizations ought to consider/introduce in the elaboration of their risk management strategy, such as:
Note of encouragement: Although the process of developing and integrating a risk management strategy pertaining to cybersecurity may seem tedious, time-consuming and costly, any effort in that regard will help your organization develop its awareness and capacity to plan for, fend off and/or recover from a cyber incident.
At DUBÉ LATREILLE, we are aware of this challenge, and it is therefore our mission to demonstrate that it is worthwhile for your organization to adopt a proactive posture on these matters and seek to improve same over time.