February 24, 2017
Updated January 29, 2024.
Most organizations (72%) store the personal information of customers. employees, suppliers, vendors or partners, according to the 2023 Canadian Internet Registration Authority (CIRA) Survey. Yet organizations, officers and directors are facing a heightened prevalence of cybersecurity risks attacks. according to CIRA’s 2023 Survey, in the 12 months preceding the survey:
The incidence of cyber attacks attempts and their related costs isn’t the only driver of increased concern about cyber security risks and the related liability exposure:
Privacy Breach Class Action Surge. The surge in privacy breach class actions in Canada is one driving force. For example, on August 5, 2022 the Federal Court of Canada certified a class action in Sweet v. Her Majesty the Queen for two data breaches in which hacker(s) gained access to the personal, financial and other information of what appears to be thousands of Canadians through Government of Canada websites.
Regulatory Action. Regulatory action is another driving force. For example, on January 19, 2017, the Canadian Securities Administrators (CSA) issued Multilateral Staff Notice 51-347 disclosure of cyber security risk and incidents that, while only applicable to reporting issuers, reflects a broader prevalence of, and heightened concern about, cyber security risks and the related liability exposure that all organizations, officers and directors face. And with the rise in statutorily mandated ESG (Environment, Social and Governance) reporting, more organizations will be subject to disclosure obligations.
Generative AI. Concerns about the cyber security risks generative AI poses seems to have bumped concerns posed by concerns about the risks of remote workers. According to CIRA’s 2023 Survey, 68% of organizations worried about potential cyber threats from generative AI. And while only 32% have an AI policy, 41% are currently developing one. That doesn’t mean there are no valid concerns, however, about remote workers. According to CIRA’s 2022 Survey, of the 65% of organizations surveyed with remote workers, 55% considered their organization more vulnerable to cyber threats.
Here’s a five-step cybersecurity mitigation plan that organizations and their board of directors can and should implement now to minimize the growing data breach liability risks of suspected and actual cyber-attacks.
1. Make it a (priority) corporate governance matter
The liability exposure for cybersecurity risks is high and getting higher. These risks warrant high-level attention: have a board member or committee take this on as an important and a priority project – and allocate the necessary resources to do the project well.
Quasi-criminal liability. Failure to follow the Canadian data breach rules under the Digital Privacy Act can lead to quasi-criminal liability (it’s not a criminal offence but it’s subject to a penalty that’s similar to a criminal offence, although the court procedures are less complicated) for both organizations and for directors personally. The Digital Privacy Act amends the federal Personal Information and Protection of Electronic Documents Act (PIPEDA) to mandate a data breach response that includes reporting, notification and record-keeping requirements. When Bill C-27 passes, PIPEDA will be replaced with the Consumer Privacy Protection Act (CPPA), dramatically changing how Canada will protect individuals’ personal information – and regulate organizations’ privacy practices. Among the many changes: more and larger penalties for non-compliance. Yet according to CIRA’s 2022 Survey, only 55% of organizations surveyed were aware of Bill C-27, and of those, 18% remain unready to implement the new requirements – and 7% don’t know whether they’re ready or not. Similarly, if Bill C-26 An Act Respecting Cyber Security (ARCS) passes, “critical industries” will be subject to mandatory cybersecurity, review and assessment of and even intervention by the federal government in cyber compliance and operational situations, and to enforcement mechanisms. According to the 2023 CIRA Survey, 78% support Bill C-26’s objectives.
Civil Liability. Then there are the potential civil lawsuits resulting from the breach: consumers suing the organization for losing their personal (often sensitive financial) information; banks suing the organization for the cost of compensating consumers for financial losses or replacement of financial information (e.g., credit card replacements); and shareholders/investors suing the corporation and the corporate directors personally (derivative actions) for decreased share values. These lawsuits are now par for the course in the U.S. and are migrating to Canada. There are over 80 pending data breach class actions in Canada; several have been or are being certified (authorized by a court to proceed). More are sure to follow as cyber attacks and data breaches become more frequent, people become more knowledgeable about their legal rights, and privacy laws become more developed. And though none (but one in Quebec) of these cases have yet been decided by a court, it’s only a matter of time … and win, lose or draw, the organizations will bear the hefty legal costs associated with defending the legal actions.
Negative Publicity. And don’t underestimate the impact of negative media scrutiny, above and beyond any direct financial liability exposure. to CIRA’s 2023 Survey, 24% of organizations surveyed mentioned reputational damage as an impact of cyber attacks in the last 12 months. With the pervasive and real-time power of the media, all eyes (actual and prospective customers, actual and prospective investors and privacy regulators) will be on the organization.
2. Get a good handle on your legal notification obligations
When a data breach is suspected or actually occurs, organizations need to know who they must – and who they should – tell. According to CIRA’s 2023 Survey, of organizations that experienced a data breach 63% informed management or senior leadership, 52% informed the Board, 44% informed customers – and 42% informed a regulatory body. The trend in these numbers suggests organizations are getting somewhat better at internal and even regulatory reporting – though not necessarily customer notification. Understanding who to notify and when is a critical pre-cursor to creating a response plan that meets the organization’s legal obligations.
Privacy Laws. Only seven Canadian statutes currently specify data breach responses in the private sector. All require notification of the individual(s) whose data has been breached. Most deal specifically with health-related data; only one (Alberta) applies to all personal information held by private organizations:
In addition, the Digital Privacy Act mandates a data breach response including reporting, notification and record-keeping requirements:
Negligence Laws. In addition to the notification requirements under privacy legislation, the organization could also have a broader legal duty under negligence law to notify an individual whose data has been breached if that breach could harm, or could materially increase the risk of harm to, that individual. This broader legal obligation to notify could exist even if there’s no such obligation under privacy legislation.
International Laws. Many organizations will need to also think beyond Canadian borders: the laws of other countries could apply, imposing different notification and disclosure obligations and carrying significant consequences for the organization. For example, on February 3, 2017, the Québec Superior Court authorized a consumer privacy class action in Zuckerman v. Target seeking financial compensation for a data/privacy breach; it was Target’s actions in the U.S. that created significant liability exposure in Canada. Similarly, an organization’s actions in Canada could create significant liability exposure in another country. Many foreign breach notification laws depend on the place of ordinary residence of the individual the breach affects. For example, a Canadian company with information about a California resident who vacations in Canada might have obligations under California’s laws if there’s a breach of the California resident’s information. To complicate things, different jurisdictions have different definitions of “breach” and different notification requirements.
3. Have a good handle on your risk and incident disclosure obligations
Reporting issuers (organizations subject to ongoing public disclosure obligations under securities laws and securities of which are generally traded on a public stock exchange) have additional obligations. Generally, securities laws require reporting issuers to publicly disclose all material changes, material facts and material risks to their business. Multilateral Staff Notice 51-347 disclosure of cyber security risk and incidents is just one of a series of publications the CSA has issued noting the increased frequency, complexity and costs of cyber attacks on organizations, and highlighting the importance of understanding, mitigating and providing effective disclosure of such risks (see also the CSA’s 2016-2019 Business Plan and Staff Notice 11-332). The Staff Notice identifies cybersecurity as a priority area for issuers, reviews previous disclosure practices and offers issuers assistance in discharging their cybersecurity-related disclosure obligations. Staff Notices aren’t “laws”, so they aren’t mandatory per se, but the fact the CSA issued this Staff Notice suggests it’s concerned that reporting issuers aren’t adequately disclosing cyber risks.
Risk Factor Disclosure. Sixty-one percent of the 240 issuers the CSA reviewed mentioned cybersecurity as part of their risk factor disclosure, mainly becuase of their reliance on information technology systems and third-party risk exposure. The potential impacts of data breaches that issuers identified included: operational delays (for example, production downtimes or plant and utility outages); inability to manage the supply chain; inability to process customer transactions or otherwise service customers; inventory management disruptions; lost R&D data; and intellectual property devaluation. The CSA concluded the ubiquity of cybersecurity concerns led issuers to use generalized “boilerplate” language in their risk factor disclosure. It admonished issuers for doing so and suggested they instead pay attention to their specific circumstances, particularly in terms of exposure and preparedness. There’s an express expectation that the issuer will disclose specific risks rather than generic risks applicable to all issuers and will tailor disclosure to their specific circumstances. But issuers shouldn’t confuse tailoring disclosure to their specific circumstances with disclosing cybersecurity strategies or vulnerabilities that could compromise it. When determining what information to disclose, issuers need to balance the probability of a breach taking place and the consequences of such a breach.
Cyber Security Incidence Disclosure. Multilateral Staff Notice 51-347 disclosure of cyber security risk and incidents reminds issuers that they must disclose only those security breaches that constitute a material change (requiring immediate disclosure) or a material fact (requiring disclosure as part of its ongoing reporting obligations) to their business. For example, an issuer dealing with highly sensitive data could consider a minor breach to constitute a material change; an issuer dealing with the delivery of services might not. A non-exhaustive list of factors for issuers to consider in determining whether there’s been a material change includes the nature of the issuer and the frequency, scope and consequences of the breach. And since the discovery of cybersecurity breaches tends to be after the breach has occurred, the issuer may have to disclose the incident before resolving the cause to comply with its reporting obligations.
4. Assess your current situation
Once you know what your obligations are, conduct a risk assessment: determine the assets that are most susceptible to a data breach, and determine the greatest cyber threats to which they are exposed. Each risk assessment will be unique to the organization, but all should consider:
Remote Workers. A contingent of remote workers, whether working from home or otherwise, and whether employees or gig workers, increases an organization’s cyber security risk – and most employers know this. Yet according to CIRA’s 2022 Survey, while 86% of organizations surveyed reported they were prepared to address the cyber threats remote work poses, only 26% were “very prepared”. The majority (61%) were only “somewhat prepared” – and 10% were “not very prepared”.
Third-Party Validation. Using third-party experts to validate the risk assessment usually results in more credibility, with the additional benefit of the ability to benchmark against others in your industry.
Insurance. Carefully assess your situation with your insurance broker too because specialized lines of cyber risk insurance are increasingly available – and advisable. According to CIRA’s 2023 Survey, 77% of organizations have cyber security insurance coverage (up from 59% in 2021) but a steady 36% have a cyber security-specific policy. And 84% of those with insurance report their insurance provider has changed the coverage, including increased premiums and requiring new forms of proof or verification of security measures in place. Victims of cyber breaches often discover, too late, that general insurance doesn’t cover their data breach incident.
5. Be well-prepared, well in advance
Poor – or no – planning will lead to a poor response, and a poor response will make the breach and its fallout much, much worse. In contrast, good planning makes a good response more likely, and a good response can make the fallout – or at least the liability – of the breach much, much better. For example, in Lozanski v. The Home Depot, Canadian customers of Home Depot sued in a class action as the result of the theft of their email addresses when Home Depot’s computer system was hacked. The parties settled the lawsuit, but the Ontario Superior Court of Justice had to approve the settlement and the legal fees. A significant factor in the settlement approval, and reduction in the agreed-upon fees, was Home Depot’s response following the data breach, which the court described as “responsible, prompt, generous and exemplary” and which, the court noted, would have led to the approval of a discontinuance of the class action altogether had the parties not settled. According to CIRA’s 2023 Survey, 84% of organizations have a cyber incident response plan – but of these, only 44% have a “comprehensive” plan. Create a well-conceived, thorough data breach action plan to deal with and mitigate an actual or a suspected data breach. Then train all relevant staff on it and rehearse it periodically. The specifics of the plan will vary depending on the nature of the risk exposure uncovered in the assessment, but every plan should:
Act Fast. Mandate that the organization take immediate steps to contain the breach and to mitigate the harm that could result. The exact steps will depend on the nature of the breach but should always include an attempt to retrieve the breached information and limit the further circulation of it and taking all systems offline.
Third Parties. Involve major contractors and service providers in both creating the plan and incorporate them into the plan.
Insurance. Allow for immediate notification to your insurer.
Retain Legal Counsel. Provide for retention of legal counsel (ideally, counsel that will be as ready as the organization and is teed up in advance). Since litigation after a privacy breach is highly likely, it’s critical to take steps to establish and preserve privilege over the organization’s communications and information generated about the breach to prevent it from being used against the organization in litigation.
Law Enforcement. Consider whether the response will include making a report to law enforcement. There’s sometimes a little legal benefit to be gained from doing so, but there may be some public relations benefit.
Communications Plan. Have a communications plan about a breach ready. Don’t let fumbles in the response become the story. Line up internal and/or external resources to create and implement a communications plan about the breach. And assume both that you don’t know the true extent of the breach, and that “outsiders” know more than you do. Provide sufficient detail, including who to call for assistance at the organization.
Legal Notifications & Disclosures. Know who the organization must notify and how – and plan to do it promptly. Delay in the notification will be noticed and become the story and the complaint. So, if there is any delay, be ready to explain it, although most breaches become smaller the more you investigate them. And since the notification is likely to trigger complaints to relevant privacy regulators, provide copies of the mandatory breach report to other Privacy Commissioners who might have an interest in the incident.
Sweat the small stuff. It’s not a requirement but consider whether the organization will offer credit monitoring and in what circumstances (i.e., depending on the nature of the information that’s breached). Anticipate complaints as a result of the disclosures and have a plan to be able to handle the resulting volume of calls/emails. Plan to respond to complaints clearly and directly; advance scripting is beneficial. And apologies go a long way – but don’t accept liability.
Please contact your McInnes Cooper lawyer or any member of our Privacy, Data Protection and Cyber Security Team @ McInnes Cooper to discuss how we can help your organization prepare your data breach risk mitigation plan.
McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.
© McInnes Cooper, 2017. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at [email protected] to request our consent.
Oct 29, 2024
On September 9, 2024, a unanimous Federal Court of Appeal decided consent is to be determined on an objective standard. In an unusual move, in…
Aug 15, 2024
On June 21, 2024, the Supreme Court of Canada concluded – decisively - that the Canadian Charter of Rights and Freedoms applies to protect the…
Jul 16, 2024
The Canadian Security Intelligence Service (CSIS) has been looking for a new production order power; it’s on its way. The role of CSIS is to…
Jun 26, 2024
An increasing number of municipalities in Canada are using public video camera surveillance to promote public safety and help deter crimes like…
Jun 20, 2024
On April 30, 2024, the Ontario Divisional Court decided the victim of a serious cyber security incident was required to produce to privacy…
Apr 30, 2024
Bill C-63, if passed, will create the hotly anticipated Online Harms Act to regulate certain online platforms, create new Criminal Code of…
Mar 14, 2024
On March 1, 2024, the Supreme Court of Canada decided a police request for disclosure of an IP address is a “search” under section 8 of the…
Mar 1, 2024
Updated April 17, 2024. By May 31, 2024 (or possibly earlier for federally incorporated Reporting Entities), Reporting Entities under the…
Dec 15, 2023
Over four years after it began, the federal government still hasn’t finalized its overhaul of the private sector privacy law regime that both…
Sep 25, 2023
There’s a new scam on the web: Electronic Fund Transfer (EFT) scams. Most are familiar with established scams like phishing and ransomware and…
Aug 10, 2023
Canada’s first Tech Talent Strategy aims to aggressively attract tech talent to “fuel innovation and drive emerging technologies forward”.…
Jun 21, 2023
Updated April 17, 2024. On January 1, 2024 the federal Fighting Against Forced Labour and Child Labour in Supply Chains Act (Bill S-211)…
Jun 9, 2023
You arrive at the legendary Madison Square Garden to catch the Mariah Carey concert. It’s the big event of the trip – the reason you came to…
Apr 27, 2023
The benefits to employees, and often to employers, of remote work has made it a staple of today’s workplace. But the move to remote work…
Feb 1, 2023
On January 26, 2023, the Office of the Privacy Commissioner of Canada (OPC) released a report of findings requiring companies using targeted…
Jan 27, 2023
Updated July 7, 2023. Bill 24 An Act to Amend the Business Corporations Act effected significant amendments to the New Brunswick Business…
Jan 26, 2023
In November 2022, the Ontario Court of Appeal definitively decided an organization whose information systems are breached by a malicious third…
Jan 16, 2023
2022 is in the rearview mirror, but the past year left lasting implications for employers. Here’s a retrospective on five of the key 2022…
Dec 6, 2022
On September 22, 2022, the N.L. Supreme Court confirmed the Nunatsiavut Assembly is a legislative body that holds all privileges, immunities,…
Dec 1, 2022
Updated September 5, 2024. The COVID-19 pandemic drove remote work to unprecedented heights. Employee calls for greater flexibility, and cost…
Oct 28, 2022
Finally closing on October 27, 2022, the tumultuous Elon Musk/Twitter M&A deal drama has been unfolding for months, with both sides making…
Jul 20, 2022
There’s a new privacy law coming to Canada. In June, the federal government introduced a complete overhaul of the privacy law regime that both…
Jun 30, 2022
On June 16, 2022, the federal government took a second shot at a complete overhaul of the private sector privacy law regime that both protects…
May 20, 2022
On May 22, 2010 (affectionately known as “Bitcoin Pizza Day”), a Floridian bought two Papa John's pizzas with Bitcoin. The day is famous…
Apr 20, 2022
If you’ve reached the stage in your financing lifecycle where you’re ready to take your company public, you might think you’ve only got…
Feb 23, 2022
On April 1, 2022, changes to the Newfoundland and Labrador Corporations Act proposed in Bill 24 An Act to Amend the Corporations Act will take…
Feb 8, 2022
Updated June 17, 2024. On May 17, 2022, the P.E.I. Non-disclosure Agreements Act took effect, significantly restricting the use of…
Jan 25, 2022
More and more people are using smart contracts: the global smart contracts market was valued at USD $145M in 2020; it’s projected to be valued…
Dec 16, 2021
Updated October 7, 2024. The name of the game is to have a plan to mitigate the risk that a data breach will happen – but be ready when it…
Jul 21, 2021
Updated February 9, 2024. It’s now widely accepted: it’s imperative that workplaces be both diverse and inclusive. Perhaps the most oft…
Jun 24, 2021
Many employers use equity compensation plans like employee stock option plans to attract, motivate, and retain talent. One reason stock options…
Mar 26, 2021
Merger and acquisition deals are still happening across all sectors, perhaps at an even higher rate than pre-COVID-19 pandemic, even if the…
Jan 26, 2021
Updated March 4, 2022. Privacy is critical to every business in every sector, including startups and growing businesses: to comply with the…
Dec 2, 2020
Using social media influencers and micro-influencers is an increasingly effective marketing strategy. Social media use is pervasive; 94% of…
Nov 24, 2020
An economic downturn can result in an M&A uptick: there can be more attractive targets on the market, and sellers can be more motivated to…
Nov 19, 2020
We updated this publication on June 30, 2022. NOTE: On June 16, 2022, the Government of Canada introduced Bill C-27: Digital Charter…
Nov 17, 2020
We updated this publication on July 11, 2023. Spurred by the COVID-19 Pandemic and bricks-and-mortar closures, businesses – from SMEs to…
Sep 29, 2020
Updated November 21, 2024. The rapid adoption of ESG (Environment, Social and Governance) principles and the growth of mandatory disclosure…
Aug 12, 2020
This publication has been updated as of May 5, 2021. The ongoing COVID-19 pandemic has led many employees to continue working from home, by…
Jul 6, 2020
On June 26, 2020, the Supreme Court of Canada released Uber Technologies Inc. v. Heller, a much-awaited decision regarding the enforceability of…
Jun 12, 2020
The financial technology (Fintech) industry uses technology to support and enhance financial and banking services.
Mar 17, 2020
Business corporations laws and stock exchange policies mandate that issuers hold annual general meetings (AGM) and set requirements for when and…
Jan 30, 2020
NOTE: The new tax rules for employee stock option plans take effect on July 1, 2021. Learn more at Limited Options: New Employee Stock Option…
Jan 22, 2020
All issuers must comply with both periodic and ongoing securities law corporate governance (and other) disclosure requirements. This can,…
Jun 26, 2019
Information disclosure is a key theme that emerges from Canada’s new cannabis regulatory regime: the government wants lots of information from…
May 21, 2019
Updated July 10, 2024. If you “own” a company incorporated under either the Canada Business Corporations Act or under the corporate…
Mar 28, 2019
Organizations subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – those that collect, use or…
Feb 20, 2019
On February 14, 2019, the Supreme Court of Canada decided yet another criminal law decision that will likely have broader ramifications for…
Dec 19, 2018
On December 13, 2018, the Supreme Court of Canada confirmed that a third party can’t waive a person’s right to privacy or their rights under…
Nov 16, 2018
Companies engaged in the cannabis supply chain are highly regulated by federal and provincial cannabis-specific laws as well as a myriad of…
Aug 20, 2018
Updated July 8, 2024. Every organization subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA, soon to…
Aug 3, 2018
Updated June 28, 2024. As of November 1, 2018, organizations in Canada subject to the Personal Information Protection and Electronic…
Jul 18, 2018
Most businesses – from startups to SMEs to multi-nationals, and from private family-owned businesses to public corporations – will use…
Jul 18, 2018
Updated January 26, 2023. Prince Edward Island corporations were formerly governed by the P.E.I. Companies Act – legislation that was…
Jun 13, 2018
Updated September 26, 2024. Businesspeople (and their legal counsel) are on the road more than ever before: according to Statistics Canada,…
Jun 12, 2018
This publication has been updated as at July 8, 2022. Changes to the Canada Business Corporations Act (CBCA) over the past several years have…
Apr 2, 2018
Equity compensation plans are a valuable and versatile tool for many corporations, from early-stage startups to established blue-chips.…
Jan 12, 2018
Whether a provincial court will grant police a “production order” under the Criminal Code of Canada requiring a non-Canadian company to…
Dec 22, 2017
Blockchain technology has already been a transformative force in a number of sectors. Its most prominent use to date has been as the…
Nov 17, 2017
It’s official: as of October 31, 2017, “facilitation payments” contravene Canada’s Corruption of Foreign Public Officials Act (CFPOA).…
Nov 16, 2017
Corporations are the leading business vehicle in modern commerce. For startups, properly structuring and incorporating is critical to avoid…
Oct 31, 2017
Intellectual Property (IP) can be a valuable asset – even the most valuable asset – of a business. So it’s worth making sure the business…
Aug 16, 2017
In the not-so-distant past, Canadian enforcement of its anti-corruption and anti-bribery legal regime has been relatively laid-back. But the…
Jul 28, 2017
Updated June 10, 2022. The rapid rise in ESG (Environment, Social and Governance) principles has increased focus on workplace diversity and…
Jul 17, 2017
A corporation does not always sail in calm or safe waters. Cash shortages, unattainable or unmet goals, Board disagreements over the best course…
Jul 13, 2017
When growing your business, you face many decisions, including choosing the business structure that is right for you. Your legal team can be…
Jun 28, 2017
On June 28, 2017, the Supreme Court of Canada confirmed a Canadian court can issue an interlocutory injunction (an order requiring an entity or…
Jun 23, 2017
On June 23, 2017, the Supreme Court of Canada decided that in a contest between the choice of forum clause in Facebook’s online terms of use…
Jun 7, 2017
On June 7, 2017, the federal government repealed the regulations that would have brought into effect the sections of Canada’s Anti Spam…
May 11, 2017
The Extractive Sector Transparency Measures Act is one of several anti-bribery and anti-corruption laws aimed at fighting corruption in the…
Apr 20, 2017
On April 13, 2017, Canada’s federal government introduced legislation that, if passed into law, will legalize recreational cannabis in Canada.…
Mar 30, 2017
Social media platforms, like Instagram, Twitter, LinkedIn, YouTube, Facebook and GooglePlus, arguably have more followers and are more closely…
Jan 25, 2017
Doing business with the public sector creates an often overlooked – but very real – risk that the confidential information a business…
Dec 7, 2016
Updated February 7, 2024. We live in a world of change. New ideas and new industries are rapidly developing and the list keeps growing: tidal…
Nov 22, 2016
On November 17, 2016 the Supreme Court of Canada decided a mortgagee has the mortgagor’s implied consent to disclose its discharge statement…
Oct 19, 2016
We updated this publication on January 17, 2023. For many businesses, large and small, their “Intellectual Property” (IP) is one of their…
Oct 19, 2016
Business owners wear many hats – including employer. Your employees may be your business’s greatest asset, but they could also be your…
May 31, 2016
You’re on a tight timeline to issue a press release. You finish your draft and ‘cut & paste’ your standard “forward-looking…
May 10, 2016
This publication has been updated as at April 18, 2022. Access to sufficient capital is always a business issue, from the startup stage right…
Mar 24, 2016
When a business responds to a public sector Request for Proposal or Expression of Interest (both of which we’ll refer to as an RFP for these…
Mar 9, 2016
On January 11, 2016, the Ontario Superior Court of Justice sentenced a front-line supervisor to imprisonment for 3½ years for four counts of…
Jan 27, 2016
On January 21, 2016, the Ontario Superior Court of Justice dramatically expanded the scope of legal privacy protection – and the liability…
Jun 25, 2015
Updated October 4, 2023. Most people know a company itself has occupational health and safety (OHS) obligations and risks corporate liability…
Mar 31, 2015
Updated June 24, 2021. Women make up close to half of the employed workforce: in 2019, Canadian women 15 years and older represented 47.4% of…
Mar 25, 2015
On March 3, 2015 Canada’s Privacy Commissioner determined that Health Canada breached privacy laws by mailing letters to over 40,000 Marihuana…
Mar 6, 2015
On March 5, 2015, the Canadian Radio and Television Commission (the CRTC, the main agency charged with administering and enforcing most of CASL)…
Dec 11, 2014
On December 11, 2014 the Supreme Court of Canada continued its trend to recognize privacy rights – and develop the law to protect them –…
Dec 11, 2014
On January 15, 2015, the software provisions of Canada’s Anti-Spam Legislation (CASL) will take effect. CASL’s anti-spam sections, touted…
Dec 10, 2014
“Corporate Social Responsibility” (CSR) as a concept has been floating around in business-speak for years – but stakeholders in the mining…
Dec 1, 2014
The construction industry - project owners, contractors, subcontractors and trades - might be relaxing, ignoring the hype around Canada’s…
Oct 14, 2014
CASL’s anti-spam sections came into force on July 1, 2014. Every organization that CASL affects should now be complying with it – and their…
Sep 16, 2014
Updated August 25, 2022. Many believe that only public companies or large, established companies with many shareholders need to be concerned…
Aug 1, 2014
Most Canadians have heard about Canada’s Anti-Spam Legislation (CASL): we’ve been bombarded with “CASL Compliant” emails asking us to…
Jun 16, 2014
On June 13, 2014 the Supreme Court of Canada decided that Canadians have a reasonable expectation of privacy in their online activities, and…
Jun 12, 2014
The countdown to CASL is almost over: there are only 13 business days until the anti-spam provisions of CASL – and most of the penalties for…
May 8, 2014
On July 1, 2014 – less than two months from now - the anti-spam sections of Canada’s Anti-Spam Legislation (CASL) take effect. Individuals…
Apr 15, 2014
The countdown to CASL is on: on July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (“CASL”) take effect. Individuals…
Feb 28, 2014
On July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (aka “CASL”) will take effect. CASL is: Broad. It applies…
Feb 28, 2014
On July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (aka “CASL”) take effect. CASL will apply to just about every…
Nov 8, 2013
On November 7, 2013, the Supreme Court of Canda decided police require specific authorization in a search warrant to search the data in a…
Nov 28, 2012
On October 19, 2012 the Supreme Court of Canada (SCC) decided a teacher criminally charged with possession of child pornography and unauthorized…
Subscribe to McInnes Cooper to stay current with our leading insights on legal updates, trends, news, events, and services.