Risk & Business Magazine Benson Kearley IFG Spring / Summer 2017 | Page 31

EMERGING RISKS

“Organizations need to make this a top concern with their Boards of Directors and Senior Management, have a plan in place, and ensure they deal with breaches promptly when they occur.”

liability cases that are starting to hit organizations in the courts include the following:
• Loser – portable device (phone, laptop, etc.) is lost or stolen; often no evidence that personal information is actually accessed or abused
• Snooper – personal information accessed out of curiosity; improper access but often not disclosed; may target colleagues or clients
• Harvester – web-based companies collate and analyze client data; seek to monetize the personal information; class actions focusing on adequacy of “consent”
• Fraudster / Hacker – employee or third-party hacker illegally uses personal information
• Predator – jilted boyfriend posts porn; staff member nefariously films patients; etc. (2)
The DPA makes extensive revisions to the Personal Information Protection and Electronic Documents Act (PIPEDA), and its passage and its pending breach notification and recordkeeping provisions make clear that Canada has ushered in a new era of privacy law.
Included in this new era are the recent changes to the Canadian Anti-Spam Legislation (CASL). The next phase of CASL is the Private Right of Action, which will come into force on July 1, 2017. In order to mitigate their risks, organizations are well-advised to have a Compliance Program documented and implemented by July 1, 2017. Once a Private Right of Action is commenced, the CRTC can no longer step in to reduce the monetary impact to organizations.
While the liability can be $200 for each breach per day, organizations sending out large numbers of targeted e-mails each day could have far higher liability, above and beyond any compensatory damages. Further, if implicated in the breach, officers, directors, and agents of the organization can be jointly and severally liable for contraventions even if the business that committed the acts is not sued. (3)
Organizations need to make this a top concern with their Boards of Directors and Senior Management, have a plan in place, and ensure they deal with breaches promptly when they occur. Boards of Directors and Senior Management should do the following:
• Understand and approach cybersecurity as an enterprise-wide risk management issue, not just an information technology (IT) issue
• Understand the legal implications of cyber-risks as they relate to their company’s specific circumstances
• Have adequate access to cybersecurity expertise
• Give regular and adequate time to discussions about cyber-risk management on board meeting agendas
• Set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budgeting
• Ensure management identifies which risks to avoid, accept, mitigate, or transfer through insurance, as well as have specific plans associated with each approach (4)
Organizations subject to Canadian privacy law would be well-advised to take steps now to ensure they are, and will remain, compliant with the new rules. The Office of the Privacy Commissioner of Canada (OPC) Consultation paper offers guidelines for preparedness.
For more information on what you can do to be prepared, email 4Cast Services Inc. at info@4CastServices.com or call us at (905) 691-7335.
BY: SHANNON DELENARDO, SENIOR LEADER, COMPLIANCE, REGULATORY AFFAIRS, AND PETER MACMILLAN, CEO, 4CAST SERVICES INC.
1. Privacy Law Developments Across Canada, October 25, 2016, BLG Presentation for the IBC Regulatory Affairs Symposium by Patrick J. Hawkins.
2. Privacy Law Developments Across Canada, October 25, 2016, BLG Presentation for the IBC Regulatory Affairs Symposium by Patrick J. Hawkins.
3. Are You Ready for CASL’s Private Right of Action?, Last Updated: February 1, 2017, Article by Sharon E. Groom, Lyndsay A. Wasser, Jamieson D. Virgin, Rohan Hill and Mitch Koczerginski, McMillan LLP.
4. Cyber-Risk Oversight Executive Summary, Director’s Handbook Series 2014 Edition, published by the U.S. National Association of Corporate Directors.