Cybersecurity & Privacy
Two teams. One point of contact.
Legal counsel and technical response — coordinated under privilege.
Breach response, privacy counsel, OCAP-aligned data governance, and PHIA / PIPEDA compliance for organizations operating across Canada's overlapping privacy regimes.
72h: breach window
3: overlapping regimes
LLM: Privacy & Cyber Law
01 Incident response
Legal counsel and technical response — working together.
How it works
We provide the legal counsel — breach notification obligations, regulatory communications, privilege protection, and coordinating with insurers. The cybersecurity firm we work with handles technical forensics, containment, remediation, and system recovery. One point of contact for you. Two teams working in lockstep.
01 Breach notification counsel
Mandatory notification obligations under PHIA, PIPEDA, and the federal Privacy Act — with timelines as short as 72 hours. We ensure you meet every deadline across every applicable regime.
02 Regulatory communications
Drafting and managing communications with the Office of the Privacy Commissioner, provincial regulators, and affected individuals — protecting your legal position throughout.
03 Privilege protection
Structuring the incident response to preserve solicitor-client privilege over forensic reports and internal assessments — critical for any subsequent litigation or regulatory action.
04 Technical forensics coordination
The cybersecurity firm we work with conducts the technical investigation — identifying the attack vector, containing the breach, preserving evidence, and restoring operations.
05 Insurance coordination
Working with your cyber insurance carrier on coverage, claim documentation, and the intersection between legal obligations and policy requirements.
06 Incident response planning
Before an incident happens — we help you build a response plan, establish counsel-on-call arrangements, and prepare notification templates so you're ready when it matters.
The first 72 hours after a breach are legally critical. Certain communications made without legal guidance can waive privilege or complicate your regulatory position.
02 Privacy counsel
Data governance, compliance, and sovereignty.
01 Information sharing agreements
Negotiation, drafting, and review of ISAs between health authorities and provincial bodies, research institutions, and technology vendors. OCAP-aligned as standard for First Nations organizations.
02 Data sovereignty frameworks
Governance policy development grounded in OCAP principles — ownership, control, access, and possession — for First Nations health authorities and organizations.
03 Vendor & technology contracts
EHR contracts, cloud service agreements, US CLOUD Act exposure analysis, SaaS data residency clauses, and AI tool adoption frameworks.
04 PHIA & PIPEDA compliance
Trustee obligations, mandatory breach notification, consent frameworks, and navigating the jurisdictional patchwork between provincial and federal privacy regimes.
03 The legal regime
What law applies — and where the gaps are.
Manitoba PHIA (health information)
PHIA governs personal health information held by trustees in Manitoba. Breach notification under s.19.0.1 has specific timelines and requirements.
PIPEDA (federal private sector)
Canada's federal private-sector privacy law includes mandatory breach reporting to the Privacy Commissioner and affected individuals. Manitoba's PHIA has not been declared substantially similar, creating a residual federal layer.
Federal Privacy Act (government institutions)
Applies to federal government institutions and federally funded programs. Creates a third notification pathway for breaches involving federal health or social services data.
OCAP® (principles, not statute)
OCAP (Ownership, Control, Access, Possession) is a framework of the First Nations Information Governance Centre. It operates through contracts and governance agreements — not legislation — but carries significant force when properly implemented.
Breach notification (three overlapping regimes)
A breach at an organization operating across jurisdictions may trigger obligations under PHIA, PIPEDA, and the federal Privacy Act simultaneously. We advise on all three.
04 Our process
How a cybersecurity engagement works.
01 Immediate intake
Contact us. We assess the situation, establish privilege, and — if needed — engage our cybersecurity partner for immediate technical response.
02 Containment & investigation
The technical team contains the breach and begins forensic investigation. We manage the legal side — notification timelines, privilege, regulatory obligations.
03 Notification & compliance
We draft and deliver breach notifications to regulators and affected individuals across every applicable regime — on time and defensibly documented.
04 Remediation & recovery
Technical remediation, system recovery, and lessons-learned documentation. We help you build or update your incident response plan for next time.
05 Ongoing governance
Post-incident privacy counsel — updated policies, vendor reviews, and retainer-based support as your systems and obligations evolve.
05 Common questions
Cybersecurity & privacy questions.
We've had a cybersecurity incident. What do we do first?
Contact us immediately. The first 24–72 hours are legally critical — breach notification timelines are short, and certain communications made without legal guidance can waive privilege or complicate your regulatory position. We'll coordinate both the legal and technical response.
Do you do the technical forensics yourselves?
No — and that's by design. We provide the legal counsel; the cybersecurity firm we work with handles the technical investigation, containment, and remediation. This separation preserves privilege and ensures you get dedicated expertise on both sides.
We haven't been breached. Should we still talk to you?
Yes. Pre-incident planning is significantly cheaper and more effective than post-incident scrambling. We help organizations build incident response plans, review vendor contracts, and establish counsel-on-call arrangements before anything goes wrong.
Our EHR vendor is US-based. What does that mean for our data?
A US-based vendor creates exposure under the US CLOUD Act, which allows US law enforcement to compel a US company to disclose data in its possession, custody, or control regardless of where in the world that data is stored. We assess this risk at contract review and advise on data residency clauses and alternatives.
What is the Osgoode Certificate and why does it matter?
The Osgoode Certificate in Privacy and Cybersecurity Law is a professional credential from Osgoode Hall Law School at York University. David H. Davis holds this credential, supporting a practice that combines formal privacy and cybersecurity law training with practical incident response experience.
Work with us
Your cybersecurity posture starts with a conversation.
Tell us what happened — or what you want to prevent. We'll give you an honest assessment of your legal exposure and a clear path forward.
Book a consultation