Privacy and cybersecurity
Cybersecurity: What You Don’t Know Might Come at a High Price
1. Cybersecurity Incident Without Privacy Breach: What Now?
A cybersecurity incident without personal data exposure may seem less concerning at first glance. However, in several sectors—including government, military, technology and industrial—legal and contractual risks remain very real.
Even in the absence of personal data, the incident may have compromised:
- confidentiality agreements (NDAs) with partners or suppliers;
- contractual clauses requiring the protection of sensitive information;
- protected prototypes, algorithms or technical data;
- information subject to export controls;
- confidential client or government data.
These elements may result in a breach of your contractual obligations and could even lead to significant regulatory consequences. It is essential to:
- Review your contracts: many carry a notification obligation in the event of an incident, without distinguishing between a security incident and a privacy breach, so the absence of personal data does not relieve you of the duty to notify.
- Comply with industry requirements: in fields such as defence, aerospace or critical technology sectors, a breach could lead to contract termination or loss of certifications.
- Verify government obligations: if the compromised information is classified or protected, you may need to notify the Treasury Board Secretariat or other authorities of competent jurisdiction.
- Preserve the business relationship: even without an explicit legal obligation, failing to inform a client of the potential exposure of their confidential data can undermine trust and open the door to claims.
Ultimately, the absence of personal data does not eliminate the risks or the need for action. A rigorous legal analysis remains essential.
2. Ransomware: The Illusion of Control
A ransomware attack occurred. Your data was encrypted, but you were ready. You restored your backups, relaunched your operations and reassured your clients. No external chatter. No visible damage. You did not pay the ransom. Mission accomplished? Not quite.
In the turmoil of a cybersecurity incident, it is tempting to measure success by the speed of recovery. However, legal compliance does not always follow the same pace as operational recovery.
A ransomware attack is rarely just an outage. The encryption is usually the last stage of an intrusion during which the attacker already had access to your systems, and therefore to your data, for some time. Many ransomware groups exfiltrate data before encrypting it and use the threat of publication as additional leverage. Even if you have regained control, a malicious actor may have accessed personal information (clients, employees, partners) without leaving visible traces, and a clean restore from backups says nothing about what was read or copied beforehand. Only a forensic review of the intrusion (authentication and access logs, endpoint telemetry, outbound network traffic) can establish what was actually exposed.
Your Obligations Do Not Disappear With the Threat
In Canada, privacy laws impose clear obligations as soon as there is a real risk of significant harm (under PIPEDA) or a risk of serious injury (under Quebec law) to the persons concerned. This means that even in the absence of a complaint or evidence of malicious use, you may have to:
- notify the competent authorities (the Commission d'accès à l'information (CAI) in Quebec and the Office of the Privacy Commissioner of Canada);
- send a structured and compliant notification to the persons concerned;
- maintain a detailed record of the incident, ready for consultation in the event of an investigation.
Why take action when everything appears to be under control?
- Preserve your insurance coverage: failure to report the incident could be interpreted as negligence, especially if an unresolved flaw is exploited again.
- Avoid sanctions: post-incident management is coming under growing regulatory scrutiny, and failure to notify the persons concerned may result in fines or remedial orders.
- Build trust: a well-executed notification, accompanied by concrete actions, can become a lever for credibility rather than an admission of weakness.
In cybersecurity, the success of a well-managed incident is not measured in hours of recovery, but in terms of a strategic response.
Need legal support in the event of a security or confidentiality incident?
We assist you every step of the way: assessment, notification, documentation, post-mortem, communication and relationship with the insurer.

