This seminar is part of the 2016 Gowling WLG Risk to Reward series, designed to address the most important legal, regulatory and corporate risks facing your organization.

To view the video click here.

More on-demand seminars in this series:

About this seminar

This overview of privacy and cybersecurity requirements will assist you in identifying vulnerabilities, while offering practical advice to promote effective compliance in your organization.

Rebecca Perry from Jordan Lawrence, a U.S. risk assessment company, will be joining us to discuss customized solutions for the identification of cybersecurity and privacy risks within an organization. Wendy Wagner of Gowling WLG, presents on how this data interacts with a privacy compliance program from the perspective of legal compliance with Canada, particularly in view of heightened privacy obligations such as mandatory breach reporting under PIPEDA.

This program counts for up to 1 hour of substantive credits towards the mandatory CPD requirements of the LSUC.


Full transcript

Todd: Good morning everyone. Welcome to the third seminar in our “Risk to Reward” series. My name is Todd Burke. I’m a commercial litigation partner here at Gowling WLG. Our topic today is privacy and cyber security. A topic which consistently ranks as one of the top concerns for executives in both the public and private sector. The seminar today will look at current and emerging risk and will take a considerable amount of time looking at preventative steps your organization can take. Our first speaker is Wendy Wagner, who is the leader of our firm’s privacy and information management group. Her practice focuses on privacy, access to information and defamation. Whether it’s managing a data breach or creating a privacy compliance plan, Wendy brings a considerable amount of experience, and a very practical perspective. Our second speaker is Rebecca Perry, who is the Director of Professional Services at a firm called Jordan Lawrence. Jordan Lawrence is a leading solution provider for records retention, data privacy and information governance solutions. We are very happy to be partnering with Jordan Lawrence in providing privacy solutions to our clients. Rebecca comes to us today from St. Louis and is a certified privacy professional who is a frequent speaker in the legal and privacy communities. We are very happy she has traveled to join us here today.

Rebecca: Thank you for having me.

Todd: As I look in the audience there are some folks from DMS Canada here, which is an insurance brokerage who does a lot of work in the cyber security area, so if you have questions about insurance they are here are as well and will be able to assist you in that regard. With that I want to cede the floor to Wendy and thank you very much for coming.

Wendy: Thanks Todd and welcome everyone. I don’t want to spend a lot of time. I want to give the floor to Rebecca quite quickly but before Rebecca describes how her organization views data security and the risks and assesses these risks, I just want to spend a few minutes on the legal landscape for privacy in Canada, and some of the recent development, and how those developments affect compliance. I’m going to come back to that at the end of my presentation as well.

Just a few words on the regulatory framework. From the private sector perspective we have PIPEDA which governs collection use and disclosure of information by the private sector in the course of commercial activities. It governs in all Provinces except for Alberta, BC and Quebec, which all have their own substantially similar legislation. In those Provinces that legislation also governs what you do with your employees’ personal information. That’s also true of PIPEDA but only for federal works, businesses and undertakings. So, federally regulated organizations. Some of you are from the public sector so, of course, you’ll know that the Privacy Act governs your activities and then, of course, there’s health specific legislation as well. It’s important to recognize that for companies operating across Canada, or cross sectorally, you may be subject to several different pieces of privacy legislation.

There were some recent amendments to PIPEDA through the Digital Privacy Act and I’m not going to go through them all. They’re interesting amendments because in some senses they provide more room or scope for companies to disclose information without consent. They have added a specific exception for disclosure of information in the context of a sale of a business or those types of business transactions. They have some exceptions that are codified for disclosure of information in the context of law enforcement so there are some further exceptions built in. But at the same time there are aspects of the amendments that make the privacy regime more rigorous and, in fact, our federal Privacy Commissioner has for a long time wanted to make the privacy regime more rigorous and has fought hard for amendments to do that. PIPEDA is, as you’ll know like most of the privacy legislation in Canada, a consent based regime. Collection use and disclosure and use of personal information is based on the consent of the data subject. That consent does not always have to be expressly obtained. You’re not always talking about a situation where you need someone to manifest their consent in an express way. Consent can be implied. But the basis of the legislation is knowledgeable consent. It’s a concept that someone cannot really consent, whether by just handing over their information or by giving express or manifest consent, unless they know what they are consenting to. How, as an organization, are you going to be, or what purposes are you collecting that information, how are you going to use that information, to whom are you going to disclose that information or transfer it in the context of a service provider? One of the recent amendments to PIPEDA has made what is considered to be reasonable and knowledgeable consent more explicit. The standard for consent has changed and you can see that it’s now stated that consent is only valid if it’s reasonable to expect that an individual, to whom the organization’s activities are directed, would understand the nature, purpose and consequences of the collection, use and disclosure of the personal information to which they are consenting. Now how this will play into what Rebecca’s organization does, and what she is going to tell you about, is that you cannot possibly ensure that you have obtained knowledgeable consent if you, as an organization, do not know what personal information it is that you’re collecting, the universe of that information, and how you intend to use it and to whom you are transferring it, or to whom you are disclosing it. That’s just a fundamental basis for ensuring that the consent that you have is actually knowledgeable and you are able to transmit to the outside world the information that they need to actually provide you with appropriate consent. I’m going to come back, after Rebecca has had an opportunity to tell you about what her organization does, and talk about one of the other changes to PIPEDA, which is the mandatory breach reporting, which hasn’t come into force yet but will in fairly short order.

Now, just turning to the legal risks and due diligence obligations, PIPEDA has often been seen, as I indicated, as somewhat enforcement like. The Privacy Commissioner does not have a robust enforcement regime built into PIPDEA, although we’ll see that’s changing bit by bit in terms of the breach reporting, there will be penalties for failure to meet those obligations. How the system works under PIPEDA is that if the Commissioner investigates and a complaint is found to be well founded then the complainant can take that decision and take it to federal court and attempt to get it enforced in federal court. But even in that context the remedies that have been imposed have been fairly modest although it’s always quite expensive to just have to defend a court proceeding. One of the things that’s in its infancy in Canada, but is sort of new to the privacy landscape, is the initiation of several privacy class actions. While none have proceeded through to a decision, there are a good ten or twelve across Canada that have been initiated, both against private sector companies and against the public sector. Those have been certified so they’re at the stage where at least the courts have said that the Plaintiffs have stated a cause of action, a known cause of action. Those causes of action have been based on breach of privacy, based on statutory tort, so a failure to comply with the statute essentially. Common law tort, there’s been the emergence of new common law torts in Canada, intrusion upon seclusion, and more recently publication of private facts. That’s a new emergence. Also negligence. Negligence raises the issue of what’s the standard of care for privacy protection. If you are subject to a law suit what will be considered to be the standard of care that your organization had to meet for the protection of privacy? You can see from what Plaintiffs have pleaded that they are pleading things such as the failure to create policies, the failure to prevent unauthorized access, the failure to take safeguard measures, such as encryption of data. In the case of a breach, failure to disclose the loss in a timely fashion so that people can take mitigating steps to address the breach. Failure to have adequate data security measures and failure to monitor and assess and audit and update those measures. Those are all the types of due diligence tasks that Rebecca is going to be speaking about when I turn the mic over to her now.

Rebecca: All right. For my portion of this we’re talking about being proactive, mitigating risks, and at the end of the day companies can’t prevent all bad things from happening, right? But what the courts are going to look at is did your organization do enough to prevent something bad from happening. We’re going to talk about those proactive steps that you can take to mitigate those risks. I wanted to start with this headline from the “Wall Street Journal”. This was an article that was published in December of last year and the headline is “Employee error leading cause of data breach”. I think for many organizations this is probably a blind spot for your organization. This is what’s keeping your CIO’s, CISO’s, Chief Information Security Officers, up at night. Employees essentially are the weakest link when it comes to privacy and cyber security and protecting your sensitive data. If we look at here, on the next slide, you need to be concerned about those cunning hackers, of course, and most organizations are doing the technical things that they need to be doing. To sort of illustrate this just a bit further, it’s your own employees, sweet Grace from accounting, and if you’re from my generation you’re probably familiar with “Ferris Bueller’s Day Off”. Usually gets a laugh, maybe not today. When you think about your employees, and they’re handling information, the number one cause of data breach are loss of information. I know we have someone from an insurance provider here. AIG is also one of the largest cyber insurance providers. Their number one cause of data breach for a cyber insurance claim is actually lost laptop, lost mobile device. When you think about privacy and cyber security don’t forget about your own internal controls that go along with that.

From the “Wall Street Journal” the new survey was actually taken from the ACC’s State of Cyber Security Report. Do we have any ACC members in the room or in house counsel that belong to that organization? It’s a terrific resource. There’s a download of free summary of this report and I would encourage you guys to go and look at this because it does touch on some of the top issues that corporate counsel are concerned about when it comes to these issues. I wanted to take just a couple of headlines from this and these are from in house counsel that participated in this survey. These were their most important things you wish you would have known before a breach. I think this is so telling because these were essentially things that they hadn’t really thought about or prepared for. Let me just take a look here. Employee negligence, which we touched on. It’s not just those cunning hackers that can cause a breach. The use of unencrypted devices across the organization. So, thumb drives, things like that. The amount of personal information that’s being shared via email. Those are types of things that we help organizations uncover. Where is sensitive information? How is that being used? What are employees doing with that information? The fact that this is an enterprise wide responsibility, this is not just IT’s issues, this risk management, compliance, legal. The amount of personal information that’s saved on shared drives, when I sit down with corporate counsel and CEO’s and CIO’s and share with them all of the different locations where we have identified employees are saving sensitive information, their jaw drops typically. It’s quite amazing. Also understanding a full mapping, this sort of points to what Wendy said, where do you have sensitive information? Understanding how information is being used across the organization, how it’s being shared, what are the systems that are being managed, all of that is critical to understanding and managing and ultimately mitigating that risk.

Also from this report, I thought that this was interesting because I think retail tends to make the headlines whenever there is typically a breach in insurance and health care providers, but when we look at this what I found interesting is that manufacturing, when you look at the number of data breaches, manufacturing had more data breaches than retailers. So, really regardless of industry this should be of a concern to your organization. You may not have potentially customer credit card information but you all have employees and sensitive employee information. This really affects everyone and I think the saying is it’s really not a matter of if but when. When a company has a breach what sort of story are you going to be able to tell in terms of what you did to mitigate that risk?

What we’re really going to transition to is what are some reasonable steps. We’ve kind of looked at what corporate counsel, what they wished they would’ve known before the breach, and sort of highlighted some of the vulnerabilities, the biggest risk are your employees. What can you do as an organization? What are pragmatic steps you can take to begin to understand this risk, mitigate those risks and insulate your company should you have a data breach. I guess we did talk about the bogeyman, right? What should companies be doing now? I think an ounce of prevention is worth a pound of cure. Unfortunately many organizations don’t realize this until something bad happens and they wish they would have gone back and done those preventative steps. I think we can go ahead and move on.

One of the things that we’re going to talk about and I’ve highlighted the fact that employees are you’re weakest link. That’s what keeps your CIO’s, your CISO’s up at night. One of the suggestions in the “State of Cyber Security Report” is that companies should do an annual risk assessment across the entire organization. Understand what policies you have in place. What are the policies that you have in place? What are the controls that you have in place? Management believes one thing is happening because it’s written on the policy but what’s really happening across the organization? What are your employees doing? Do they understand those policies? Are department managers aware of those policies and are they ensuring that their employees are following those policies as well? It’s critical to understand those gaps. That is an area that we help companies tackle, is to do an annual risk assessment very rapidly across the organization, very little disruption to the business. This is an example of some of the things that we’ve helped companies uncover. This is actually a retailer that we worked with last year. They had an information security policy. They had a records retention policy which is a key component of good data protection and information governance, but as you can see, not everyone was aware that that the policy even existed, and for those folks that said, “Yes, I’m aware of a policy” we asked them, “When was the last time you were trained on that policy?” That’s critical. If you have a policy but you can’t demonstrate that that policy is consistently enforced, that employees are made aware and that they’re trained on that policy, that’s a gap. That’s something that’s actually quite easy to fix. That is one of the key components that’s talked about in this report, train your employees, track that training. As far as the records retention policy, the one thing I’ll point out here, is you can see a lot of awareness of this policy but employees were still not throwing obsolete records and information away. If you talk to companies like Sony, who had a breach that was made very public and I think it was their second one, old emails came back to haunt them. Things that they didn’t need to have around and caused a lot of embarrassment for their organization.

When we look at some of the other things that we uncover we talk about the human risk factor. What are employees doing? In this illustration we have a firewall, right? That’s your line of defense to prevent the bad guys from coming in but the reality is employees are walking out with information. They’re emailing things outside the firewall. They’re saving things to laptops and walking out the door. We had some statistics that went along with that. For this particular retailer that we worked with 18% were saving to cloud storage. This was outside of what IT was actually aware of. Things like Dropbox employees were using. 20% saved flash drives or other types of mobile types of devices and what was interesting here is in the policy that this client had, they identified they don’t even allow flash drives. This got the attention of the general counsel and the CIO and that’s something that they corrected very quickly. Obviously we talked about lost laptops, one of the number one cyber insurance claims. 84% of their employees are saving some type of sensitive information about customers and employees to laptops. That happens so often where employees with appropriate credentials to systems like your HR system, payroll systems, take that information and save it down to a laptop, that laptop’s lost, stolen, left in airport, whatever it might be. That’s internal, looking at your policies, looking at your practices and understanding where you have gaps, so that you can address those and be proactive in mitigating those risks.

This next piece is sort of a deeper dive in understanding where sensitive information exists and really mapping out where you have information. There is sort of an illustration here, hopefully you can see it okay, on where your information is. We help companies do this in about 45 days and we’ve done this for large global organizations. We do it all remotely via the web so we don’t deploy consultants, necessarily, to go out and have face to face interviews. But we help companies very rapidly understand and map out their information from what types of records and information do we have? What are we doing with that information? Are we saving it to laptops? Are we saving it to shared drives? What are the applications that are supporting that information? Also intelligence about what are the regulatory requirements to retain that information. When can we get rid of it? When has it met our business and legal obligations? Also the specific types of sensitive information that records contain. Not just that it contains PII but it contains social insurance numbers, driver licence numbers, credit card numbers, understanding the different types of records. When you think about where am I going to get that information, at the end of the day, it’s your employees that understand the records and the information that they work with. You have to go to those employees. We typically work with one or two business representatives from each department of an organization to collect that information. But we start with what makes sense to them because if you ask an employee, “Do you have any PII?” they don’t even know what you’re talking about. We start with something that they understand and that’s the types of records that your department works with. Jordan Lawrence has been helping companies for about 30 years now get their arms around their records and information practices. We’ve developed a terrific set of standards in terms of what are the types of records a manufacturer or a retailer would have, just as an example. So we present a list that’s based on their industry but also based on their department functions. So if they work in HR they’re going to be presented with a list of records that they typically would work with. They identify those records and then they share with us information about what they’re doing with that information. So, where is it? Where are you saving it? I love this graphic because this is so true, right? This is the reality of where we live. Information moves and employees are making decisions everyday about where they’re going to put sensitive information across the organization. It’s in the cloud, it’s in email, it’s sitting on the shared drives. You have to understand what are they doing with that information so that you can begin to mitigate and remediate redundancies.

Once we collect that information from the organization we’re able to benchmark them against their peers. This really gets the attention of corporate counsel, the CIO’s and when we’re able to share with them how much they’re over retaining information compared to their peers, it really lights a fire under them to get serious about getting rid of old obsolete information that’s not business and regulatory requirements. The thing here is when you look at 71%, in this particular case for this retailer, they were over retaining information. 48% of that was tagged with some type of sensitive information that they shouldn’t have been holding on to so that’s a risk. That’s an area that we can pinpoint and help our clients put in place a plan to remediate that information. So we touched on this, at the end of the day, it comes down to your employees. The human risk factor or we could call it the human firewall. Sort of another good way to put that. We have to ensure that you’re training your employees regularly, that you’re tracking that and that they understand those policies. We can’t prevent, again, everything bad from happening but we can position your organization to show that you’ve done your due diligence, you’ve met those obligations to train your employees and protect that information.

Another area of risk are third party providers. Probably next to employees third parties pose a great risk to your organization. Anyone familiar with the Target breach? If you’ve looked into that the source of that particular breach it was actually a third party provider. It was what I think Target would consider a low risk vendor. It was an HVAC electrical contractor. What’s interesting, when you dive a little deeper into that, it was actually an employee that clicked on a link that sort of unleashed the malware that infected Target with that breach. Companies need to also demonstrate that they’ve done their due diligence with their third party providers. In the “State of Cyber Security Report” it talks about at least assessing your vendors annually in terms of understanding what are the controls they have in place, how are they protecting information, what are the policies that they have in place, how are they training their employees as well. And then another piece of this is actually understanding the contracts. A lot of the agreements that you may have with third party providers were put in place long before cyber security was an executive or CEIO’s level issue. So going back and looking at that, and Wendy can probably talk to that a bit more, is looking at those agreements to see is your company protected.

Wendy: I thought the interesting thing when Rebecca and I were having dinner last night, as many of you will know, it’s actually a legal obligation in Canada to contractually obligate your vendor’s to provide the same level of protection that you provide and the protection that you’re obligated to provide by the legislation. When we do up contractual clauses, we often put in some form of audit or assessment right within those contracts, but although we put that language in I have actually never heard of one of our clients actually using that audit provision to audit, or assess their vendors or their suppliers, to ensure that they’re actually abiding by those contractual obligations. The rights are there, we make sure they’re there, but how often they’re being used I think is probably pretty infrequent.

Rebecca: So we really help organizations very quickly assess their third party providers and provide the visibility for legal, privacy compliance and risk, to look at and dial into the risks that those third party vendors may pose. In fact, I think I have an example here, of a heat map that demonstrates as you look across the different vendors, and this is just one vendor, Cleveland Enterprises we picked on here, but down at the bottom we’re able to heat map and dial into specific issues that this vendor, when they completed their assessment, posed a risk to the organization. Whether it’s information security or acquisition, access controls, but you’re able to very quickly dial into what are the risks here and then take steps, whether it’s contractually to mitigate those risks as well.

Wendy: And again, even the fact of having done the audit and assessment and having exercised those rights, plays into the whole due diligence piece of this. As Rebecca stated, you cannot prevent every single risk, but at least you can take the measures that you ought to have taken to prevent the risk which is going to play out well if the inevitable does happen.

Rebecca: Just to sort of wrap up my piece here we started with what do you wish you would have known before a breach? This sort of illustrates what are the most important learning’s. So again, from corporate counsel, what did you learn after the dust settled, essentially, after that breach? Training, we’ve touched on that. This is just sort of a bookend to this. Doing an external assessment every 12 months for your organization. Ensuring that you’re taking those steps. Information governance in terms of do we have good controls in place to manage our records and information? Are we disposing of things that we don’t need in a consistent manner and can we demonstrate that? A review of cyber insurance to help mitigate or manage some of that risk. Test your vendors rigorously and regularly. So again, the recommendation is what we would call a tier one or high risk vendor, you should be checking in on them at least once a year. For other vendors that may sort of be a lower risk, and again I gave you the example of the HVAC vendor being a lower risk but they were the cause of the breach, you should be checking in on them at least every 2 or 3 years. But you have to know your vendors first and be able to assess them. Ensuring that cyber security is being presented and talked about in orderly board meetings so if you have a representative from legal, from IT security, that can fill that role. I thought this was interesting too, the communication between legal and IT about your third party providers. Having a good process in place to understand what are the vendors that you have. That I think really speaks to what are the proactive steps, the due diligence, that organizations should be doing and hopefully some of the examples that I gave you give you ideas on how you can mitigate those risks in your organization.

Wendy: Okay, back to legal. As we’ve been discussing, no matter how many steps you take to ensure due diligence, which you should of course be doing, that does not mean that you can prevent every breach from happening. Anyone who follows the news is aware of just how frequently privacy breaches occur. In our practice we deal with it all the time. It’s not an unusual occurrence at all. Coming back to the Digital Privacy Act, right now in Canada, the only private sector privacy legislation that has mandatory breach reporting is Alberta. In the health sector there is some mandatory breach reporting. Public organizations have specific obligations in that respect but the Digital Privacy Act will bring in mandatory breach notification for organizations subject to PIPEDA. Even before that mandatory breach notification was in place, if a privacy breach occurs today and you are an organization subject to PIPEDA, just because there’s not mandatory recording to the Commissioner and affected individuals, does not mean that you would not notify affected individuals and potentially, voluntarily, notify the Privacy Commissioner. Because, of course, if you don’t take the appropriate steps in the event of a breach then a complaint will be made to the Privacy Commissioner, in any event, and they can investigate that and they can issue a decision that either says that that complaint is well founded or not. The federal Privacy Commissioner has for a long time had a set of recommended best practices in the event of a privacy breach and does accept voluntary notifications as well, because as you can imagine, if something happens and people are unhappy about that, usually the first step they take is to complain to the Privacy Commissioner. Sometimes it’s good for them to have a heads up that you had this occur within your organization, and that you have taken appropriate steps, so that if they get that type of complaint everyone is sort of on the same page and already knows what’s happening. The key steps in terms of responding, of course the first thing you do, is find out the source of the breach and contain it. There is lots of instances where companies or other organizations find out about a breach and it is ongoing. They are losing the data as they investigate. That’s absolutely the first thing that needs to be done. In terms of evaluating the risk that’s going back to finding out what is the affected data. Some types of personal information are obviously more sensitive than others. There’s been a lot of breaches in Canada in the last couple of years that have involved health information which, of course, people consider to be among the most sensitive of information that an organization will hold about them. Notifying individuals. That’s connected to the evaluation of the risk. Whether you notify affected individuals, or not, depends on the type of information that has been lost and what impact that will have on the individual and whether they can take steps to mitigate. If the information is largely inconsequential, and there’s nothing that can be done to mitigate any risks, then there’s really no point in notifying people because you just end up in a situation where they’re wondering why are you telling me this because there’s nothing really I can do and there’s really nothing of consequence that’s going to occur as a result of this. Develop a plan. Every organization now, even without the mandatory breach notification going into place, should have a breach policy. You should have a privacy breach policy. The last thing you want to be doing when something like this happens in your organization is to be figuring out on the spot what do we do. It needs to be laid out what you do. How do you escalate the situation? Who needs to be notified? Are you in a jurisdiction that has mandatory breach reporting? If there’s credit card information do you have a legal obligation to notify the credit card provider? There’s lots of things like that that you don’t want to figure out basically on the spot because it’s stressful enough to deal with that situation without having some of those steps locked down.

In terms of the mandatory PIPEDA breach notification this will come into force once the regulations are in place. There was a consultation period on the regulations that ended in May so they should be out in relatively short order and that’s when the mandatory breach notification will come into play. It’s not in every circumstance that it will be mandatory to be notify the Commissioner and affected individuals that a breach has occurred. It’s based on the assessment of whether there’s a real risk of significant harm to an individual, taking account of the sensitivity of the information, and the probability that it will be misused. That’s an assessment that has to be undertaken. I can tell you that while significant harm sounds like a high threshold, similar language has been used in Alberta, and the Privacy Commissioner there has interpreted that to be actually a very low threshold. In fact there have been circumstances where the Commissioner has determined that breach notification is mandatory where all you’re dealing with, for example, is names and email addresses. The reason they’ve reached that conclusion in some circumstances is they’ve said that that gives rise to a risk of fishing. It’s the fishing with a pea, I don’t know how many people are familiar with that term, but it’s where an illegitimate organization poses as a legitimate organization in order to try to get data or information from an individual. They’ll use their email address. Say it was a breach of a bank and now they have the names of the customers and their emails, they can use that information in order to email those customers of the bank, posing as the bank to try to get certain banking passwords or financial information. You wouldn’t tend to think of that kind of breach as necessarily rising to the level of significant harm but that’s not the conclusion that has necessarily been reached within jurisdictions that have the mandatory breach reporting. It’s always difficult to figure out when faced with a breach as to what will be considered to give rise to a significant risk of harm and also this aspect of mitigation. If people’s social insurance numbers are subject to a breach, well obviously that’s very sensitive information, but the other factor there is that if people know that their social insurance numbers have been released, they can contact the government and have that number discontinued and obtain a new social insurance number. Definitely when there’s a prospect that if people know they’ve been subject to this they can actually take mitigating steps, then that’s definitely going to be a circumstance where you want people to be notified, because that allows them to take those steps. In many of the cases that have led to the class action law suits, in circumstances where there has been notification, in some instances it hasn’t been for months and months and months. Think of how you would feel as a person affected by a breach, knowing that had you known within a few weeks, you could have taken some proactive measures to ensure that the use of your information wouldn’t be misused in a harmful way. The breach notification, mandatory breach notification that’s coming into effect, it will be that notification has to be given obviously to the affected individuals, but also the Commissioner, and also potentially other organizations in the case of very serious breaches. Sometimes the RCMP or other law enforcement have to be notified as well.

There’s another obligation that will be part of the PIPEDA breach notification obligation which is that even in a circumstance where there’s a breach that doesn’t rise to the level of requiring notification, there will be an obligation to retain records of breach occurrence, any time where it involves any personal information at all.

I just want to say a few words about the issue of mitigating risk which we’ve already been talking about quite a bit. From a legal perspective most organizations will have an external facing privacy policy. But going back to what I started out with in the presentation that privacy policy should not be considered to be a static document. Your information practices will change over time and going back to what Rebecca’s organization does, the difficulty for legal within an organization, a legal department within an organization, or the compliance department within an organization, is that they often don’t know what is happening. They aren’t told what’s happening in the organization with respect to collection use and disclosure of personal information. There is a lot of really neat new stuff out there and you aren’t always told about it in terms of new applications for mobile devices and what is being collected in that context. Ad tracking now, or different types of information gathering through the internet using third party ad companies, using placement of cookies. There’s a whole lot of information that can be gathered and our Privacy Commissioners consider that to be personal information. In order to have consent you have to have imparted knowledge to your customer base or your clientele that you are collecting that information and you may have to give an opt out of the collection of that information. Sometimes, as I say, as things change over time and the people in your organization think of all these interesting new things to do, they don’t always realize that it has these legal obligations associated with it and there may need to be some changes from that perspective.

Going back to service providers, as I’ve said, in Canada there is actually a legal obligation to ensure that you are contractually obligating all of your service providers to comply with the privacy laws that you are subject to as an organization. Those service providers may not be in Canada. That’s fine. Generally, depending on if you are public sector, you may have additional restrictions. If you’re health sector you may have some additional restrictions. But in general there is not a lot of restriction in Canadian law in terms of transfer of personal information outside of Canada. But there is still this obligation to ensure that that information is protected to our standards by the service provider. Whether that’s a Canadian or foreign provider. That necessitates this issue of contract review and maybe actually using those nifty little audit rights within those contracts and making it a living document.

That’s all I want to say about mitigating risk but I’ll turn it over to you Rebecca to say a few words from your perspective.

Rebecca: Sure. I think that summed everything up very nicely. At the end of the day, as we said, it’s your posturing for your organization and really insulating and protecting your organization. Taking those proactive steps, doing the technical things that your IT folks are already doing, but also understanding where those other risks are across your organization and being proactive in addressing those. There was something that I wrote down here. Being proactive and due diligence obligations to prevent risk and the reality is, if you haven’t done what you need to do and breach occurs, you’re going to be viewed as negligent. I think that’s a good way to sort of sum up.

Audience: inaudible question

Wendy: It’s under PIPEDA. It’s part of the fair information practices that are in Schedule 1 that are incorporated into the law. The Privacy Commissioners consider it a legal obligation and if found complaints to be well founded, in circumstances where you fail as an organization to impose, they use the phrase, I think, “contractual or other measures”. There’s a little bit of leeway but they’re definitely looking to see what the obligations are that are imposed and I think they say “normally would consider to be contractual”.

Audience: inaudible question

Wendy: I loved that you asked that question because Todd didn’t mention but I have a very strange mixed practice which one side is all privacy and data and defamation, and the other side is international trade, and they have never intersected and now they finally are. So, transpacific partnership was the question and there’s actually, I think it’s the first time that a trade agreement actually features a chapter, rather skeletal chapter, on data transfer or transfer of personal information. The objective of having the chapter in there, because it’s a free trade agreement, is actually to ensure free flow of data as much as possible. But at the same time they’ve tried to build in some safeguards to ensure that as a country, because TPP is done on a country by country basis, it’s a government to government agreement, but they’ve tried to ensure that you can have measures in place, as a country, to ensure adequate protection of data and the end objective is supposed to be sort of a mutual recognitions. So that every country that’s a member of the TPP is supposed to offer a basic level of protection for personal information and as long as they do then you are not supposed to impose restrictions on data transfer. Which of course is a huge issue in the EU right now and relating to the Schrem’s decision and whether the United States, in particular, provides an adequate level of protection for the personal information of EU citizens. So, I think it’s interesting. I think there’s all kinds of holes in it. I know BC was very concerned about it. I was out at a conference put on by the Information and Privacy Commissioner of BC a couple months ago and they were very concerned about whether they would still be able to have their data localization provisions or whether TPP would remove their ability to do that. I don’t think it will. There’s a lot of exceptions that are built in. It remains to be seen.

Audience: inaudible question

Rebecca: More and more companies are purchasing cyber insurance, and in fact clients that have gone through our assessment process we actually provide them a cyber insurance, sort of a generic application, that really provides the insights that they need to go and shop around for cyber insurance. It also, when they’re negotiating that cyber insurance, they’re in a much better position because they can say, “We’ve looked inside our organization to better understand what it is that we’re doing, what information we have” so they’re in a good position to negotiate a more favourable term.

Audience: inaudible question

Rebecca: Sure. Thank you. We’ve been around for about 30 years. We used to be, I like to say a traditional consulting firm, but about 15 years ago we really shifted our model and invested in our own web based technology to help us do our work more efficiently, for us, as well as for our clients. It’s very cost effective. What we help organizations do is assess their internal risks so we actually have in the booklets that you have, if you flip that over on the Jordan Lawrence side, we offer three services, essentially. One, what we call a human risk factor assessment, which is very much an annual assessment that you would do. We provide that all via the web so we don’t have to come onsite and meet with folks. We do that annually per organizations and it provides the due diligences so that they can demonstrate that they’re looking at their policies and practices and identifying where they have gaps. The other piece that we do is a much deeper dive, what we call assessment for information risks. In about 45 days we help companies essentially understand the records that they have, how long they’re keeping it, we benchmark them against peers and provide back, at the end of that 45 days, an executive level presentation where those key stakeholders from compliance, CEO’s are often involved in that, the GC’s and share with them, “Here’s where you have vulnerabilities. Here’s how long you’re over retaining information”. That’s typically, that’s not something you do annually, but we help companies do that and it’s really sort of the foundation for implementing a good records and information governance program which we also help companies do. The other service that you’ll see listed there is the vendor risk assessment. We’ve taken what is traditionally a very resource intensive process for many organizations, typically managed through spreadsheets, very manual, hard to identify risks. We’ve essentially automated that process for our clients. Any number of vendors they can go through our process. Whether they’re legacy existing providers, or if you’re on boarding new vendors as well, we provide that due diligence process to be able to meet those legal obligations and show that you’re checking in on your third party providers.

Wendy: Just to mention that I’ve seen Jordan Lawrence’s demo program so you can actually take a walk through the web based system and see how the surveys are conducted and the types of information that’s generated out of that. If you’re interested I think it’s a really good walk through to better understand. I had a hard time conceptualizing exactly how do you do this, how do you generate the information, and it was really helpful to do that.

Rebecca: In fact, if anyone is interested I’m going to have a couple of demos if you’d like to walk through any of those services, on Thursday this week. You can reach out to Wendy or to me directly and we can get you that information for attending. They’re typically about 20-30 minute web based sessions that we do. I’d be happy to share that with you.

Todd: If there are no further questions I’d like to thank our speakers first. I want to thank everybody in the audience for attending and watch our “Risk to Reward” site on our webpage for a number of other seminars that are going to be out in the fall. Thank you very much.