The privacy regulatory landscape in Canada is changing—quickly. Gone are the days when a privacy regulatory change would be introduced and there would then be two years of industry collaboration followed by a lengthy transition period for businesses to fall in line. Although some of the newly enacted Canadian Digital Privacy Act (DPA) amendments bring welcome changes and clarity to the law (for instance, business transactions and consent exceptions), others such as valid consent and breach notification are sure to present risks and challenges for many organisations. 

Across a rapidly changing security landscape where data privacy is increasingly challenged by accelerating cybersecurity risk, businesses, regulators, and consumers alike are trying to stay ahead of the curve through innovation and technology. Businesses are increasingly challenged both to follow the current trends and to be ready for regulatory changes before they are finalised, in order to avoid the ensuing liability risks. It is recommended that organisations examine and adjust their own practices in advance of these regulatory changes, or face a probable struggle to meet compliance requirements.

Insurance regulators are subject to the oversight of the International Association of Insurance Supervisors, which is looking more closely at regulator practices. In turn, regulators are increasing their oversight of business. Businesses need to be proactive in responding to the changes taking place in Canada and internationally, including ensuring they have appropriate cyber-risk insurance coverage. 

Privacy and data breaches, and cyber breaches in particular, are a growing problem. Organisations need to understand their potential liability risks and develop a comprehensive plan to respond to the problem. More class actions can be expected in the coming years that target the corporation (not the individual). Beware the multipliers (modest damages x lots of claimants = $$$$$). With the increased burden placed on key employees to keep up with the regular demands of day-to-day business, the need to bring in outside expertise is increasing. (1)

Cyber-risk is any risk of damage, loss, or liability to an organisation resulting from a failure or breach of the organisation’s information technology systems. Levels of cybersecurity liability cases that are starting to hit organisations in the courts include the following:

  • Loser – portable device (phone, laptop, etc.) is lost or stolen; often no evidence that Personal Information is actually accessed or abused
  • Snooper – Personal Information accessed out of curiosity; improper access but often not disclosed; may target colleagues or clients
  • Harvester – web-based companies collate and analyze client data; seek to monetize the Personal Information; class actions focusing on adequacy of “consent”
  • Fraudster/Hacker – employee or third-party hacker illegally uses Personal Information
  • Predator – jilted boyfriend posts porn; staff member nefariously films patients; etc. (2)

The DPA makes extensive revisions to the Personal Information Protection and Electronic Documents Act (PIPEDA), and its passage, together with its pending breach notification and recordkeeping provisions, makes clear that Canada has ushered in a new era of privacy law. 

Included in this new era are the recent changes to the Canadian Anti-Spam Legislation (CASL). The next phase of CASL is the Private Right of Action, which will come into force on July 1, 2017. In order to mitigate their risks, organisations are well-advised to have a Compliance Program documented and implemented by July 1, 2017. Once a Private Right of Action is commenced, the CRTC can no longer step in to reduce the monetary impact to organisations. While the liability can be $200 for each breach per day, organisations sending out large numbers of targeted e-mails each day could have far higher liability, above and beyond any compensatory damages. Further, if implicated in the breach, officers, directors, and agents of the organisation can be jointly and severally liable for contraventions even if the business that committed the acts is not sued. (3)

Organisations need to make this a top concern with their Boards of Directors and Senior Management, have a plan in place, and ensure they deal with breaches promptly when they occur. Boards of Directors and Senior Management should do the following:

  • Understand and approach cybersecurity as an enterprise-wide risk management issue, not just an information technology (IT) issue 
  • Understand the legal implications of cyber-risks as they relate to their company’s specific circumstances 
  • Have adequate access to cybersecurity expertise
  • Give regular and adequate time to discussions about cyber-risk management on board meeting agendas 
  • Set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budgeting 
  • Ensure management identifies which risks to avoid, accept, mitigate, or transfer through insurance, and has specific plans associated with each approach. (4)

Organisations subject to Canadian privacy law would be well-advised to take steps now to ensure they are, and will remain, compliant with the new rules. The Office of the Privacy Commissioner of Canada (OPC) Consultation paper offers guidelines for preparedness.

For more information on what you can do to be prepared, email 4Cast Services Inc. at info@4CastServices.com or call us at (905) 691-7335.

Sources:

  1. Privacy Law Developments Across Canada, October 25, 2016, BLG Presentation for the IBC Regulatory Affairs Symposium by Patrick J. Hawkins.
  2. Privacy Law Developments Across Canada, October 25, 2016, BLG Presentation for the IBC Regulatory Affairs Symposium by Patrick J. Hawkins.
  3. Are You Ready for CASL’s Private Right of Action?, last updated February 1, 2017, article by Sharon E. Groom, Lyndsay A. Wasser, Jamieson D. Virgin, Rohan Hill and Mitch Koczerginski, McMillan LLP.
  4. Cyber-Risk Oversight Executive Summary, Director’s Handbook Series 2014 Edition, published by the U.S. National Association of Corporate Directors.