ONE | RISE IN PRIVACY CLASS-ACTION CERTIFICATIONS
New privacy torts have recently emerged in certain Canadian jurisdictions, including intrusion upon seclusion and publicity given to private life. Intrusion upon seclusion allows a plaintiff to sue if (1) a person has intentionally or recklessly invaded his/her private affairs without justification and (2) a reasonable person would view the invasion as highly offensive. In Ontario, damages of up to C$20,000 are available, even if the plaintiff suffered no economic harm. Publicity given to private life allows a plaintiff to sue for publication of private facts when there is no legitimate public interest. Courts are increasingly certifying class actions for such privacy claims, even absent proof of harm. We expect the number of privacy class actions to continue to grow given the increasing number of data breaches.
TWO | PENDING FEDERAL MANDATORY BREACH NOTIFICATION REQUIREMENTS
Currently, Alberta is the only Canadian jurisdiction that has mandatory requirements to report data breaches outside the health-care context. New mandatory breach notification provisions of the Personal Information Protection and Electronic Documents Act, the federal statute that applies to the collection, use and disclosure of personal information for commercial purposes, received Royal Assent on June 18, 2015. However, these provisions will not come into force until the supporting regulations are approved, which is expected to occur in 2016. Under them, an organization will be required to notify the Privacy Commissioner of Canada if there is a breach of data security involving personal information in the organization’s control that poses a “real risk of significant harm” to affected individuals. Organizations will also be required to notify government institutions and other organizations of the breach in certain circumstances, including when those other entities may be able to reduce or mitigate the risk of harm to the affected individuals. Additionally, organizations will have to keep records of all sufficiently serious data breaches, even those that do not meet the harm threshold. Knowingly failing to report or record a data breach is an offence punishable by a fine of up to C$100,000.
When the new notification duties become effective, the number of privacy class actions will inevitably increase, as more information about data breaches will be available to plaintiff class counsel.
THREE | BOARD AND MANAGEMENT AWARENESS AND INVOLVEMENT
The rash of recent high-profile cyber breaches, including that of Canadian-based AshleyMadison.com, has made cybersecurity a top concern for Canadian boards. Boards want to better understand not only their role in managing cyber risks in their organizations, but also their exposure for failing to do so. When there is a breach, shareholders and others may sue directors and officers directly for the breach. Under the Canada Business Corporations Act, directors and officers are required to exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances. As a result, Canadian boards are increasingly trying to determine how to provide effective oversight of cyber risks within their organizations. Questions that Canadian boards are frequently asking relate to the board’s role in ensuring that effective governance structures for managing cyber risks are established, top-level security and privacy policies are put in place, security programs are implemented and regularly assessed, and security incident response protocols are established and regularly tested.
FOUR | THIRD-PARTY SERVICE PROVIDERS
It is no longer sufficient for organizations to focus only on the security of their own internal networks. As a result of cloud computing, data is increasingly in the custody of third-party service providers. Recognizing the risks posed by working with external providers, Canadian organizations are taking steps to better understand their external providers’ security practices and business continuity programs. Pre-engagement security assessments are already common for organizations that entrust sensitive data to external providers; consistent with information security management industry standards, the trend is now moving toward regular security assessments conducted throughout the term of the engagement.
An organization should consider imposing information security obligations in its contract with an external provider, where the provider has custody of the organization’s sensitive data or where the provider’s network “connects” to the organization’s network. Careful thought should be given to the appropriate security controls to apply to the provider, which may include a requirement for the provider to comply with one or more (or a combination) of the organization’s own security policies, the provider’s security policies and/or applicable ISO or other industry security standards. Rights to conduct security audits or assessments of the provider’s operations and receive audit reports or other regular reporting on security events from the provider should also be considered and spelled out in the contract. The contract with the provider should also specifically address how security breaches suffered by the provider should be reported, handled and managed. Of course, the contract should include sufficient provider obligations to enable the organization to comply with its data breach notifications and any other privacy and security obligations under applicable laws. Liability for data breaches should be allocated between the organization and the provider.
An organization should also consider whether a provider should be required to purchase cyber-liability insurance (if practicable) and whether the organization itself should obtain additional coverage to further mitigate its cyber-risk exposure.