Cybersecurity Preparedness: It’s Time to Modernize Your Privacy Policies

Jeff AplinJune 1, 2021

Share This Article

As companies rely more and more on technology, cybersecurity is front and center for business leaders and executives. Organizations that are partnered with or operate in Canada need to be aware of the ever-changing rules and laws around cybersecurity, which poses its own challenges.

According to business law firm McMillian, data protection and cybersecurity are governed by a complex legal and regulatory framework. Failure to understand the laws and reduce your business risks have serious financial and legal consequences. In 2020, Canada’s average cost of cyber breaches increased 6.7% from 2019, a whopping total of $6.35 million.

David Aplin Group hosted an online webinar this year titled Crisis Management, IT Disruptions and Business Continuity: The Big Picture, partnered and panelled by thought leaders from Dentons LLP and Everbridge. The first half of the webinar delivered cybersecurity legal insights from Kelly Osaka, Litigation & Privacy Lawyer at Dentons LLP. This blog will focus on Kelly’s overview of the legal framework, the recommendations provided on how to handle a breach, and how to minimize future cybersecurity threats.

Canada’s Regulatory Structure

All provinces in Canada have legislation governing the protection of data collected by companies. Let’s take a look at the privacy act and enforcement regulators.

Regulation

The federal statute Personal Information Protection and Electronic Documents Acts (PIPEDA) covers the privacy obligations of private companies. This applies to businesses collecting, using or disclosing personal information, including identifiable data (names, age, SIN numbers, addresses, etc.).
There are three provinces in Canada with their own provincial privacy legislation, including Alberta, British Columbia, and Québec. However, their legislations are very similar to PIPEDA.

Enforcement

The enforcement regulator in Canada is The Office of Privacy Commissioner (OPC) which investigates any complaints made by individuals. Enforcement includes public interest disclosure, compliance agreements and reporting offences. The OPC has the authority to audit businesses and their privacy policies, and practices, and initiate an investigation, although they do not have the power to impose penalties.

Responding to a cybersecurity incident

Cybersecurity breaches can include rouge employees accessing confidential information and third-party scammers accessing systems. And in some cases, employees inadvertently release information outside the company accidentally. To protect your company from future cyber-attacks, understanding how and when the breach occurred and what the potential damages are, is critically important.

Privilege

Most companies use a third-party cybersecurity consulting firm to draft a forensic report of the breach to figure out what happened and scope out the severity of the breach. That report could be requested by a regulator if your company is under investigation, so it is imperative that you are able to provide proof of the actions taken to investigate the breach itself and determine what went wrong. Companies also have to consider whether or not a claim of privilege is an option to protect reports and documents from public disclosure.

Litigation Risk

In Canada, there has been an increased number of privacy breach class-action lawsuits filed. These cases involve:

Third-party hackers
Use without consent
Vicarious liability
Employees innocent loss of data/intentional misconduct

Does a breach need to be reported?

Before you report a cyber breach to the OPC, your company must consider the sensitivity of the information involved (Email addresses vs. SIN numbers) and the probability that the information has, is being, or will be misused. PIPEDA requires companies (subject to) to report breaches to the OPC if the circumstances of the breach create a real risk of harm to an individual. Harm can include loss of employment, affect credit scores, or identity theft.

Mandatory Breach Notification

Companies are required to notify individuals of any data breach that involves their personal information if the breach creates a real risk of harm. If the violation meets the criteria of causing harm, the breach must also be reported to the Office of Privacy Commissioner (OPC). It is always wise to use legal counsel to determine if notifying OPC is required.

Modernizing your privacy policies

In 2020, the federal government introduced a bill to implement the Customer Privacy Protection Act, which will subsequently replace PIPEDA. The CPPA will ensure companies implement privacy management programs such as policies, practices, and procedures. It’s your obligation to protect personal information. Before setting up these programs, consider what type of information your organization is collecting and the level of sensitivity in your company’s control.

Always obtain consent when requesting information and dispose of personal information when requested. Individuals can request their information be transferred to another organization (data mobility). Your privacy policies will also have to be written in plain language so that they are easy to interpret.

It’s important to note that the OPC will also be granted more power with new enforcement mechanisms and monetary penalties.

Here is a list of legal tools to ensure you are in compliance with existing regulations and prepared for the changes ahead:

Privacy Management Programs, including policies and procedures outlining your company’s obligations.
Privacy Officers manage risk and ensure compliance.
Privacy Policies that establish clear directives in plain language.
Data Inventory to assess data on file, where it is stored, how long it has been retained, and with whom it is shared.
Privacy Impact Assessment to help identify and address potential privacy risks that may occur for new projects.

Watch the full webinar here: