Privacy, Data Security and Anti-Spam Compliance
March 29, 2017
Dan Michaluk
Dan Michaluk | daniel-michaluk@hicksmorley.com
Overview
• Privacy compliance
• Data security
• Anti-spam
Privacy Compliance
Commercial sector privacy legislation
• PIPEDA (federal)
• BC PIPA
• Alberta PIPA
• Manitoba PIPA
• Quebec Act
Privacy legislation in four bullet points
• Regulates flows of personal information – collection, use and
disclosure
• Flows must be authorized, for reasonable purpose and
necessary
• Accountability – structural, mandated openness, via access
• Reasonable data security – accuracy/integrity + protection
What’s new – PIPEDA now applies to applicants
• S-4 amendment changed the application provision of
PIPEDA – 4(1)(b)
• Now applies to “an applicant for employment”
• Creates new constraint on Bank screening processes
• OPC can judge if a collection and use is reasonable
• Beware of Mark’s Work Wearhouse in Alberta regarding
the use of credit profile information (P2010 IR 001)
What’s new – Guidance on investigations
• Can now share PI to investigate and to prevent breaches of law
• OPC issued warning in March 2017
• Carry out due diligence and exercise good judgement when
availing themselves of these exceptions
• Carefully consider each of the requirements explicitly outlined
in the provisions
• Take care to ensure the limits set out in these provisions are
respected
Data Security
The context
Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA (OPC guidance on the investigation exceptions)
The regulatory framework
• Privacy legislation
• Reasonable security
• Breach notification in Alberta and soon under
PIPEDA
• Bank Act and OSFI
• Securities and market participant regulation
The standard – Ashley Madison report
• Having documented security policies and procedures is
a basic organizational security safeguard
• Conducting regular and documented risk assessments
is an important organizational safeguard in and of itself
• Use multi-factor authentication for remote administrative
access
The standard – OSFI self-assessment guide
“Desirable properties
and characteristics of
cybersecurity practices”
in six areas
• Organization and resources
• Cyber risk and control assessment
• Situational awareness
• Threat and vulnerability risk
management
• Cybersecurity incident
management
• Cybersecurity governance
The standard – OSFI Guideline B-10 (Outsourcing)
• FRFIs (federally regulated financial institutions) are to
  • Evaluate the risks associated with all existing and proposed outsourcing
    arrangements;
  • Develop a process for determining the materiality of arrangements;
  • Implement a program for managing and monitoring risks, commensurate with
    the materiality of the arrangements;
  • Ensure that the board of directors, chief agent or principal officer receives
    information sufficient to enable them to discharge their duties under this
    Guideline; and
  • Refrain from outsourcing certain business activities to the external auditor
The standard – CSA Staff Notice 11-332
• CSA says, “Hey! This is important!”
• Refers to 13 documents as “useful”
• No one size fits all, but here are 11 very general
prescriptions – including on employee awareness,
incident response, vendor management
Notification – Under PIPEDA (Pending)
• Reasonable to believe a real risk of significant harm
• To individuals and to OPC as soon as feasible
• To other organizations and government if could reduce
risks or mitigate harm
• Record of all breaches of security safeguard to be kept
and provided to OPC on request
Notification – CSA Staff Notice 51-347
In considering whether and when to disclose a cyber security
incident, the issuer must determine whether it is a material
fact or material change that requires disclosure in
accordance with securities legislation… Materiality depends
on the contextual analysis of the cyber security incident.
While an isolated cyber attack may not be material, a series
of or frequent minor incidents may become material in light
of the level and type of disruption caused.
CASL
How CASL spam regulation works
• Everything’s a CEM – a commercial electronic message
– unless it isn’t
• Default – express consent to send a CEM
• Implied consent deemed in some circumstances
• Convey certain information in a CEM
• Provide and administer an opt out
CASL enforcement activity to date
• Compufinder (2015 notice of violation) - $1.1 million
• Porter (2015 undertaking) - $150,000
• Plentyoffish (2015 undertaking) - $200,000
• Rogers (2015 undertaking) - $48,000
• Blackstone Learning Corp (CRTC 2016-428) - $50,000
• William Rapanos (CRTC 2017-65) - $15,000
What’s new – Pending private right of action
• Implements (essentially) a private prosecution regime
• Three year limitation period
• Barred by pre-emptive regulator enforcement
• Order may be made
  • Compensation for special damage (if any)
  • Defined amounts per contravention
  • Orders guided by factors