ONB Webinar: Cybersecurity - The Legal Framework in Canada
TRANSCRIPT
Client-focused, proactive, professional and accountable, Opportunities NB is the first point of contact for local and foreign businesses looking to grow, expand or locate. We are focused on performance, high growth opportunities and growing New Brunswick. Opportunities NB is poised to:
• Support business development inside New Brunswick, including business support services for small, medium-sized and large businesses;
• Proactively pursue high growth opportunities through exports and foreign investment; and
• Work with industry partners, economic development stakeholders and public sector partners to identify, build and support a portfolio of significant high growth opportunities both within and outside the province!
We will offer you the ideal operational expansion and labour solution tailored to your needs to grow in New Brunswick. We will go above and beyond to ensure your success in the province.
New Brunswick is built for business. We look forward to working with you to grow your business.
ABOUT THE PRESENTER
Our guest: Wendy Wagner
Wendy Wagner advises companies on privacy compliance and data protection issues. This includes compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), provincial privacy laws applicable to the private sector, and laws governing protection of health information. She also advises on cross-border data transfers and successor obligations, and assists companies with reporting and managing data breach incidents. She regularly advises on compliance with Canada’s Anti-Spam Legislation and has created anti-spam compliance policies and programs.
PRIVACY & CYBER-SECURITY
• Cyber-security: encompasses any measures taken to protect online information and secure the infrastructure on which it resides. How does it relate to data privacy?
• Cyber-security measures underpin the critical infrastructure that protects data, thereby safeguarding personal information or, if absent, rendering it vulnerable to threats.
Key threats: malware & viruses, ransomware, sabotage, financial fraud, phishing, theft of laptops/devices, unauthorized access to or use of systems & websites, misuse of social networks, denial of service, advanced persistent threats…
PRIVACY LAW IN CANADA
• Privacy laws govern the collection, use and disclosure of personal information. Privacy is a consent-based regime.
• Personal information: any information, in any form, about an identifiable individual, e.g.:
  • Name, age, ID numbers
  • Telephone number, physical address, email address
  • Payment or financial information
  • Employment, income, medical or financial history
  • Ethnic origin, gender, blood type, physical description
  • Opinions about the individual, evaluations, comments
  • Religion, political affiliations and beliefs
  • IP address or other device identifiers
PRIVACY LAW IN CANADA
Key factors that determine what laws apply include:
1. Nature of the organization:
  • Is the organization a federal government institution?
  • Is it a provincial or territorial government institution?
  • Is it a private-sector organization?
  • Is it a federal work, undertaking or business (FWUB)?
2. Location of the organization
3. Type of information (e.g. personal information, personal health information, employee information)
PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA)
• Canada’s federal privacy law applicable to commercial activities of private sector organizations
• Applies in all provinces except AB, BC and Quebec, and also applies to cross-border transfers of information
• Consent-based regime that governs the collection, use and disclosure of personal information in the course of commercial activities
• In the case of federal works, undertakings and businesses (FWUBs), it also applies to employee personal information
PROVINCIAL PRIVATE SECTOR LAWS
• For the private sector, three provinces have privacy legislation that has been deemed “substantially similar” to PIPEDA:
1. Alberta’s Personal Information Protection Act
2. British Columbia’s Personal Information Protection Act
3. Québec’s An Act Respecting the Protection of Personal Information in the Private Sector (Quebec Privacy Act)
COMPLIANCE & ENFORCEMENT
Compliance with PIPEDA is overseen by the Office of the Privacy Commissioner of Canada; provincial laws are overseen by a provincial Commissioner.
• Individuals complain to the Commissioners about alleged privacy breaches.
• The Commissioners may initiate investigations and audits.
• Reports of findings are issued and publicized.
• Provincial Commissioners make orders and impose penalties; the Federal Privacy Commissioner makes recommendations that may be enforced by a Court.
• The Federal Privacy Commissioner will soon have the ability to impose onerous penalties relating to breach reporting/record keeping.
RISKS & DUE DILIGENCE
Privacy statutes in Canada (generally) offer modest remedies, but may inform the “standard of care”:
• In Canada, privacy class actions are in their infancy, but actions have been certified on grounds of breach of privacy based on statutory tort, common law tort and negligence. Allegations may include:
1. Failure to create policies
2. Failure to prevent unauthorized access, including failure to encrypt
3. Failure to disclose the loss in a timely manner
4. Failure to have adequate and necessary data security measures
5. Failure to monitor, audit, test and update security measures
KEY PRINCIPLES
• Organizations may collect, use and disclose personal information only for a purpose that a reasonable person would consider appropriate in the circumstances, and must adhere to 10 fair information principles:
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance
ACCOUNTABILITY
Defined as the responsibility of the organization for personal information protection.
Requires organizations to have in place appropriate policies and procedures, including those relating to data security.
Accountability begins with an organization understanding and documenting the personal information that it holds:
• What personal information assets are held, and where?
• Why is the organization collecting, using or disclosing this personal information, and are these reasons documented?
• What is the level of sensitivity of the personal information, and is the level of protection commensurate?
ACCOUNTABILITY
Other aspects include:
• Risk assessments at least annually and when on-boarding any new services that collect, use or disclose personal information
• Training and education of employees: human error is the most common cause of reported breaches
• Breach and incident management response protocols for managing personal information breaches
• Oversight of service providers through contractual obligations, training and education, audits and ongoing monitoring
• Constant review and revision of policies, impact assessments, and external communications
LIMITING USE, DISCLOSURE, RETENTION
• Implementation of “need to know” principles: employees should only have access to the minimum amount of personal information required to perform their duties within the organization
• Role-based access controls limit who has access to what information
• Personal information should only be retained as long as required for the reasonable purposes of the organization, and then securely destroyed
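The three points above (need to know, role-based access, retention followed by destruction) are easier to see together in code. The following Python sketch is an added example written for this transcript; it is not material from the webinar or from Opportunities NB. The roles, record categories, retention periods, subject identifiers and dates are all constructed assumptions for a hypothetical organization, and the overwrite-then-drop step stands in for secure destruction, which in practice depends on the storage medium.

```python
"""Added example: "need to know" access to personal-information records
combining role-based access control, an access log, and retention limits.
All roles, categories, periods and sample records are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed role -> categories of personal information that role may read.
# Each role is granted only the minimum needed for its duties.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"employment", "financial"},
    "hr_manager": {"employment", "contact"},
    "help_desk": {"contact"},
    "privacy_officer": {"employment", "financial", "contact", "health"},
}

# Assumed retention periods per category, in days after collection.
RETENTION_DAYS = {
    "contact": 365,
    "employment": 7 * 365,
    "financial": 7 * 365,
    "health": 10 * 365,
}

# Constructed "today" so the retention check is deterministic.
AS_OF = date(2020, 1, 1)


@dataclass
class Record:
    subject_id: str
    category: str
    value: str
    collected_on: date
    purpose: str   # documented reason for collection (accountability principle)


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def log(self, user, role, subject_id, category, allowed):
        # Every attempt is recorded, whether or not it was permitted.
        self.entries.append((user, role, subject_id, category, allowed))


def can_access(role: str, category: str) -> bool:
    """Deny by default: a role sees a category only if explicitly granted."""
    return category in ROLE_PERMISSIONS.get(role, set())


def read_record(user: str, role: str, record: Record, log: AccessLog) -> str:
    """Return the value only when the role needs that category; log the attempt."""
    allowed = can_access(role, record.category)
    log.log(user, role, record.subject_id, record.category, allowed)
    if not allowed:
        raise PermissionError(f"{role} may not read {record.category} data")
    return record.value


def is_expired(record: Record, today: date) -> bool:
    """True once the record is older than its category's retention period."""
    limit = timedelta(days=RETENTION_DAYS[record.category])
    return today > record.collected_on + limit


def purge_expired(records: list, today: date):
    """Destroy expired records. Returns (kept_records, purged_subject_ids).
    Overwriting the value before dropping the object stands in for secure
    destruction of the underlying storage."""
    kept, purged = [], []
    for r in records:
        if is_expired(r, today):
            r.value = "\0" * len(r.value)
            purged.append(r.subject_id)
        else:
            kept.append(r)
    return kept, purged


def sample_records() -> list:
    """Constructed sample data for a hypothetical employer."""
    return [
        Record("emp-001", "contact", "alice@example.com", date(2018, 1, 1), "payslip delivery"),
        Record("emp-001", "financial", "bank account ****1234", date(2018, 1, 1), "payroll"),
        Record("emp-002", "contact", "bob@example.com", date(2019, 6, 1), "IT support"),
    ]


if __name__ == "__main__":
    log = AccessLog()
    records = sample_records()
    print(read_record("alice", "payroll_clerk", records[1], log))
    try:
        read_record("bob", "help_desk", records[1], log)
    except PermissionError as exc:
        print("denied:", exc)
    kept, purged = purge_expired(records, AS_OF)
    print("purged subjects:", purged, "records kept:", len(kept))
```

Run as a script, the block shows a payroll clerk reading financial data, a help-desk user being refused the same record (with both attempts logged), and the stale contact record being purged while the financial record stays within its longer retention period.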
SAFEGUARDS
In recent complaint reports, the federal Privacy Commissioner has held that organizations holding sensitive/significant amounts of personal information must have:
• An explicit risk management and assessment process that addresses information security measures and draws on adequate external and internal expertise. It must be context-based and commensurate with the sensitivity of the data, and include:
  • Preventative measures, e.g. key & password management practices, multi-factor authentication for remote access
  • Detective countermeasures, e.g. an intrusion detection system
• Documented security policies and procedures that are updated and reviewed based on an evolving threat landscape
• Adequate training for all employees
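To make the preventative/detective distinction on this slide concrete, here is an added example (written for this transcript, not code from the webinar or from Opportunities NB) that runs two small checks over constructed remote-access log lines: one that surfaces successful remote logins accepted without multi-factor authentication (a preventative policy not being enforced), and one that flags a burst of failed logins from a single source address (a detective control). The log format, field names, IP addresses, user names and thresholds are all assumptions.

```python
"""Added example: two checks over constructed remote-access (VPN) log lines.
The line format, thresholds and sample data are assumptions, not a real product's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed format:
# "<ISO timestamp> vpn user=<name> src=<ip> result=<ok|fail> mfa=<yes|no>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 vpn user=alice src=203.0.113.10 result=ok mfa=yes
2024-03-01T08:00:05 vpn user=bob src=203.0.113.11 result=ok mfa=no
2024-03-01T08:01:00 vpn user=carol src=198.51.100.7 result=fail mfa=yes
2024-03-01T08:01:02 vpn user=carol src=198.51.100.7 result=fail mfa=yes
2024-03-01T08:01:04 vpn user=carol src=198.51.100.7 result=fail mfa=yes
2024-03-01T08:01:06 vpn user=carol src=198.51.100.7 result=fail mfa=yes
2024-03-01T08:01:08 vpn user=carol src=198.51.100.7 result=fail mfa=yes
2024-03-01T08:30:00 vpn user=dave src=203.0.113.12 result=fail mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>ok|fail) mfa=(?P<mfa>yes|no)$"
)

FAIL_THRESHOLD = 5                  # this many failures from one source ...
FAIL_WINDOW = timedelta(minutes=1)  # ... inside this window raise an alert


def parse_log(text: str) -> list:
    """Parse lines in the assumed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def logins_without_mfa(events: list) -> list:
    """Preventative policy check: users whose remote login succeeded without MFA."""
    return sorted({e["user"] for e in events
                   if e["result"] == "ok" and e["mfa"] == "no"})


def failed_login_bursts(events: list, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW) -> list:
    """Detective check: source addresses with >= threshold failures inside
    any sliding window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        # Compare each failure with the (threshold-1)th one after it.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(src)
                break
    return sorted(alerts)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("remote logins without MFA:", logins_without_mfa(evts))
    print("failed-login bursts from:", failed_login_bursts(evts))
```

On the constructed sample, the first check reports bob (accepted without MFA) and the second reports 198.51.100.7 (five failures in eight seconds), while dave's single failure stays below the threshold; both findings are the kind of evidence a documented security policy would require to be reviewed.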
SAFEGUARDS
The Privacy Commissioners do not prescribe a required set of safeguards but are looking for a robust and sophisticated analysis:
• Risk Identification: inventory personal information assets; assess the business impacts of a loss, acceptable levels of risk, and the impact of changes to the organization, technology, business process and threat environment
• Policies: on operational security, training, contractors, external communication; specific issues such as network security infrastructure, installation of hardware/software, access to systems, portable devices, acceptable IT usage
• Records Management: personal information classification, retention and secure destruction
SAFEGUARDS
• Human Resources Security: management support; training regarding security, authorized access, use and disclosure of personal information, proper protection and maintenance of credentials, threats such as spoofing and phishing; employee screening and confidentiality
• Contractors: contractual agreements; requirements to return or destroy personal information; regular inspections, audits and enforcement
• Physical Security for Personal Information: locked cabinets, access controls, intrusion detection, logging, protocols for removal of personal information from publicly accessible locations, controlled access points
• Systems Security: locked workstations; policies on mobile and portable devices including encryption, tracking devices, remote deletion
• Database and Operating System Security
SAFEGUARDS
• Network Security: segregation of personal information from public networks, secure connections, monitoring of new vulnerabilities, testing of cyber security defences
• Wireless Technology: encryption and authentication, firewalls & antivirus, wireless intrusion detection, audit records of activity
• Transmission of Personal Information: policies on fax & email transmission, use of encryption, confirmation of receipt, use of ‘bcc’, use of digital signatures
• Access Control Policies: identification, authorization and authentication
• Incident Management: privacy and security incident management policy including notification and reporting requirements for privacy breaches
OPENNESS: BREACH REPORTING / NOTIFICATION
Bill S-4, the Digital Privacy Act, amends PIPEDA with the objective of strengthening privacy protection and increasing compliance.
Among the key amendments is the imposition of a mandatory breach notification regime that will come into force when regulations are passed, along with statutory penalties for failure to report and keep records.
Violations of the breach notification or breach record keeping requirements can result in: (a) an offence punishable on summary conviction and a $10,000 fine; or (b) an indictable offence and a fine not exceeding $100,000. It is not clear whether a fine could be levied in respect of each individual affected by a breach.
THE MANDATORY BREACH NOTIFICATION REGIME
Applies to any “breach of security safeguards”:
• “The loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in Clause 4.7 of Schedule 1 or from a failure to establish those safeguards.”
• Personal information is lost, or accessed by an unauthorized individual
• The loss or unauthorized access is the result of someone violating the organization’s security safeguards, or the result of a failure to establish such safeguards
NOTE: Under its Personal Information Protection Act, Alberta already has mandatory breach notification obligations where an organization determines that a real risk of significant harm exists to an individual as a result of a breach of personal information.
KEY OBLIGATIONS FOR ORGANIZATIONS THAT EXPERIENCE A DATA BREACH
• Determine if the breach poses a “real risk of significant harm” to any individual whose personal information was involved in the breach;
• Notify individuals as soon as feasible of any breach that poses a “real risk of significant harm”;
• Report any data breach that poses a “real risk of significant harm” to the Privacy Commissioner, as soon as feasible;
• Where appropriate, notify any third party that the organization experiencing the breach believes is in a position to mitigate the risk of harm; and
• Maintain a record of the data breach and make these records available to the Privacy Commissioner upon request.