Privacy and Cybersecurity Bulletin

Cybersecurity is on everyone's lips as dawn breaks on the new decade. Cyberattacks are becoming more and more frequent, complex and costly for organizations. In parallel, it is widely expected that PIPEDA will be substantially revised in 2020 and Quebec's privacy landscape will soon be reinvigorated as the bill aimed at reforming its legislative framework is to be introduced.

In addition to legislative amendments regulating mandatory reporting of breach of security safeguards and cybersecurity incidents, self-regulatory efforts are being made in several specific industries. However, adoption of such self-regulation standards, although being considered by many as advantageous because of their ease to adapt to ever-changing technological trends, entails challenges for organizations which need to be clear on their obligations. Indeed, there is not necessarily equivalence between these non-statutory, self-regulation standards and the legislative requirements in place, hence the interest for organizations to be well informed.

Different requirements for IIROC Dealer Members

After making cybersecurity a priority in their 2016-2019 Strategic Plan(PDF), the Canadian Securities Administrators (the "CSA") approved on November 14, 2019 certain amendments to Rules 3100 and 3703 of the Dealer Member Rules (the "Rules") of the Investment Industry Regulatory Organization of Canada ("IIROC"). These amended rules, which came into force on the same date, impose, among other things, mandatory reporting of "cybersecurity incidents" affecting IIROC-regulated dealers and investment firms (the "Dealer Members").

IIROC is a national self-regulatory organization whose primary function is to oversee Canadian investment dealers and firms, equity and debt trading activities as well as debt securities markets in Canada. It operates under Recognition Orders from the CSA, which is the umbrella for Canada's provincial and territorial securities regulators such as the Autorité des Marché Financiers, financial markets watchdog for the province of Quebec.

Circumstances triggering the reporting obligations as well as the formalities required in order to comply with the amended Rules differ very significantly from the privacy-specific obligations set out in the Personal Information and Electronic Documents Act1 . It is therefore essential for Dealer Members to be prepared to respond to cybersecurity incidents in accordance with these new requirements, in addition to those already in place.

(a) Circumstances and "cybersecurity incidents" triggering the obligation to report to IIROC

The amended text of the Rules defines the concept of "cybersecurity incident" as including "any act to gain unauthorized access to, disrupt or misuse a Dealer Member's information system or information stored therein" [2], which must, or has reasonable likelihood to:

  • cause substantial harm to any person;
  • have a material impact on any part of the normal operations of the Dealer Member;
  • invoke the Dealer Member's continuity plan or disaster recovery plan; or
  • require such Dealer Member, in accordance with applicable laws, to provide notice to any government body, securities regulatory authority or other self-regulatory organization.

(b) IIROC reporting requirements

Dealer Members experiencing a "cybersecurity incident" must initially report such incident in writing to IIROC within three days from discovering such incident, which report must at least include:

  • a description of the cybersecurity incident;
  • the date on which, or time period during which, the cybersecurity incident occurred and the date on which it was discovered by the Dealer Member;
  • a preliminary assessment of the cybersecurity incident, including the risk of harm to any person and/or the impact it may have on the operations of the Dealer Member;
  • a description of the immediate incident response steps the Dealer Member has taken to mitigate the risk of harm to persons and impact on its operations; and
  • the name and contact information of an individual who can answer, on behalf of the Dealer Member, any of IIROC's follow-up questions regarding the cybersecurity incident.

Dealer Members facing a cybersecurity incident are also required, within 30 days of the discovery of such incident, to provide a written investigation report on the events. However, if such Dealer Member ends up concluding that no "cybersecurity incident" has occurred, and despite transmission of an initial report, it is not required to prepare an investigation report. Affected Dealer Members may also request additional time to submit the investigation report by notifying IIROC. The latter acknowledges that, depending on the gravity and complexity of the "cybersecurity incident", an investigation may extend well beyond the 30-day deadline. Where the investigation report is required, it must include the following information:

  • a description of the cause of the cybersecurity incident;
  • an assessment of the scope of the cybersecurity incident, including the number of persons harmed and the impact on the operations of the Dealer Member;
  • a detailed description of the steps taken by the Dealer Member to mitigate the risk of harm to persons and the impact on its operations;
  • a detailed description of the steps taken by the Dealer Member to remediate any harm to any persons; and
  • the steps the Dealer Member has or will take to improve its cybersecurity incident preparedness.

Comparative analysis: How many rules apply in Canada?

The aforementioned mandatory reporting of cybersecurity incident, although distinguished by its two-step process, adds to a series of other reporting mechanisms implemented over the past two years by different legislative, governmental or self-regulatory authorities. Although these various mechanisms have distinct scopes of application and do not necessarily serve the same purposes (ensuring privacy, financial markets' integrity, etc.), this does not prevent them to be cumulatively triggered upon the same given situation.

Therefore, Canadian organizations are now facing a regulatory mosaic composed of many distinct reporting mechanisms, with various scopes and requirements regarding both the form and the substance of documents to be provided to different authorities. The comparative table below summarizes five of them to which Canadian organizations may be subject, although there are a range of additional requirements which exist in Canada, including pursuant to health privacy laws and other laws.

IIROC - Dealer Member Rules

OSFI - Advance notice of Technology and Cyber Security Incident Reporting

Personal Information and Electronic Documents Act, CA 2000, c. 5

Personal Information Protection Act (Alberta), SA 2003, c P-6.5

General Data Protection Regulation (EU 2016/679)

Effective Date

November 14, 2019

March 31, 2019

November 1, 2018

November 26, 2009

May 25, 2018

Organizations to which reporting obligations apply

All IIROC regulated investment firms and dealers.

All federally regulated financial institutions ("FRFI"), including banks, federally regulated trust companies and insurance companies.

All organizations that collect, use or disclose personal information in the course of commercial activities, excluding federal institutions subject to the Privacy Act (RSC 1985, c P-21).

All provincially regulated private sector organizations and businesses operating within the jurisdiction of the Province of Alberta and, in some cases, not-for-profit organizations located within this province.

Extraterritorial application to any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, relating to (a) the offering of goods or services to data subjects in the European Union ("EU"), whether a payment by the data subject is required or not; (b) the monitoring of their behaviour as far as such behaviour takes place within the EU.

Nature and definition of the information that must be protected

Any information stored in a Dealer Member's information system.

Operational or customer data of any FRFI.

"Personal information", which is any information about an identifiable individual, regardless of the medium or format.

"Personal information", which is any information about an identifiable individual, regardless of the medium or format.

"Personal data", i.e. any information relating to an identified or identifiable natural person ("data subject"), whatever the medium or format

Triggering incident

A "cybersecurity incident", i.e. any act to gain unauthorized access to, disrupt or misuse a Dealer Member's information system or information stored therein.

A technology or cybersecurity incident that could have a significant impact on a FRFI's normal operations, including the confidentiality, integrity or availability of its systems or information, which FRFI considers to be of a high or critical severity level should be reported to OSFI. Incident materiality

"[A] breach of security safeguards involving personal information under the control of an organization".

An incident involving the loss, unauthorized access or disclosure of personal information under the control of an organization.

A personal data breach.

Criteria for reporting

Must, or has reasonable likelihood to cause:

· Substantial harm to any person;

· Material impact on any part of the normal operations of the Dealer Member

· Initiation of the Dealer Member's continuity plan or disaster recovery plan; or

· Initiation of the obligation for the affected Dealer Member, in accordance with applicable laws, to notify a government body, securities regulator or other self-regulatory organization.

· Significant operational impact on information systems or key/critical data;

· Material impact on FRFI operational or customer data, including confidentiality, integrity or availability of such data;

· Significant operational impact for internal users, which is important for customers or business operations;

· Significant levels of system or service interruptions;

· Prolonged disruptions of critical business systems/operations;

· The number of external clients affected is significant or growing;

· Negative impact on reputation is imminent (e.g., public or media disclosure);

· Significant impact on critical deadlines/obligations in financial market settlement or payment systems;

· Significant impact on a third party considered important to the FRFI;

· Significant consequences for other FRFIs or the Canadian financial system; or

· An FRFI incident has been reported to the Office of the Privacy Commissioner or to local or foreign regulatory authorities;

When it is reasonable in the circumstances to believe that the breach will create a "real risk of significant harm" to individuals. T

The notion of "significant harm" is broadly interpreted, including a wide range of situations such as bodily harm, humiliation, damage to reputation or relationships, financial loss, identity theft, negative impact on credit history, damage to or loss of property, and loss of employment opportunities or business or professional activities.

Notice to the Commissioner:

· where a reasonable person would consider that there is a real risk of significant harm to a person as a result of the incident.

Notice to the individuals concerned:

· where a reasonable person would consider that there is a real risk of significant harm to a person as a result of the incident; and

· the Commissioner, once notified, so requests.

If the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.

Who to report to?

Investment Industry Regulatory Organization of Canada ("IIROC")

Office of the Superintendent of Financial Institutions ("OSFI")

· Office of the Privacy Commissioner of Canada; and

· Any individual to whom there is a real risk of "significant harm" as a result of the incident.

· Information and Privacy Commissioner of Alberta (the "Commissioner"); and

· Any individual to whom there is a real risk of significant harm as a result of the incident.

· Competent supervisory authority specific to each Member State (CNIL, ICO, etc.); and

· Any person to whom the breached personal data is relating ("data subject").

Reporting delay

Within three calendar days of the discovery of the incident.

As soon as possible, and no later than 72 hours after determining that the incident should be reported.

"As soon as feasible" after the organization has concluded that the breach has occurred.

"Without unreasonable delay".

Notification to the competent supervisory authority:

· Without undue delay and where feasible, not later than 72 hours after having become aware of it. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Notice to the data subject:

· Without undue delay..

Particularities

Two-step reporting. In addition, the Dealer Member who is the victim of the cyber security incident must, within 30 calendar days of the discovery of the incident, provide a written investigation report on the events.

OSFI expects that FRFIs will provide subsequent updates on a regular basis (e. g. daily) as new information becomes available and until all relevant details of the incident have been provided to OSFI. OSFI may request an FRFI to change the method and frequency of updates.

Organizations that discover a breach of security safeguards must keep and maintain a record of all such breaches, whether or not they conclude from their situation analysis that the breach poses a "real risk of serious harm".

The controller must document any violation of personal data, indicating the facts concerning the violation of personal data, its effects and the measures taken to remedy it. The documentation thus compiled shall enable the supervisory authority to verify compliance with this Article.

Footnotes

1 S.C. 2000, c. 5.

2 Dealer Member Rules, Rule 3100, para. I B. 1.1

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.