Organizations today face an evolving and increasingly complex landscape of legal obligations at the intersection of privacy, cybersecurity, and digital operations. Our Privacy and Cybersecurity Law practice provides comprehensive advisory services across the full spectrum of these challenges: from proactive compliance and governance to crisis response and regulatory engagement.

We advise clients of all sizes: from small and medium enterprises to large multinational corporations, public sector bodies, and critical infrastructure operators, across a broad range of industries including financial services, healthcare, energy, technology, retail, and telecommunications. Our counsel spans Canadian federal and provincial privacy law, including Quebec’s Act respecting the protection of personal information in the private sector (Law 25), PIPEDA and its successor framework, as well as the EU General Data Protection Regulation (GDPR) and applicable U.S. state and federal privacy regimes, recognizing that organizations operating in Quebec may nonetheless be subject to extraterritorial obligations.

We provide strategic and operational counsel on data governance, privacy program development, and cybersecurity risk management. Our team assists clients in embedding privacy-by-design and security-by-design principles into their operations, advising on data collection and retention practices, cross-border data transfers, cloud services, data localization requirements, and regulatory readiness. We also counsel clients on third-party and supply chain risk, supporting organizations in assessing and managing the legal exposure arising from their vendor and technology ecosystems.

Our practice encompasses the full incident response lifecycle: from pre-incident preparedness and ransomware readiness planning to leading the investigation, containment, and remediation of complex cybersecurity incidents. We act as breach counsel, coordinating forensic experts, insurers, communications advisors, regulators, and law enforcement to ensure a structured and legally defensible response. We advise on breach notification obligations, regulatory reporting requirements, and the legal consequences of incidents across multiple jurisdictions, and are available to our clients on a 24/7/365 basis.

We are also active at the intersection of cybersecurity and insurance: advising organizations, insurers, and brokers on cyber risk posture, underwriting questionnaires, and coverage evaluation in both pre-incident and claims contexts. Our team brings particular expertise in Quebec’s distinct regulatory environment, including bilingual French and English mandates.

Minimizing legal exposure, financial loss, and reputational damage for our clients is our highest priority. Our counsel is direct, operationally grounded, and calibrated to the realities of business in an era of rapidly escalating cyber risk.

Specialty: Tabletop Exercises & Incident Preparedness

Effective incident response begins long before an incident occurs. We design and facilitate tabletop exercises and simulation-based preparedness programs for boards, senior leadership, and operational teams, stress-testing response protocols, identifying organizational blind spots, and building the decision-making reflexes that matter most in the critical first hours of a crisis. Our exercises are grounded in real incident experience and calibrated to the specific regulatory, operational, and reputational exposure of each organization. We help clients move from theoretical frameworks to practiced, defensible readiness, and ensure that governance structures, communication chains, and legal obligations are understood and operational before they are needed.

• Proactive incident response planning and tabletop exercises
• Tabletop exercises for boards, senior leadership, and operational teams
• Scenario-based simulation design grounded in real incident experience
• Protocol testing: communication chains, regulatory obligations, decision authority
• Identification of organizational blind spots and governance gaps
• Ransomware readiness and business continuity planning
• Post-exercise reporting and remediation roadmaps

Specialty: Privacy & Access to Information in Health

The intersection of privacy law and healthcare in Quebec presents some of the most technically demanding compliance challenges facing organizations today. Our team advises hospitals, healthcare providers, and private companies operating in the health sector on all aspects of federal and provincial privacy and access to information legislation as it applies to health data.

Since July, 2024, Quebec’s Act respecting health and social services information (Law 5) governs the protection and sharing of health data in the province, establishing a framework for the unified digital health record (DSN) and prohibiting the commercialization of health data. Our team advises clients on compliance with this framework alongside the broader obligations arising under Law 25, federal privacy legislation, and sectoral standards.

We work alongside hospitals, private health service providers, and technology companies operating in the health sector to embed privacy-by-design into their operations, assess data governance practices, and navigate access to information requests. Our counsel covers sensitive health data, and the legal particularities of emerging technologies including AI-assisted diagnostics and digital health tools, in the clinical and administrative context.

We regularly represent organizations before the Commission d’accès à l’information and advise on proceedings before the Federal Court in respect of access to information decisions. Our team’s deep familiarity with health sector operations allows us to deliver counsel that is both legally rigorous and operationally grounded.

Specialty: Access to Information

Organizations subject to access to information requests: whether under Quebec’s Act respecting Access to Documents held by Public Bodies and the Protection of Personal Information, the federal Access to Information Act, or sector-specific regimes, face complex procedural and strategic obligations that require experienced counsel.

We advise public bodies, enterprises, and organizations at every stage of the access to information process, from initial request assessment and response strategy through to representation before the Commission d’accès à l’information and judicial review proceedings before the Federal Court. Our counsel focuses on identifying and asserting applicable restrictions, including the protection of industrial and financial information, trade secrets, personal information, and other legally protected categories, while ensuring that responses are defensible, timely, and consistent with applicable obligations. We are familiar with the specificities of most major industries, including health, energy, technology, financial services, and pharmaceuticals.