In a world where generative AI is driving innovation and technology is outpacing legislation, there’s a lot for companies to consider to maintain operational effectiveness and minimize risk. To help provide some guidance, Norton Rose Fulbright Canada hosted its 2023 technology, privacy and cybersecurity virtual summit. Our leading lawyers were joined by prominent industry leaders to discuss and explore the latest developments, challenges and opportunities in the technology, privacy, and cybersecurity landscape.
We’ve prepared a summary of the themes and key takeaways from the summit.
Session 1 – Artificial Intelligence
Part 1 – Fireside chat with Marcus Brown, President of Theia Markerless: A conversation on AI
In the first part of the session, Marcus Brown (President, Theia Markerless) joined Imran Ahmad for a conversation about the history and future of AI, providing advice for CEOs on adapting to the rapidly evolving regulatory environment for AI. Marcus and Imran discussed legal challenges that may arise when implementing AI into a business and how to address those challenges.
Part 2 – Artificial Intelligence: Minimizing legal risk to maximize value
In the second part, Norton Rose Fulbright’s Jesse Beatson is joined by Maya Medeiros, Justine Gauthier (Director, Corporate and Legal Affairs, Mila – Quebec Artificial Intelligence Institute), and Handol Kim (Co-Founder and CEO, Variational AI) for a discussion on minimizing the risk associated with using AI. Handol Kim provided a technical definition of AI and addresses the hype surrounding AI. Justine set out the key legal risks AI poses to organizations and described the evolving regulatory environment, including comparing regulatory approaches among jurisdictions such as Canada, the US, and the UK. Maya explained how businesses can manage the risks associated with AI both during project development and after project deployment.
Session 2 – Regulatory update: What do I need to know about managing my organization’s records?
In Session 2, the panel featuring Andrea L. D’Ambra, Sara A. Levine, and Al Hounsell (moderated by Sarah Nasrullah) discussed the critical aspects of managing an organization’s records from a regulatory perspective. They emphasized that understanding the whereabouts of your data and effectively managing it is not only essential for regulatory compliance but also carries significant legal and cost implications. Clients typically achieve this through data mapping or cataloging, which becomes especially crucial when growing a business or acquiring entities with legacy data.
One of the key takeaways was the importance of knowing where your data resides to comply with data protection and localization laws, facilitating responses to data subject access requests, aiding in legal cases, and assessing potential data breaches. The discussion highlighted the need to retain data only for as long as necessary, factoring in legal and business requirements. Specific retention periods were mentioned, varying by jurisdiction, and the panel emphasized the need to destroy or anonymize data after these periods or upon an individual’s request, subject to limited exceptions.
Additionally, the panel cautioned against blindly adopting industry or generally accepted best practices and stressed the importance of tailoring retention policies to an organization’s specific needs. The session concluded with practical strategies for implementing and updating records retention policies, including gathering key stakeholders, establishing first principles, conducting information audits, and finalizing retention schedules.
Session 3 – Compliance in practice: How companies are adapting to new privacy requirements (in French)
The panel discussed new legislative additions to protecting personal information in Quebec and protecting personal information globally. The discussion focused on Bill 25, which adapts and modernizes the regulatory framework protecting personal information to the new challenges created by advances in the digital and technological environment. While some changes came into force in September 2022, new requirements were recently implemented in September 2023. More will come in September of next year. Of note, this bill creates new rights for individuals, imposes new obligations for businesses, and allows hefty sanctions for infractions.
The panel also discussed the practical implementation by companies of plans to comply with personal information protection laws. Companies should update policies and procedures, document new procedures and the process for their implementation, familiarize all parties with new practices, and continue to review practices as laws and regulations evolve. Lastly, companies should ensure their policies and procedures comply with requirements for sharing personal information with third parties and that partners also respect their obligations.
Session 4 – Effectively managing cybersecurity risks: How boards of directors can prepare and respond to cybersecurity incidents
In this session, Imran Ahmad is joined by Olga Farman, John Cassell, and Marc Lafrance (VP Technological Risks, Caisse de dépôt et placement du Québec) for a discussion about the role of boards of directors in managing cybersecurity risks. The panel discussed a board’s role in preventing and managing cybersecurity risk, as well as its role in responding to cybersecurity incidents.
For cybersecurity risk prevention, the panel discussed the importance of board members being sufficiently educated to make informed decisions on any associated risk. Apart from board governance, boards can also mitigate cybersecurity risks at an operational level through management oversight and ensuring preparation in advance of a cyber incident. John Cassell recommended that boards oversee risk by implementing a cyber incident response plan. Olga emphasized the importance of clear and transparent communication between the board and all stakeholders about cybersecurity risks.
Once a cyber breach has occurred, boards of directors’ roles may vary according to the level of involvement a particular board wishes to have in a cyber incident. Marc recommended that boards prepare for incidents by using playbooks to determine when board involvement is needed.
In general, to effectively mitigate cyber risks, boards should make sure they are prepared, educated on potential and actual risks, and communicate clearly.
As always our sessions are available on demand
• Watch on demand: 2023 Technology privacy and cybersecurity summit
• Presentation materials and resources are available for download within each session
English and French closed captions are available on all sessions.
The authors wish to thank Julia Kafato and Emma March articling students for their assistance in preparing this update.