In Canada, data protection and cybersecurity are governed by a complex legal and regulatory framework. Failure to understand this framework and take active steps to reduce risks (or the impact of such risks when they materialize) can have serious legal and financial consequences for an organization. Therefore, it is crucial for organizations that operate in Canada (in whole or in part), or that have business partners operating in Canada, to understand this rapidly evolving area of law and governance.
The following paper provides a brief overview of the evolving Canadian landscape governing data protection and cybersecurity. The purpose of this overview is to provide an introduction to the sources of law and governance that would impact organizational decision making with respect to the development of a plan to address cybersecurity risks. Specifically, this paper introduces the statutory framework of Canadian privacy and data management laws affecting cybersecurity, the regulatory and governance framework for certain regulated organizations and institutions and the current state of relevant common law. Following a brief review of the legal landscape, we provide recommendations on how to minimize the risk of cyber threats.
In the private sector, there are a number of statutes that require organizations to protect personal information within their possession or control. Of particular importance is the Personal Information Protection and Electronic Documents Act ("PIPEDA"),1 which is the Federal legislation that applies to protection of employee personal information by federally-regulated organizations (such as banks and telecommunications companies), as well as protection of personal information in the course of commercial activities in all jurisdictions that do not have substantially similar legislation.
Currently only Alberta,2 British Columbia3 and Quebec4 have substantially similar legislation. Such provincial legislation is applicable in place of PIPEDA, and contains implicit or explicit accountability and security obligations similar to the PIPEDA obligations outlined above (although only the Alberta legislation contains breach reporting requirements).5
PIPEDA contains a number of provisions applicable to data protection and cybersecurity, including:
- Organizations are responsible for personal information under their control and must designate an individual or individuals who are accountable for compliance with the principles set out in Schedule 1 of PIPEDA.6
- Personal information must be protected by security safeguards appropriate to the sensitivity of the information.7
- Security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, regardless of the format in which it is held.8
- The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.9
- The methods of protection should include (a) physical measures – e.g., locked filing cabinets and restricted access to offices; (b) organizational measures – e.g., security clearances and limiting access on a "need-to-know" basis; and (c) technological measures – e.g., the use of passwords and encryption.10
In June 2015, PIPEDA was amended to require that organizations notify the Office of the Privacy Commissioner of Canada (the "OPC") and affected individuals of a breach of security safeguards,11 if it is reasonable to believe in the circumstances that the breach poses a "real risk of significant harm"12 to the affected individuals. Also, organizations will be required to keep a record of all breaches. Knowingly failing to report or record a breach will be an offence punishable by fines of up to C$100,000. These new provisions have not yet come into force, but will become mandatory once the associated regulations have been enacted.
Other relevant statutory requirements/restrictions include:
- Almost every jurisdiction throughout Canada has specific legislation governing protection of personal health information that is collected,13 used or disclosed by health information custodians, as well as protection of personal information held by government bodies/institutions.14
- Certain provinces have also created statutory torts, pursuant to which individuals can bring a claim for breach of their privacy (without proof of damages).15
- Canada's Criminal
Code16 sets out the following offences:
- using a device willfully to intercept a private communication without the express or implied consent of the originators or intended recipient;17 and
- intercepting fraudulently and without colour of right any function of a computer system.18
- Canada's Anti-Spam Law
("CASL")19 contains provisions governing
software installation in the course of commercial activities,
including provisions aimed at viruses and spyware, including
- installation of computer programs on another person's computer system20 without the express consent of the owner or an authorized user of that system,
- causing a computer program to be installed without consent, and
- having installed a computer program, causing that program to communicate with other electronic devices without the consent of the owner or authorized user.
Finally, there are some sector-specific statutes that include provisions relevant to protection of personal information, such as provisions in the Bank Act21 that regulate use and disclosure of personal financial information by federally regulated financial institutions.
Regulatory and Governance Framework
The Office of the Superintendent of Financial Institutions ("OSFI") and the Canadian Securities Administrators ("CSA") each provide guidance to address the cybersecurity risks for organizations subject to their regulation.
1. OSFI Guidance
OSFI regulates Federally Regulated Financial Institutions ("FRFIs"), including banks, most insurance companies and federal pension plans. OSFI does not currently have in place regulations requiring specific actions by FRFIs with respect to cybersecurity. However, Guideline B-10: Outsourcing of Business Activities, Functions and Processes sets out OSFI's expectations with respect to technology-based outsourcing and informs of OSFI's expectations with respect to cybersecurity risk management.22
In 2013, OSFI released the Cybersecurity Self-Assessment Guidance for FRFIs to assess their level of preparedness and to assist in the implementation of useful cybersecurity practices.23 The template focuses on six categories for assessment: organization and resources; cyber risk and control assessment; situational awareness; threat and vulnerability risk management; cybersecurity incident management; and cybersecurity governance. In releasing the self-assessment guidance, OSFI indentified that it "expects FRFI Senior Management to review cyber risk management policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks". In addition, OSFI released Draft Guideline E-21: Operational Risk Management in August of 2015, which proposes that FRFIs develop a framework for operational risk management based on the following four principles:24
- Operational risk management should be fully integrated within the FRFIs overall risk management program and appropriately documented;
- Operational risk management serves to support the overall corporate governance structure of the FRFI.
- FRFIs should ensure effective accountability for operational risk management, by using, for instance, a 'three lines of defence' approach to separate the key practices of operational risk management and provide adequate independent overview and challenge; and
- FRFIs should ensure comprehensive identification and assessment of operational risk through the use of appropriate management tools.
2. CSA Guidance
The CSA is an umbrella organization of Canada's provincial and territorial securities regulators whose objective is to improve, coordinate and harmonize regulation of the Canadian capital markets. The CSA has recently identified cybersecurity as a major concern to the Canadian capital markets. On September 26, 2013, the CSA released CSA Staff Notice 11-326 titled "Cyber Security".25 The CSA emphasized the need for issuers, registrants and regulated entities to be aware of the challenges of cyber crime and take appropriate measures to safeguard themselves and their clients or stakeholders. In particular, the denial of service attacks and advanced persistent threats were identified as two major types of cyber threats that were increasing in frequency and sophistication.
In particular, in Staff Notice 11-326 the CSA suggested that:
- Issuers, registrants and regulated
entities who had not yet considered the risks of cyber crime, give
consideration to how best address the risks. Suggested steps
- Educating staff with respect to the importance of, and their role in, information and computer security.
- Following guidance and best practices from industry associations and recognized security organizations.
- Conducting regular third party vulnerability and security tests and assessments.
- Issuers, registrants and regulated entities who had already taken steps to address the issue, should review their cybersecurity risk control measures on a regular basis.
- Issuers should consider whether cyber crime risks, incidents, and related controls constitute matters that need to be disclosed in a prospectus or continuous disclosure filing.
- Registrants should consider whether risk management systems provide for management of cyber crime risks in accordance with prudent business practices.
- Regulated entities should consider the measures necessary to manage the risks of cyber crime.
Staff Notice 11-326 cautioned that the CSA "will consider these issues in its reviews of issuer disclosure and in its oversight of registrants and regulated entities."
The Common Law (Case Law)
In addition to the statutory and regulatory frameworks described above, there is an evolving body of case law in Canada that is developing in response to individual and class action claims related to privacy and data protection breaches.
For example, in January 2012, the Ontario Court of Appeal recognized a new tort of "Intrusion Upon Seclusion", whereby:
One who intentionally [or recklessly] intrudes, physically or otherwise, upon the seclusion of another or his [or her] private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.26
According to the Court, a central rationale for the recognition of this new cause of action was the unprecedented power of organizations to capture and store vast amounts of personal information using modern technology. Highly sensitive personal information can now be accessed and collated with relative ease, including financial and health information as well as data related to individuals' whereabouts, communications, shopping habits and more. The Court found that the common law must evolve in response to the modern technological environment.27
Intrusion upon seclusion now frequently forms part of the allegations in lawsuits involving unauthorized access to or disclosure of personal information. Some lawsuits have also included allegations of other privacy-related torts, which have not yet been officially recognized (but have also not yet been rejected) by Canadian courts. One such tort is "publicity given to private life", a cause of action which, in other jurisdictions, has generally involved situations where a person or organization publicizes a matter concerning the private life of another person, if the matter is of a kind that would be highly offensive to a reasonable person and it is not of legitimate concern to the public.
Lawsuits involving data breaches also include more traditional allegations, such as claims of negligence, breach of contract and statutory breach (e.g., breach of consumer protection legislation).
Although individual lawsuits related to data protection and cybersecurity are possible in Canada, the bigger concern for most organizations is the rise in class action lawsuits. In Canada these lawsuits tend to fall under three broad categories: (1) employee errors; (2) employee "snooping" and other misconduct; and (3) data breaches. Examples of each are set out below.
1. Employee Errors
Some examples of class action lawsuits that involved mistakes by one or more employees of an organization include:
- Class action lawsuits filed in several provinces following the loss of an unencrypted external hard drive containing sensitive personal information of approximately 583,000 individuals who participated in the Canada Student Loans Program, by an employee of Human Resources and Skills Development Canada.28
- Class action lawsuits filed in Ontario and British Columbia after a mailing was sent to approximately 40,000 individuals, which identified them as participants in a federal program for access to medical marihuana.29
Although some of these class actions have not yet been certified, and none of them have yet been decided on their merits, it is clear that plaintiffs are seeking to hold organizations accountable for mistakes made by employees.
2. Employee "Snooping" and other Misconduct
In addition to cases involving mistaken loss or disclosure of personal information, Canada has seen a number of class actions following intentional unauthorized access to or disclosure of personal information by employees. For example:
- In Newfoundland and Labrador a class action lawsuit was filed against the Health Authority after an employee allegedly accessed approximately 1,043 medical records without authorization;30
- In Ontario a class action has been filed alleging that employees of the Peterborough Regional Health Centre accessed patients' personal health information and distributed it to third parties without their consent;31 and
- In Ontario a class action was filed after a mortgage officer gave customers' confidential information to his girlfriend who then distributed it to persons who used it to commit identity theft and fraud.32
The above is just a sampling of the class actions that have been filed following employee "snooping" or other misconduct. The extent to which courts will hold organizations vicariously liable for this type of employee misconduct is still unsettled law in Canada.
3. Data breaches
Class action lawsuits were filed in 2014, in Quebec and Ontario, following data breaches affecting Target and Home Depot.33
More recently, in August 2015, class proceedings were commenced in Ontario following the high profile cyber attack targeting the dating website Ashley Madison. The plaintiffs have alleged that Ashley Madison's parent companies, Avid Dating and Avid Life, are liable to the representative plaintiff and class members for breach of contract, breach of Ontario's Consumer Protection Act,34 negligence, intrusion upon seclusion, breach of privacy, and publicity given to private life, and the plaintiffs are seeking general damages in the amount of $750 million dollars, special damages (including for mental distress, emotional upset, anguish, anxiety and depression) and punitive damages of $10 million dollars. The plaintiffs have alleged that Ashley Madison failed to exercise reasonable care or take reasonable or appropriate steps to safeguard member data before or after breach, failed to disclose the breach in a timely and transparent manner and made false representations, or breached contract, with respect to the companies' paid data deletion service.
Although this action is still at a very early stage, it will be useful to monitor this litigation to see whether and to what extent courts will hold organizations responsible for data breaches.
Reducing Legal Risk
Liability for insufficient or ineffective cybsersecurity practices can arise in a number of ways. Breaches of the various statutes discussed above may result in complaints filed by groups or individuals, as well as audits or investigations initiated by the relevant privacy commissioner or other regulatory body. Penalties under the various statutes vary, but can include substantial fines in some cases, as well as prosecution of individual offenders. In addition, the regulators can disclose the identity of organizations that are prosecuted or investigated, which can result in harm to the organization's reputation. Civil disputes respecting cybersecurity issues may result in lengthy and expensive class action litigation, potentially large damage awards or settlement costs, and significant reputational harm.
Therefore, organizations should conduct an audit of their existing cybersecurity status, including an evaluation of: (i) who and what is connected to their systems and networks; (ii) what is running on their systems and networks; and (iii) whether they have technology in place to prevent most breaches, rapidly detect breaches that do occur, and minimize the damage of such breaches (e.g., automatic shutdown when data leaks are detected).
Organizations should also take into account the advice of cybersecurity experts. For example, the Australian Government's Department of Defence (along with other cyber experts)35 has suggested the following four mitigation strategies, which it has found can significantly reduce the risk of a cyber intrusion:36
- Application whitelisting
- Timely patching of applications
- Timely patching of operating system
- Minimize administrative privileges
Still, despite an organization's best efforts, it is not possible to entirely eliminate the risk of a successful cyber attack. Therefore, organizations may wish to consider insurance options to mitigate the risk of financial loss as a result of cyber attacks.
With cyber attacks regularly featuring in headline news, and class action lawsuits proliferating at an alarming speed, all organizations would be well advised to consider the state of their "cyber hygiene" and takes steps to remedy any deficiencies.
Cybersecurity is an area that requires a multi-disciplinary approach, with input from a variety of experts. Therefore, a cyber audit will necessarily involve an evaluation of an organization's information technology systems, but must also include consideration of applicable legal and regulatory requirements as well as options to reduce or mitigate risks (including insurance options). Although this will require an initial investment of time and resources, organizations that fail to actively address cyber risk may be exposed to serious reputational, financial and legal repercussions if and when a data breach occurs.
1 Personal Information Protection and Electronic Documents Act, SC 2000, c 5
2 Personal Information Protection Act, SA 2003, c P-6.5.
3 Personal Information Protection Act, SBC 2003, c 63.
4 An Act respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1.
5 Manitoba has also passed The Personal Information Protection and Identity Theft Prevention Act, SM2013, C.17, but as at the date of writing this legislation was not yet in force.
6 PIPEDA Schedule 1, Article 4.1
7 PIPEDA Schedule 1, Article 4.7
8 PIPEDA Schedule 1, Article 4.7.1
9 PIPEDA Schedule 1, Article 4.7.2.
10 PIPEDA Schedule 1, Article 4.7.3.
11 "Breach of security safeguards" means "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in clause 4.7 of Schedule 1 or from failure to establish those safeguards. PIPEDA, s.2(1).
12 Defined to include "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. PIPEDA, s.10.1(7).
13 Every jurisdiction other than Prince Edward Island.
14 The Federal public sector legislation is the Privacy Act, RSC 1985, c P-21.
15 i.e., British Columbia, Manitoba, Newfoundland and Saskatchewan
16 An Act respecting the Criminal Law, R.S.C., 1985, c. C-46 (the "Criminal Code").
17 Criminal Code at s.184.
18 Ibid at s.342.1.
19 An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act. S.C. 2010, c. 23.
20 Broadly defined, and would include smartphones, tablets, desktops and laptops, wearable technology, and smart cars and appliances.
21 Bank Act, SC 1991, c 46 ("Bank Act").
26 Jones v. Tsige, 2012 ONCA 32.
28 See for example Condon v. Canada, 2015 FCA 159.
29 See for example John Doe and Suzie Jones v. Her Majesty the Queen., which includes the novel tort "publicity given to private life".
30 Hynes v. Western Regional Integrated Health Authority, 2014 CanLII 67125.
31 Hopkins v. Kay, 2014 ONSC 321.
32 Evans v. The Bank of Nova Scotia, 2014 ONSC 2135.
33 See, for example, Zuckerman c. Target Corporation, 2015 QCCS 1285 and Lozanski v. The Home Depot Inc., CV-14-51262400CP (Ont. Sup. Ct.).
34 Consumer Protection Act, 2002, S.O. 2002, c. 30, Sched. A.
35 These four mitigation strategies have also been emphasized by the Council on Cyber Security, in its paper "The Critical Security Controls for Effective Cyber Defense", as being amongst the "First Five Quick Wins" that will have the most immediate impact on preventing cyber attacks. See: http://www.counciloncybersecurity.org/critical-controls/reports/. The fifth "quick win" emphasized by the Council on Cyber Security is "use of standard, secure system configurations."
36 See http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm for more information on these mitigation strategies. These four mitigation strategies have also been emphasized by the Council on Cyber Security, in its paper "The Critical Security Controls for Effective Cyber Defense", as being amongst the "First Five Quick Wins" that will have the most immediate impact on preventing cyber attacks. See: http://www.counciloncybersecurity.org/critical-controls/reports/. The fifth "quick win" emphasized by the Council on Cyber Security is "use of standard, secure system configurations."
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2016