Cyber Risks and M&A Transactions

We have just posted all the content for our BLG series “Privacy & Cyber Risks, Trends & Opportunities for Business.” See here for some very good content by our privacy and data security team.

Here is a direct link to our most recent webinar, which I delivered together with my partner Patrice Martin. It was very rewarding to work with and learn from Patrice, a very well established technology industry and transactions lawyer.

Enjoy. Learn. Get in touch.

Cyber, secrecy and the public body

Here’s a copy of a presentation I gave yesterday at the High Technology Crime Investigation Association virtual conference. It adresses the cyber security pressures on public bodies that arise out of access-to-information legislation, with a segment on how public sector incident response differs from incident response in the private sector

Cyber insurance and incident response practice

Here’s a deck from a Monday panel presentation that I participated in with some colleagues from the sector.  It features a cyber incident scenario and some questions. See if you can answer them, and if you’d like to have a discussion, please comment or get in touch.

Privacy incidents, risks and liability – a legal update

Today I did short update-style presentation at a session jointly-sponsored by the Canadian Insurance Adjusters Association, the Canadian Defence Lawyers and the Canadian Insurance Claims Managers Association. It includes content on breach notification statutory changes and notable case law. Slides below.

Better breach response – how to be good when things go bad

Here’s a presentation my partner Ian Dick and I gave today to an audience of in-house counsel. It’s about the why’s and how’s of breach response planning. The wonderful Karen Gordon of Squeaky Wheel Communications also presented on communicating a data breach, and her slides are attached.

Cyber liability issues – risks, prevention and response

Here’s a one hour private presentation my partner Jeff Goodman and I gave to a group of risk management professionals yesterday. I’d be happy to come to your organization and conduct a similar presentation if you’re interested. Please get in touch.

Intrusive mobile application class action certified in Québec

On June 27, the Superior Court of Québec certified a class action about the alleged intrusive nature of free applications offered through Apple’s “App Store.”

The petitioner alleges that Apple breached various Québec statutes by failing to inform users that free applications would facilitate the collection and use of their personal information, including their “geolocation.” The petitioner also claims that individuals were harmed (a) by the loss of computing resources and (b) by being led to overpay for their Apple devices, such devices being “inextricably linked” to undesirable characteristics associated with free applications distributed through the App Store. The petitioner asked the Court to grant certification so he could prosecute Apple on on behalf of all residents in Canada who downloaded free applications from December 1, 2008 to present.

Apple attacked the action’s suitability for certification on a number of bases. Most fundamentally, it complained that the action provided for an “infinite variety of classes” – for example (and at the least), classes of individuals who were exposed to applications with different information-gathering characteristics. Nonetheless, the Court granted certification of a Québec only class. Its analysis is very forgiving, especially in addressing Apple’s (very valid) concerns about the individualized nature of a consent dispute, which the Court dismissed as follows:

In the Court’s view, all of the Respondents’ arguments regarding the consent or lack thereof, the voluntary provision of information by Class Members and other similar elements that distinguish Class Members between them can be raised by them in their defence or alternatively when dealing with the « lien de causalité ».

Hat tip to BLG and its privacy law blog for this post.

Albilia c Apple Inc, 2013 QCCS 2805 (CanLII).

Settlement approved in Canadian cyber attack suit

On June 10th, the Ontario Superior Court of Justice approved a settlement in a class action brought against Sony of Canada Ltd. and others. The action (for breach of contract) followed an April 2011 cyber attack that targeted accountholder information of approximately 4.5 million individuals enrolled in various Sony online services. The following is the Court’s summary of the settlement:

  • Class Members who had a credit balance in their PSN or SOE account at the time of the Intrusions but have not used any of their accounts shall receive cash payments for credit balances.
  • The Sony Entities will make available online game and service benefits to class members geared principally to the type of account (PSN, Qriocity, and/or SOE) held by the class member at the time of the Intrusions.
  • The settlement benefits are available through a simple process. To become entitled to benefits, Class Members need only to complete a claim form.
  • The Sony Entities will reimburse any Class Members who can demonstrate that they suffered Actual Identity Theft, as defined in the Settlement Agreement. Class Members that prove Identity Theft can submit claims for reimbursement of out-of-pocket payments (not otherwise reimbursed) for expenses that are incurred as a direct result of the Actual Identity Theft, up to a maximum of $2,500.00 per claim.
  • The Sony Entities are to pay for the costs associated with providing notice of the Settlement Agreement and the settlement approval hearing, all administration costs, as well as an agreed amount for plaintiffs’ lawyers’ fees and expenses ($265,000).

The parties sent a notice of certification and notice of motion for settlement approval to 3.5 million e-mail addresses. Fifteen percent of the e-mails were returned as undeliverable, 28 individuals opted out and nobody objected.

Justice Perell noted that the agreement was premised on the understanding that there has in fact been no improper use of personal information resulting in identity theft. He also said, “The Settlement Agreement reflects the state of the law, including possible damage awards, for breach of privacy/intrusion upon seclusion and loss/denial of service claims.”

Maksimovic v Sony of Canada Ltd, 2013 CanLII 41305 (ON SC).

The science of breach prevention and the art of breach response

Data loss prevention and response is a big topic now! The HRSDC lost hard drive is about a huge (but seemingly benign) incident that has attracted great attention. We also have the Obama administration’s attention to corporate network security – such attention given at a time in which sacrifices are being made to corporate network security based on trends such as BYOD.

Here is a practical guide that we’ve prepared to address the salient issues. We hope it’s useful to you.