In the online environment of 2019, cybersecurity experts say, businesses that handle personal information need to understand that a data breach is a matter of when, not if, and that protecting themselves from liability means planning on that basis.
In 2017, attackers broke into Equifax Inc. and accessed the names, addresses, Social Security and Social Insurance numbers and other personal information of 143 million people, including about 19,000 Canadians. On April 9, the Office of the Privacy Commissioner released its report on the incident. The OPC’s findings indicate an intention to push Canada’s privacy regime toward stricter consent requirements and provide a cautionary tale to organizations that handle Canadians’ personal data, say privacy lawyers.
Equifax Inc. and its Canadian subsidiary, Equifax Canada, were responsible for inadequate security, holding information too long, a lack of accountability and weak protection measures offered to those affected after the breach, according to the OPC.
Canadians were caught up in the breach because Equifax Canada sent Canadians’ credit-monitoring and fraud-alert requests to its U.S.-based parent, the credit-reporting and data-analytics company Equifax Inc., for processing. This led the OPC to recommend that, despite its previous guidance to the contrary, an organization handling the personal data of Canadians needs consent from everyone whose data it holds before that data is sent outside of Canada.
OPC communications advisor Corey Larocque says that, during the OPC’s investigation into Equifax, “several complainants” said they were surprised their information had been sent to the U.S., so the OPC examined its trans-border data-transfer policy under the Personal Information Protection and Electronic Documents Act. The OPC initiated a consultation period that was supposed to run until June 4. However, on May 31, Canadian Lawyer reported that the OPC had suspended the consultation.
Lisa Lifshitz is a partner at Torkin Manes LLP whose practice focuses on information technology and business law. She says it appears the OPC is reinterpreting PIPEDA to keep it from falling behind the European Union’s General Data Protection Regulation. If PIPEDA is not in line with the GDPR, seen around the world as the gold-standard data-protection regime, the EU may impose additional obligations on European data coming into Canada, which would be a headache for businesses, she says.
But if PIPEDA is going to be made stricter, it must happen through an amendment to the act via Parliament, Lifshitz says, adding that the OPC risks going beyond interpreting the law to making the law.
“My issue is that they’re trying to do what Parliament’s not doing. They sense a lack, so they’re trying to fix it,” she says. But “how far can they really go before they start to essentially create something that’s not there?”
The findings on cross-border data transfers reverse 10 years’ worth of the OPC’s public guidance, says Bernice Karn, a partner at Cassels Brock & Blackwell LLP. Under the OPC’s previous guidance, a company could send a Canadian’s personal information outside of Canada for processing as long as the appropriate protections were in place, she says.
“That’s huge,” she says. “I just think that’s going to throw the whole of outsourcing into disarray. . . . I can’t really think of a situation nowadays where organizations process their own data.”
She says that a requirement to give consent to processing is not likely to “have much of an effect on whether or not a data breach is going to affect that information in the hands of the processor.”
Larocque says the OPC’s change in position came through the Equifax investigation, where it “became apparent” that the opinion that a transfer of personal information between organizations was not a “disclosure” — which Lifshitz says was the position of previous OPC guidance — was “likely not correct as a matter of law.”
“In other words, our view is that PIPEDA — as the law is currently written — requires consent for such disclosures,” says Larocque.
Pop-up notifications asking for cookie-use consent have become common on website home pages, and Imran Ahmad, a partner at Blake Cassels & Graydon LLP, says they could be coming for trans-border data transfers. This will create the operational challenge of segregating data where there is no consent for crossing the border from data where there is.
Ahmad says the Equifax findings show that the OPC is becoming “very specific” and technical in its expectations, while previously allowing organizations to identify industry best practices to establish standards and certifications. As to what to tell clients about their data, Ahmad says, the interpretation by the OPC remains in force until it is officially revised. He says he expects the private sector to pepper the OPC with submissions during the consultation period, detailing the difficulty of implementing these consent requirements.
“This is just a revisit to get comments in; it is not the official position just yet,” he says. “. . . You don’t need to move to the consent model just right away. Put it on your radar. It may be coming down the pipe.
“And I always remind folks, the regulator’s position is their interpretation of the law; it is not binding necessarily,” he says. “And if we have a different view on it, certainly we can voice that view, because the law hasn’t changed. PIPEDA remains the same.”
Larocque says the government recognizes Canada’s privacy regime needs an update and a conversation about legislative reform “may touch on the issue of trans-border data flows.”
But apart from cross-border data transfers, Equifax made several “classic errors,” says Lifshitz: too few resources devoted to data security, no adequate internal process for acting on vulnerability notifications, data retained for too long and no single point person with authority over data-security processes. Like many organizations, Equifax had a good “paper policy” rather than a living set of practices and standards familiar to everyone in the organization from top to bottom.
“Clients can have wonderful [policy on paper], but there really need to be resources devoted [to] making sure these things are living, breathable, reflect the reality and are actually implemented. Training is critical, too,” Lifshitz says.
Another key detail from the Equifax findings, Lifshitz says, is that the OPC found it inappropriate for Equifax to rely on a third-party audit. An outside auditor had given the company a clean bill of health, but its own internal audits had turned up multiple security deficiencies. The OPC said Equifax should not have leaned on the outside auditor’s certification when it knew it was vulnerable.
“There’s an additional step required. If you are privy to additional information [that] would cast doubt on that audit, then you still have legal obligations to take additional steps to correct the deficiencies,” she says.
Ronald Toledano is a partner at Spiegel Sohmer in Montreal whose practice focuses on intellectual property, corporate and commercial law and includes advising clients on their legal responsibilities when they suffer a data breach.
Toledano’s post-breach game plan: notify anyone whose personal information was accessed; investigate, contain and mitigate the damage with an IT forensics team; manage the public-relations side to limit reputational harm; notify the privacy commissioner; and document every one of these steps and everyone involved, keeping those records for 24 months.
“Then let’s move forward and see how we can go and mitigate potential future breaches. Because the cyberattacks aren’t going to stop,” he says.
Toledano deals mostly with clients in IT and pharma. The privacy commissioner pays the closest attention to organizations that handle citizens’ health records, but he says organizations are often reluctant to put pre-breach protection measures in place. Toledano recommends that his clients hire a privacy officer, someone who conducts audits, serves as the first point of contact when a breach occurs and liaises with the privacy commissioner and other government agencies. It is a tough sell, since companies tend not to want to hire anyone unless it is essential.
“It’s very challenging to go and get their buy-in on it before they’ve actually had the breach. Once they have the breach, they’re all buying in,” he says.
Since Nov. 1, 2018, private-sector organizations hit with a breach have faced strict reporting requirements. If the breach poses a real risk of significant harm to those whose data is compromised (the ROSH test), all affected individuals and the Office of the Privacy Commissioner must be notified. But the same 2015 amendments to PIPEDA, says Ahmad, also require organizations to keep a record of every cyber-incident or breach of security safeguards that occurs within the organization, even one that does not meet the ROSH threshold. That can include an employee who lost a laptop holding encrypted data and found it soon after, says Ahmad.
“But you need to now, in a ledger, keep a record of that incident for a period of two years. And the regulator can literally knock on your door and say, ‘Can I see your register, please?’ And you have to basically present it to them; it’s a real compliance requirement and potentially there are fines for non-compliance if you don’t,” he says.
In his practice, Ahmad is now seeing more proactivity from data-holding organizations. Where organizations traditionally focused on cyber-incident response, in the past 18 months he has seen time and money spent on designing a comprehensive pre-breach plan. A data inventory is key, he says, because knowing where data is kept, how it is kept and what kind of data it is will be essential when a breach occurs. A pre-breach plan also covers vendor management and proper vetting of any third party with which the organization shares data, because under Canadian and other privacy laws around the world the organization remains on the hook if the breach happens at the vendor. Ahmad’s clients are revising contracts to require third parties to notify them within 24 hours, to co-operate in the investigation and to agree to an indemnity if a breach occurs. The work of breach coaches, lawyers who guide organizations through a data breach when it occurs, is increasingly being done before the problem arises, which makes the problem less serious when it happens, he says.
It also ensures that “that response is much more effective because we’ve invested time on the front end and significantly reduced our costs,” he says.
The less data an organization stores, the less serious a security breach will be, says Susan Wortzman, a partner at McCarthy Tétrault LLP in Toronto. She founded Wortzmans, a law firm specializing in the management of digital information; McCarthy Tétrault acquired it in 2016 and it is now called MT>3. Wortzman is now the firm’s go-to on e-discovery and information management.
Wortzman says a key to protecting against data breaches is the same advice she used to give clients who were hiring her to handle their e-discovery and wanted to reduce their costs — better data governance and stop hoarding.
“Stop keeping everything forever,” she says. “Everybody thinks they need to keep all this information forever. All it’s really doing is creating this huge risk.
“Most of our clients are sitting on . . . between 15 and 30 copies of every email [and] every document. . . . If you just did better data governance and you got rid of all of that, you can be getting rid of 70 per cent of your data,” she says. “[Clients say,] ‘This was so important. I worked on this transaction — it was two years of my life. There’s no way I’m getting rid of all these records relating to this deal.’ And 10 years later, they’ve still got some PST file stashed away with all this data that they’re never going to look at again. . . . It’s definitely the hoarder mentality.”