
Privacy and cybersecurity

Administrators and cybersecurity: responsibilities, risks, and incident response

By Élyse Rioux and Dany Guimond-Valcourt

Picture this: your business discovers that a cybersecurity incident has compromised some personal information.

The IT team is mobilized, initial analyses are underway, and questions are starting to pour in. What are your duties as a director?

A cybersecurity incident goes far beyond the technical scope. It is a legal, financial and reputational issue that puts the organization’s governance to the test. Directors and officers must not only support internal and external teams but also demonstrate that they have fulfilled their legal and fiduciary obligations.

Their responsibility is not limited to responding to incidents: it is based on a fiduciary duty, as defined by the Civil Code of Québec (CCQ) and the incorporating acts of corporations, and reinforced by the requirements of the Act respecting the protection of personal information in the private sector (“Private Sector Act”). Loyalty, diligence, prudence and good faith are not just abstract principles—they are concrete obligations that take on their full meaning in the event of an incident.

General Obligations of Directors

Every director of a legal person is vested with a fiduciary duty, pursuant to sections 321 and 322 CCQ. This fiduciary duty is also provided for in the incorporating acts of corporations.[1] More specifically, the fiduciary duty requires the director to demonstrate:

- Loyalty and good faith: The director must act in the best interests of the corporation, with honesty and loyalty, and without conflict of interest.
- Prudence and diligence: The director must take the actions that a reasonable and informed person would take in similar circumstances, particularly in terms of risk management, including data governance and cybersecurity oversight.

Even in the absence of a direct operational role, the director must:

- Actively seek information on the issues and the measures in place;
- Verify the corporation’s compliance with its legal obligations;
- Confirm that mitigation measures are in place;
- Ask the right questions of management and experts;
- Document their interventions and decisions within the board of directors.

Cybersecurity and Fiduciary Duty

The board of directors plays a key role in overseeing risks related to the corporation’s strategy, performance and reputation. Cybersecurity and privacy are no exceptions to this responsibility. Threats evolve rapidly, as do regulatory expectations, which requires directors to update their knowledge and ensure that the corporation adapts its practices accordingly.

Directors who act in an informed manner, by consulting the right experts and documenting their actions, are generally considered to have fulfilled their fiduciary duty.

Specific Obligations in the Event of an Incident | Private Sector Act

Under the Private Sector Act, the corporation, and by extension its directors, is required to implement a diligent and structured response to any incident. The Private Sector Act minimally requires the following actions:

- Assess the risk of serious injury to the persons involved;
- Notify the Commission d’accès à l’information (“CAI”) and the persons involved if such a risk is identified;
- Maintain a register of incidents, even when the incident does not result in a notification;
- Implement corrective measures (administrative or organizational, governance, tactical, operational, physical or technical) to mitigate immediate impacts and avoid similar incidents in the future;
- Adapt security measures as the circumstances of the incident become clearer;
- Document all decisions, communications and actions taken in connection with the incident.

Personal Liability of the Director

In the event of an incident, directors may be held liable on several grounds. Under civil law and the Civil Code of Québec, they may be held personally liable if they have committed a fault, harm has been caused, and a causal link can be established between the two.

Section 93 of the Private Sector Act provides for the possibility of holding directors personally liable for any offence under the Act if they ordered or authorized the act or omission constituting the offence. For example, a director who fails to report a confidentiality incident or to take the security measures necessary to ensure the protection of the personal information may face penal sanctions ranging from $5,000 to $100,000.[2] If the board of directors lacks visibility into the information security program, it is time to address this issue.

It is important to note that liability does not lie in the occurrence of an incident, but in how it was anticipated, managed and documented. Directors may not be held liable if they demonstrate that they acted diligently and ensured that reasonable prevention and response measures were in place.

Possible Defences

Courts recognize that directors are not expected to be infallible. Instead, they assess whether the decision made fell within a range of reasonable options, based on the information available at the time.

To benefit from this protection, directors must demonstrate that they have:

- examined the facts appropriately;
- acted in good faith, in the best interest of the corporation;
- made an informed decision, even if the outcome was unfavourable.

In other words, directors must be able to demonstrate that they have acted with prudence, diligence and loyalty in the best interests of the corporation.[3]

Best Practices to Implement

When a security incident occurs, a director is expected to act diligently, even without a complete picture of the situation. Certain actions ensure rigorous governance and responsible risk management:

  • Assess the incident: Verify whether the incident is ongoing, resolved or officially closed, and ensure that this closure is based on a comprehensive analysis validated by technical and legal experts.
  • Establish a notification frequency: A notification frequency adapted to the nature and scope of the incident must be established to ensure that directors have regular visibility into the actions taken by internal teams and external experts, without encroaching on operations.
  • Ensure post-incident follow-up: Following an incident, directors must monitor progress on the roadmap incorporating the recommendations from the technical experts’ report to ensure the implementation of corrective measures and the prevention of similar incidents, thereby strengthening the organization’s security posture.
  • Ensure traceability: Document the interventions and decisions made within the board of directors, and keep a written record of communications and follow-ups related to the incident.

Proactive Governance = Increased Protection

Proactive governance and informed board involvement not only protect the organization but also reduce the risk of personal liability for directors.

The board of directors’ understanding of the issues and ability to respond effectively in the event of an incident are now essential.

Our Privacy, Technology and Cybersecurity team assists boards of directors with the following:

- Training and awareness for board members;
- Implementation of appropriate governance mechanisms;
- Strategic management of security incidents.

Do not hesitate to contact us to discuss your needs and improve your organization’s resilience.



[1] Business Corporations Act, CQLR, c. S-31.1, s. 119; Canada Business Corporations Act, RSC, c. C-44, s. 122(1).

[2] Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1, s. 91.

[3] Business Corporations Act, CQLR, c. S-31.1, s. 158.
