With multiple infamous instances of law firm data breaches over the last few years, implementing security measures to protect electronically stored information has been a hot topic.
Recent government action reiterates the importance of robust data protection. The federal government recently proposed the Breach of Security Safeguards Regulations, which would trigger the Personal Information Protection and Electronic Documents Act's mandatory notice and record-keeping requirements. Though consequences of contravening PIPEDA can be severe, small firms are not excluded from obligations imposed under the legislation.
PIPEDA applies to the collection, use or disclosure of personal information by every organization in the course of a commercial activity. It attempts to balance privacy rights of individuals with the needs of businesses to use or share information.
While PIPEDA has been around since 2000, reporting data breaches has been voluntary up until the passing of the Digital Privacy Act in 2015. In fact, in response to recommendations in 2006 to create a system of breach notification, the Office of the Privacy Commissioner took the position that it should be up to the breached organization to voluntarily notify affected individuals and the privacy commissioner. In 2011, the second five-year review of PIPEDA again recommended mandatory notification obligations to no avail. The Digital Privacy Act finally succeeded in incorporating into PIPEDA mandatory notice and record-keeping requirements for data breaches.
The provisions of PIPEDA to come into force include the following procedures in the event of a data breach:
- The organization must conduct a risk assessment to determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach. The assessment must consider the sensitivity of the information involved and the probability that the information will be misused;
- When the organization considers that a breach is posing a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada;
- The organization must notify any other organization that may be able to mitigate harm to affected individuals; and
- The organization must maintain a record of any data breach that the organization becomes aware of and provide it to the commissioner upon request.
These provisions will come into effect when regulations outlining specific requirements are passed. The federal government has proposed such regulations — the proposed Breach of Security Safeguard Regulations, which outline the content, form and manner of reporting and record-keeping for each instance of a breach of security safeguards. PIPEDA defines breach of security safeguards as "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards . . . or from a failure to establish those safeguards."
The impact on small firms and their clients is potentially substantial. Contravention of PIPEDA results in fines of up to $10,000 for a summary offence and up to $100,000 for an indictable offence.
Updating law firm security measures
Given that law firms are in a particularly vulnerable position due to the vast amount of sensitive information they hold and the outdated or lax security measures taken by many lawyers, the proposed regulations should be a final wake-up call to revisit security measures to ensure that they properly protect personal information.
Some common and cost-effective measures that small firms can take include:
- use two-factor authentication for all accounts that offer such a feature (and those that do not should be scrutinized carefully before adopting such services);
- ensure all software is up to date;
- use a password manager and generator;
- any portable media, such as hard drives or USB keys, should be encrypted; and
- ensure procedures for storing, securing and destroying personal information are in place and ensure that staff are well trained in these procedures.
The mandatory reporting requirements and associated regulations have not come into force yet, though they will be a fact sooner rather than later. As such, now is a great opportunity for your firm to audit its security measures, as well as update policies and procedures to comply with upcoming legislative changes.