According to the business law firm McMillan, data protection and cybersecurity are governed by a complex legal and regulatory framework, and failing to understand the laws and reduce your business risks has serious financial and legal consequences. In 2020, the average cost of a data breach in Canada rose 6.7% from 2019, to $6.35 million.
David Aplin Group hosted an online webinar this year titled Crisis Management, IT Disruptions and Business Continuity: The Big Picture, presented in partnership with Dentons LLP and Everbridge and panelled by thought leaders from both firms. The first half of the webinar delivered cybersecurity legal insights from Kelly Osaka, Litigation & Privacy Lawyer at Dentons LLP. This post focuses on Kelly's overview of the legal framework, her recommendations on how to handle a breach, and how to minimize future cybersecurity threats.
Canada’s Regulatory Structure
At the federal level, private-sector privacy is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). Three provinces, Alberta, British Columbia, and Québec, have their own private-sector privacy legislation, but those laws are substantially similar to PIPEDA.
The enforcement regulator in Canada is the Office of the Privacy Commissioner of Canada (OPC), which investigates complaints made by individuals. Its enforcement tools include public interest disclosure, compliance agreements, and the reporting of offences. The OPC has the authority to audit a business's privacy policies and practices and to initiate an investigation on its own, although it does not have the power to impose penalties.
Responding to a cybersecurity incident
Most companies engage a third-party cybersecurity consulting firm to investigate the breach and produce a forensic report establishing what happened and how severe it was. A regulator can request that report if your company is under investigation, so it is imperative that you can show what actions were taken to investigate the breach and what went wrong. Companies also have to consider whether a claim of privilege is an option for protecting the report and related documents from public disclosure; in practice, that usually means involving legal counsel before the forensic firm is retained, since privilege is far harder to assert after the fact.
The sources of breaches and liability discussed included:
- Third-party hackers
- Use of personal information without consent
- Vicarious liability for the acts of others
- Employees' innocent loss of data or intentional misconduct
Does a breach need to be reported?
Mandatory Breach Notification
Companies are required to notify affected individuals of any breach involving their personal information if the breach creates a real risk of significant harm. When that threshold is met, the breach must also be reported to the OPC, as soon as feasible. Note that a record of every breach must be kept whether or not it meets the threshold for reporting, so log the assessment even when you conclude that no notification is required. It is always wise to use legal counsel to determine whether notifying the OPC is required.
Modernizing Your Privacy Policies
It is important to note that planned reforms to federal privacy law are expected to grant the OPC more power, including new enforcement mechanisms and the ability to impose monetary penalties.
Here is a list of legal tools to ensure you are in compliance with existing regulation and prepared for the changes ahead:
- Privacy Management Programs, including policies and procedures that set out your company's obligations.
- Privacy Officers to manage risk and ensure compliance.
- Privacy Policies that establish clear directives in plain language.
- Data Inventory to catalogue what personal information you hold, where it is stored, how long it has been retained, and with whom it is shared.
- Privacy Impact Assessments to identify and address the privacy risks that new projects may introduce.
David Aplin Group is a private, family and employee-owned Canadian staffing agency founded in Alberta in 1975 and recognized as one of Canada's most accomplished recruiting firms. Our mission is to positively impact lives. The author, Jeff Mercer, is a Business Development Manager at David Aplin Group, based in Calgary, Alberta. Visit www.aplin.com