Opportunities NB Webinar Cybersecurity – The Legal Framework in Canada

Upload: opportunities-nb

Post on 20-Jan-2017


TRANSCRIPT

Opportunities NB Webinar

Cybersecurity – The Legal Framework in Canada

Hosting: Heather Maclean

Marketing Lead

Opportunities NB

Client-focused, proactive, professional and accountable, Opportunities NB is the first point of contact for local and foreign businesses looking to grow, expand or locate. We are focused on performance, high growth opportunities and growing New Brunswick. Opportunities NB is poised to:

• Support business development inside New Brunswick, including business support services for small, medium-sized and large businesses;

• Proactively pursue high growth opportunities through exports and foreign investment; and

• Work with industry partners, economic development stakeholders and public sector partners to identify, build and support a portfolio of significant high growth opportunities both within and outside the province!

We will offer you the ideal operational expansion and labour solution tailored to your needs to grow in New Brunswick. We will go above and beyond to ensure your success in the province.

New Brunswick is built for business. We look forward to working with you to grow your business.

Our guest: Wendy Wagner

ABOUT THE PRESENTER

Wendy Wagner advises companies on privacy compliance and data protection issues. This includes compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), provincial privacy laws applicable to the private sector, and laws governing protection of health information. She also advises on cross-border data transfers and successor obligations, and assists companies with reporting and managing data breach incidents. She regularly advises on compliance with Canada’s Anti-Spam Legislation and has created anti-spam compliance policies and programs.

CANADIAN PRIVACY LAW: A LEGAL FRAMEWORK FOR CYBER-SECURITY

WENDY J WAGNER

JANUARY 19, 2017

PRIVACY & CYBER-SECURITY

• Cyber-security: encompasses any measures taken to protect online information and secure the infrastructure on which it resides. How does it relate to data privacy?

• Cyber-security measures underpin the critical infrastructure that protects data, thereby safeguarding personal information, or, if absent, rendering it vulnerable to threats.

Key threats: malware & viruses, ransomware, sabotage, financial fraud, phishing, theft of laptops/devices, unauthorized access to or use of systems & websites, misuse of social networks, denial of service, advanced persistent threats…

PRIVACY LAW IN CANADA

• Privacy laws govern the collection, use and disclosure of personal information. Privacy is a consent-based regime.

• Personal Information: any information, in any form, about an identifiable individual, e.g.:
  • Name, age, ID numbers
  • Telephone number, physical address, email address
  • Payment or financial information
  • Employment, income, medical or financial history
  • Ethnic origin, gender, blood type, physical description
  • Opinions about the individual, evaluations, comments
  • Religion, political affiliations and beliefs
  • IP address or other device identifiers.

PRIVACY LAW IN CANADA

Key factors that determine what laws apply include:

1. Nature of the organization:
  • Is the organization a federal government institution?
  • Is it a provincial or territorial government institution?
  • Is it a private-sector organization?
  • Is it a federal work, undertaking or business (FWUB)?

2. Location of the organization

3. Type of information (e.g. personal information, personal health information, employee information)

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA)

• Canada’s federal privacy law applicable to commercial activities of private sector organizations

• Applies in all provinces except AB, BC, and Quebec, and also applies to cross-border transfers of information

• Consent-based regime that governs the collection, use and disclosure of personal information in the course of commercial activities

• In the case of federal works, undertakings and businesses (FWUBs), it also applies to employee personal information

PROVINCIAL PRIVATE SECTOR LAWS

• For the private sector, three provinces have privacy legislation that has been deemed “substantially similar” to PIPEDA:

1. Alberta’s Personal Information Protection Act
2. British Columbia’s Personal Information Protection Act
3. Québec’s An Act Respecting the Protection of Personal Information in the Private Sector (Quebec Privacy Act)

COMPLIANCE & ENFORCEMENT

Compliance with PIPEDA is overseen by the Office of the Privacy Commissioner of Canada; provincial laws are overseen by a provincial Commissioner.

• Individuals complain to the Commissioners about alleged privacy breaches.
• The Commissioners may initiate investigations and audits.
• Reports of findings are issued and publicized.
• Provincial Commissioners make orders and impose penalties; the Federal Privacy Commissioner makes recommendations that may be enforced by a Court.
• The Federal Privacy Commissioner will soon have the ability to impose onerous penalties relating to breach reporting/record keeping.

RISKS & DUE DILIGENCE

Privacy statutes in Canada (generally) offer modest remedies, but may inform the “standard of care”:

• In Canada, privacy class action is in its infancy, but actions have been certified on grounds of breach of privacy based on statutory tort, common law tort and negligence. Allegations may include:

1. Failure to create policies
2. Failure to prevent unauthorized access (including failure to encrypt)
3. Failure to disclose the loss in a timely manner
4. Failure to have adequate and necessary data security measures
5. Failure to monitor, audit, test and update security measures

KEY PRINCIPLES

• Organizations may collect, use and disclose personal information only for a purpose that a reasonable person would consider appropriate in the circumstances, and adhere to the 10 fair information principles:

1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance

ACCOUNTABILITY

Defined as the responsibility of the organization for personal information protection.

Requires organizations to have in place appropriate policies and procedures, including those relating to data security.

Accountability begins with an organization understanding and documenting the personal information that it holds:

• What personal information assets are held and where?
• Why is the organization collecting, using or disclosing this personal information, and are these reasons documented?
• What level of sensitivity is the personal information, and is the level of protection commensurate?

ACCOUNTABILITY

Other aspects include:

• Risk assessments at least annually and when on-boarding any new services that collect, use or disclose personal information
• Training and education of employees: human error is the most common cause of reported breaches
• Breach and incident management response protocols for managing personal information breaches
• Oversight of service providers through contractual obligations, training and education, audits and ongoing monitoring
• Constant review and revision of policies, impact assessments, and external communications.

LIMITING USE, DISCLOSURE, RETENTION

• Implementation of “need to know” principles: employees should only have access to the minimum amount of personal information required to perform duties within the organization
• Role-based access controls limit who has access to what information
• Personal information should only be retained as long as required for the reasonable purposes of the organization, and then securely destroyed

SAFEGUARDS

In recent complaint reports, the federal Privacy Commissioner has held that organizations holding sensitive/significant amounts of personal information must have:

• An explicit risk management and assessment process that addresses information security measures and draws on adequate external and internal expertise. Must be context based and commensurate with the sensitivity of the data:
  • Preventative measures, e.g. key & password management practices, multi-factor authentication for remote access
  • Detective countermeasures, e.g. intrusion detection system
• Documented security policies and procedures that are updated and reviewed based on an evolving threat landscape
• Adequate training for all employees

SAFEGUARDS

The Privacy Commissioners do not prescribe a required set of safeguards but are looking for a robust and sophisticated analysis:

• Risk Identification: inventory personal information assets; assess the business impacts of a loss, acceptable levels of risk, and the impact of changes to the organization, technology, business process and threat environment
• Policies: on operational security, training, contractors, external communication; specific issues such as network security infrastructure, installation of hardware/software, access to systems, portable devices, acceptable IT usage
• Records Management: personal information classification, retention and secure destruction

SAFEGUARDS

• Human Resources Security: management support; training regarding security, authorized access, use and disclosure of personal information, proper protection and maintenance of credentials, threats such as spoofing and phishing; employee screening and confidentiality
• Contractors: contractual agreements; requirements to return or destroy personal information; regular inspections, audits and enforcement
• Physical Security for Personal Information: locked cabinets, access controls, intrusion detection, logging, protocols for removal of personal information from publicly accessible locations, controlled access points
• Systems Security: locked workstations; policies on mobile and portable devices including encryption, tracking devices, remote deletion
• Database and Operating System Security

SAFEGUARDS

• Network Security: segregation of personal information from public networks, secure connections, monitoring of new vulnerabilities, testing of cyber security defences
• Wireless Technology: encryption and authentication, firewalls & antivirus, wireless intrusion detection, audit records of activity
• Transmission of Personal Information: policies on fax & email transmission, use of encryption, confirmation of receipt, use of ‘bcc’, use of digital signatures
• Access Control Policies: identification, authorization and authentication
• Incident Management: privacy and security incident management policy including notification and reporting requirements for privacy breaches.

OPENNESS: BREACH REPORTING / NOTIFICATION

Bill S-4 – the Digital Privacy Act – amends PIPEDA with the objective of strengthening privacy protection and increasing compliance.

Among the key amendments is the imposition of a mandatory breach notification regime that will come into force when regulations are passed, along with statutory penalties for failure to report and keep records.

Violations of the breach notification or breach record keeping requirements can result in: (a) an offence punishable on summary conviction and a $10,000 fine; or (b) an indictable offence and a fine not exceeding $100,000. It is not clear whether a fine could be levied in respect of each individual affected by a breach.

THE MANDATORY BREACH NOTIFICATION REGIME

Applies to any “breach of security safeguards”:

• “The loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in Clause 4.7 of Schedule 1 or from a failure to establish those safeguards.”

• Personal information is lost, or accessed by an unauthorized individual
• The loss or unauthorized access is the result of someone violating the organization’s security safeguards, or the result of a failure to establish such safeguards

NOTE: Under its Personal Information Protection Act, Alberta already has mandatory breach notification obligations where an organization determines that a real risk of significant harm exists to an individual as a result of a breach of personal information.

KEY OBLIGATIONS FOR ORGANIZATIONS THAT EXPERIENCE A DATA BREACH

• Determine if the breach poses a “real risk of significant harm” to any individual whose personal information was involved in the breach;
• Notify individuals as soon as feasible of any breach that poses a “real risk of significant harm”;
• Report any data breach that poses a “real risk of significant harm” to the Privacy Commissioner, as soon as feasible;
• Where appropriate, notify any third party that the organization experiencing the breach believes is in a position to mitigate the risk of harm; and
• Maintain a record of the data breach and make these records available to the Privacy Commissioner upon request.

QUESTIONS?


WENDY WAGNER
Gowling WLG
160 Elgin Street
Ottawa, Ontario
K1P 1C3
613-786-0213
[email protected]

Thank you for attending

Merci de votre participation

www.onbcanada.ca [email protected]