Daanish Samadmoten, Fasken Martineau DuMoulin LLP
April 1 and 2, 2019
Current Cybersecurity Legal Risks and Requirements
Overview
• Evolving risk landscape
• Lessons from the cases
• PIPEDA amendments
• Key takeaways
Evolving risks: privacy litigation
Legal landscape
Lessons from cases
“After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. …Unless one wishes to play pretend, Home Depot was the successful party in resisting a pleaded claim of $500 million.”
- Lozanski v. Home Depot, 2016 ONSC 5447
Lessons from the cases
• Condon v Canada, 2018 FC 522
• “This settlement will serve as a benchmark for future privacy breach class actions and encourage organizations throughout Canada to take privacy seriously, for fear of facing serious litigation consequences for a privacy breach.”
Lessons from the cases
• Condon v Canada, 2018 FC 522
• Lost drive affecting 583,000 individuals (including name, SIN, address, student loan)
• Response:
• Notification of breach to individuals
• Six years of fraud flagging from Equifax and Transunion
• Forensic investigation and darkweb searches
Lessons from the cases
• Condon v Canada, 2018 FC 522
– $17.5 million settlement fund for:
• $5.25 million to plaintiff counsel
• Cost of administering settlement
• $60 per individual for wasted time
– Unlimited compensation for any actual losses
Lessons from the cases
• Have an Incident Response Plan
• Internal incident and crisis teams
• External team may include:
• legal counsel “breach coach”
• forensic investigation and incident response teams
• crisis communications/public relations experts
• other providers (e.g. IT teams, ransom payment, notification provider, call centre, identity protection)
Incident response plan template
• Define incident response process:
1. Identification and escalation
2. Containment and restoration
3. Communication and notification
4. Record keeping and prevention
Privacy framework in Canada
• PIPEDA applies to commercial activity but not to employee personal information of law firms
• BC, Alberta and Quebec have privacy laws
• Health and public sector privacy laws will apply to some
What’s new with PIPEDA?
• Mandatory breach notification, reporting and record keeping provisions came into force on November 1, 2018, pursuant to the Digital Privacy Act
Triggering Event
• Notification must be made in the event of a breach of security safeguards involving personal information under an organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual
“Personal Information”
• Personal information is very broadly defined as information about an identifiable individual
“Real Risk of Significant Harm”
• “Significant” harm includes:
• bodily harm
• humiliation
• damage to reputation or relationships
• loss of employment, business or professional opportunities,
• financial loss
• identity theft
• negative effects on the credit record and
• damage to or loss of property
“Real Risk of Significant Harm”
• Relevant factors in determining risk
• Sensitivity of the personal information
• The probability that the personal information has been, is being or will be misused
Who Must Report the Breach?
• The organization with control of the information must report and notify
• Be mindful of whether your firm has “control” or if the client is in control
Notification requirements
• Notification to the Commissioner, affected individuals and potentially others is mandatory if the triggering event applies
• Exception: where notifying affected individuals would be prohibited by law
• Keep in mind confidentiality obligations
Notification to Organizations
• Organizations must also inform another organization or government institution of the breach if they may be able to reduce the risk of the harm that could result from it or mitigate that harm
• Keep in mind confidentiality obligations
Timing of Notification
• Notification to the Commissioner, individuals, and other organizations, if any, must be given as soon as feasible after the organization determines that the breach has occurred
Content of Notification: Commissioner
• Circumstances and if known, the cause
• Day or period when breach occurred
• Personal information breached
• Number of individuals affected
• Steps taken to reduce risk of harm
• Steps taken to notify affected individuals
Content of Notification: Individuals
• Circumstances
• Day or period when breach occurred
• Personal information breached
• Steps taken to reduce risk of harm
• Steps individuals could take
• Contact information
Method of Notification: Individuals
• Direct notification is required, unless:
• (a) it would be likely to cause further harm to the affected individual;
• (b) it would be likely to cause undue hardship for the organization; or
• (c) the organization does not have contact information for the affected individual
Keeping Records of All Breaches
• Keep records of all breaches of information in your control, whether there is a real risk of significant harm or not, for two years
• Provide the Commissioner with access to, or a copy of, a record, if requested
Penalties
• Offence under section 28 punishable on summary conviction and liable to a fine not exceeding $10,000, or an indictable offence and liable to a fine not exceeding $100,000
Complaints
• An individual may complain to the Commissioner
• Matter may be referred to Federal Court
Regulators
• Privacy Commissioner of Canada
• Other privacy commissioners
• Investment Industry Regulatory Organization of Canada (IIROC)
• Office of the Superintendent of Financial Institutions (OSFI)
• Canadian Securities Administrators (CSA)
Key takeaways
• Risks and requirements are escalating
• Manage information intake and retention
• Incident response plan
• Privilege considerations
• Escalation protocols
• Record keeping
• Cyber insurance
Speaker
Daanish Samadmoten, Privacy and Cybersecurity Group, Fasken
Daanish provides practical and strategic advice to clients in respect of privacy compliance matters and data breach incidents. With considerable experience and an ongoing practice in the fields of commercial, civil and administrative litigation, Daanish brings to bear key legal and litigation risk management considerations in relation to privacy and cybersecurity matters.
Cybersecurity Legal Risks and Requirements Overview

My Hashitalk Indonesia April 2024 Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Cybersecurity Legal Risks and Requirements Overview

  1. Daanish Samadmoten, Fasken Martineau DuMoulin LLP
     April 1 and 2, 2019
     Current Cybersecurity Legal Risks and Requirements

  2. Overview
     • Evolving risk landscape
     • Lessons from the cases
     • PIPEDA amendments
     • Key takeaways

  5. Lessons from cases
     “After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. …Unless one wishes to play pretend, Home Depot was the successful party in resisting a pleaded claim of $500 million.”
     - Lozanski v. Home Depot, 2016 ONSC 5447

  7. Lessons from the cases
     • Condon v Canada, 2018 FC 522
       • “This settlement will serve as a benchmark for future privacy breach class actions and encourage organizations throughout Canada to take privacy seriously, for fear of facing serious litigation consequences for a privacy breach.”

  8. Lessons from the cases
     • Condon v Canada, 2018 FC 522
       • Lost drive affecting 583,000 individuals (including name, SIN, address, student loan)
       • Response:
         • Notification of breach to individuals
         • Six years of fraud flagging from Equifax and TransUnion
         • Forensic investigation and darkweb searches

  9. Lessons from the cases
     • Condon v Canada, 2018 FC 522
       – $17.5 million settlement fund for:
         • $5.25 million to plaintiff counsel
         • Cost of administering settlement
         • $60 per individual for wasted time
       – Unlimited compensation for any actual losses

  11. Lessons from the cases
     • Have an Incident Response Plan
     • Internal incident and crisis teams
     • External team may include:
       • legal counsel “breach coach”
       • forensic investigation and incident response teams
       • crisis communications/public relations experts
       • other providers (e.g. IT teams, ransom payment, notification provider, call centre, identity protection)

  12. Incident response plan template
     • Define incident response process:
       1. Identification and escalation
       2. Containment and restoration
       3. Communication and notification
       4. Record keeping and prevention

  13. Privacy framework in Canada
     • PIPEDA applies to commercial activity but not employee personal information of law firms
     • BC, Alberta and Quebec have privacy laws
     • Health and public sector privacy laws will apply to some

  14. What’s new with PIPEDA?
     • Mandatory breach notification, reporting and record keeping provisions came into force on November 1, 2018, pursuant to the Digital Privacy Act

  15. Triggering Event
     • Notification must be made in the event of a breach of security safeguards involving personal information under an organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual

  16. “Personal Information”
     • Personal information is very broadly defined as information about an identifiable individual

  17. “Real Risk of Significant Harm”
     • “Significant” harm includes:
       • bodily harm
       • humiliation
       • damage to reputation or relationships
       • loss of employment, business or professional opportunities
       • financial loss
       • identity theft
       • negative effects on the credit record
       • damage to or loss of property

  18. “Real Risk of Significant Harm”
     • Relevant factors in determining risk:
       • Sensitivity of the personal information
       • The probability that the personal information has been, is being or will be misused

  19. Who Must Report the Breach?
     • The organization with control of the information must report and notify
     • Be mindful of whether your firm has “control” or if the client is in control

  20. Notification requirements
     • Notification to the Commissioner, affected individuals and potentially others is mandatory if the triggering event applies
     • Exception: where notifying affected individuals would be prohibited by law
     • Keep in mind confidentiality obligations

  21. Notification to Organizations
     • Organizations must also inform another organization or government institution of the breach if they may be able to reduce the risk of the harm that could result from it or mitigate that harm
     • Keep in mind confidentiality obligations

  22. Timing of Notification
     • Notification to the Commissioner, individuals, and other organizations, if any, must be given as soon as feasible after the organization determines that the breach has occurred

  23. Content of Notification: Commissioner
     • Circumstances and, if known, the cause
     • Day or period when breach occurred
     • Personal information breached
     • Number of individuals affected
     • Steps taken to reduce risk of harm
     • Steps taken to notify affected individuals

  24. Content of Notification: Individuals
     • Circumstances
     • Day or period when breach occurred
     • Personal information breached
     • Steps taken to reduce risk of harm
     • Steps individuals could take
     • Contact information

  25. Method of Notification: Individuals
     • Direct notification is required, unless:
       (a) it would be likely to cause further harm to the affected individual;
       (b) it would be likely to cause undue hardship for the organization; or
       (c) the organization does not have contact information for the affected individual

  26. Keeping Records of All Breaches
     • Keep records of all breaches of information in your control, whether there is a real risk of significant harm or not, for two years
     • Provide the Commissioner with access to, or a copy of, a record, if requested

  27. Penalties
     • Offence under section 28 punishable on summary conviction and liable to a fine not exceeding $10,000, or an indictable offence and liable to a fine not exceeding $100,000

  28. Complaints
     • An individual may complain to the Commissioner
     • Matter may be referred to Federal Court

  29. Regulators
     • Privacy Commissioner of Canada
     • Other privacy commissioners
     • Investment Industry Regulatory Organization of Canada (IIROC)
     • Office of the Superintendent of Financial Institutions (OSFI)
     • Canadian Securities Administrators (CSA)

  30. Key takeaways
     • Risks and requirements are escalating
     • Manage information intake and retention
     • Incident response plan
     • Privilege considerations
     • Escalation protocols
     • Record keeping
     • Cyber insurance

  31. Speaker
     Daanish Samadmoten, Privacy and Cybersecurity Group, Fasken
     Daanish provides practical and strategic advice to clients in respect of privacy compliance matters and data breach incidents. With considerable experience and an ongoing practice in the fields of commercial, civil and administrative litigation, Daanish brings to bear key legal and litigation risk management considerations in relation to privacy and cybersecurity matters.

Editor's Notes

  1. A “breach of security safeguards” means: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards. (PIPEDA, section 2(1))
  2. “About” means that the information is not just the subject of something but also relates to or concerns the subject. (Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157) Information will be about an “identifiable individual” where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information. (Gordon v. Canada (Health), 2008 FC 258) Information will still be personal information even if it is publicly available within the meaning of the regulations and is exempt from applicable consent requirements. (Englander v. TELUS Communications Inc., 2004 FCA 387)
  3. The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include: (a) the sensitivity of the personal information involved in the breach; (b) the probability that the personal information has been, is being or will be misused; and (c) any other prescribed factor. (PIPEDA, section 10.1(8))
     The concept of sensitivity of personal information is discussed in Principle 4.3.4 of PIPEDA, which states: “Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.”
     Some questions to consider when assessing the probability of misuse:
     • What happened and how likely is it that someone would be harmed by the breach?
     • Who actually accessed or could have accessed the personal information?
     • How long has the personal information been exposed?
     • Is there evidence of malicious intent (e.g., theft, hacking)?
     • Were a number of pieces of personal information breached, thus raising the risk of misuse?
     • Is the breached information in the hands of an individual/entity that represents a reputation risk to the individual(s) in and of itself? (e.g. an ex-spouse or a boss, depending on specific circumstances)
     • Was the information exposed to limited/known entities who have committed to destroy and not disclose the data?
     • Was the information exposed to individuals/entities who have a low likelihood of sharing the information in a way that would cause harm? (e.g. in the case of an accidental disclosure to unintended recipients)
     • Was the information exposed to individuals/entities who are unknown, or to a large number of individuals, where certain individuals might use or share the information in a way that would cause harm?
     • Is the information known to be exposed to entities/individuals who are likely to attempt to cause harm with it (e.g. information thieves)?
     • Has harm materialized (demonstration of misuse)?
     • Was the information lost, inappropriately accessed or stolen?
     • Has the personal information been recovered?
     • Is the personal information adequately encrypted, anonymized or otherwise not easily accessible?
     (Office of the Privacy Commissioner of Canada, What you need to know about mandatory reporting of breaches of security safeguards (Consultation) (Ottawa: Office of the Privacy Commissioner of Canada, 2018))
  4. “Commissioner” refers to the Privacy Commissioner of Canada. (Office of the Privacy Commissioner of Canada, What you need to know about mandatory reporting of breaches of security safeguards (Consultation) (Ottawa: Office of the Privacy Commissioner of Canada, 2018))
  5. Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. (PIPEDA, section 10.1(3))
  6. When notifying an individual of a data breach, an organization must also notify another organization, a government institution or a part of a government institution of the breach as soon as feasible if that organization, government institution or part concerned may be able to reduce the risk of the harm that could result from it or mitigate that harm, or if any of the prescribed conditions are satisfied. (PIPEDA, sections 10.2(1) and (2))
  7. The report may be sent to the Commissioner through any secure means of communication and must contain: (a) a description of the circumstances of the breach and, if known, the cause; (b) the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period; (c) a description of the personal information that is the subject of the breach to the extent that the information is known; (d) the number of individuals affected by the breach or, if unknown, the approximate number; (e) a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm; (f) a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of the Act; and (g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach. (PIPEDA, section 10.1(2) and Breach of Security Safeguards Regulations (SOR/2018-64), sections 2(1), 2(2), and 2(3))
  8. Notice to an individual must include sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of the harm that could result from it or to mitigate that harm, as well as: (a) a description of the circumstances of the breach; (b) the day on which, or period during which, the breach occurred or, if neither is known, the approximate period; (c) a description of the personal information that is the subject of the breach to the extent that the information is known; (d) a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach; (e) a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and (f) contact information that the affected individual can use to obtain further information about the breach. (PIPEDA, section 10.1(4) and Breach of Security Safeguards Regulations (SOR/2018-64), section 3)
  9. The notification must be conspicuous and given directly to the individual in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances except if: (a) direct notification would be likely to cause further harm to the affected individual; (b) direct notification would be likely to cause undue hardship for the organization; or (c) the organization does not have contact information for the affected individual, in which case, indirect notification must be given by public communication or similar measure that could reasonably be expected to reach the affected individuals. (PIPEDA, section 10.1(5) and Breach of Security Safeguards Regulations (SOR/2018-64), sections 5(1) and 5(2)) Examples of indirect notification include public announcements, such as advertisements in online or offline newspapers. The measures that would be employed for other public announcements should be used for indirect notifications. For example, media messaging, a prominent notice on the organization’s website, or other online/digital presence. (Office of the Privacy Commissioner of Canada, What you need to know about mandatory reporting of breaches of security safeguards (Consultation) (Ottawa: Office of the Privacy Commissioner of Canada, 2018))
  10. Records must include, at a minimum: the date or estimated date of the breach; a general description of the circumstances of the breach; the nature of the information involved in the breach; whether or not the breach was reported to the Privacy Commissioner of Canada and whether individuals were notified; and, if the breach was not reported to the Privacy Commissioner or individuals were not notified, a brief explanation of why the breach was determined not to pose a “real risk of significant harm”. (Office of the Privacy Commissioner of Canada, What you need to know about mandatory reporting of breaches of security safeguards (Consultation) (Ottawa: Office of the Privacy Commissioner of Canada, 2018))
     Records must be kept for two years, although other legal requirements may impose longer retention periods. (Breach of Security Safeguards Regulations (SOR/2018-64), section 6(1)) There is no threshold associated with the record-keeping obligation: a record of all breaches must be kept, irrespective of whether they give rise to a real risk of significant harm. Nor is there any threshold before an organization would be required to provide its 'breach file' to the Commissioner.
     The record-keeping requirement is an important compliance consideration and has the potential to create costs and risks for organizations. For example, in privacy-related litigation in Canada, plaintiffs' counsel often plead their claims in ways that could make a very broad swath of internal documents, policies, and information relating to previous breach incidents relevant in the discovery process. One would expect plaintiffs' counsel to request production of the 'breach file' in the course of discovery in a privacy breach litigation matter and to plead their cases to try to achieve this objective. This tactic is already prevalent in privacy breach litigation and class actions. This could be significant in the litigation (e.g. it may support claims of punitive or aggravated damages) and it may give rise to additional potential litigation. Pursuant to the regulations, organizations will be required to keep breach records for at least two years after the date on which a breach has been confirmed, which is the limitation period for bringing a civil action in most Canadian provinces. Accordingly, it is conceivable that if a plaintiff were to obtain discovery of a breach file and it reveals additional potential claims in relation to breaches (including breaches that did not result in notifications to individuals), the organization may face the risk of additional litigation in respect of those matters. (Alex Cameron et al, “Important New Rules for Mandatory Privacy Breach Notification, Reporting and Record Keeping in Canada” Fasken Martineau DuMoulin LLP (18 April 2018), online: <https://www.fasken.com/en/knowledgehub/2018/04/important-new-rules-for-mandatory-privacy-breach-notification>)
  11. An individual may make a complaint to the Commissioner, or the Commissioner may initiate a complaint against an organization, for contravening a provision of Division 1 or for not following a recommendation set out in Schedule 1. (PIPEDA, section 11) A complainant may, after receiving the Commissioner’s report or being notified under subsection 12.2(3) that the investigation of the complaint has been discontinued, apply to the Court for a hearing in respect of any matter in respect of which the complaint was made. A complainant may also apply to the Court for a hearing in respect of any matter that is referred to in the Commissioner’s report and that is referred to in the prescribed sections under section 14(1) of PIPEDA. (Office of the Privacy Commissioner of Canada, What you need to know about mandatory reporting of breaches of security safeguards (Consultation) (Ottawa: Office of the Privacy Commissioner of Canada, 2018))