Given the number of financial service firms that hold, and work with, confidential information obtained from their clients, the threat of a cybersecurity breach has been in the spotlight as an ongoing business risk throughout 2017. As directors seek ways to address this risk, they should be mindful of CSA Staff Notice 33-321 released in October 2017 by the Canadian Securities Administrators which provides guidance in this area (summarized in our November Issue of the Bulletin). Directors should also be mindful of one of the leading privacy law cases: Townsend v. Sun Life Financial (“Townsend”) which discusses a firm’s obligations regarding the protection of private and confidential information.
In Townsend, the plaintiff alleged that Sun Life failed to safeguard his personal information by accidentally sending information to a third party and mailing certain letters to incorrect addresses. The Federal Court did not award any damages to the plaintiff and found that: (a) the breach was relatively minor; and (b) “Sun Life had a detailed protocol [for dealing with private information] before the occurrence of what can only be considered human error” and “Nobody should be held to a standard of perfection”.
The Court’s finding in (b) above is significant because it suggests that taking reasonable measures to protect private information may lessen or absolve culpability in the event of a data breach (including a cybersecurity incident) at a firm. Reasonable measures may include using certain cybersecurity measures that are currently being used by the financial services industry, including:
- The National Institute of Standards of Technology Cybersecurity Framework
- The 10 principals of Cyber Resilience from a report issued by the World Economic Forum entitled “Advancing Cyber Resilience Principles and Tools for Boards”
- The IIROC Cybersecurity Best Practices Guide
Although we recommend that you speak to your usual lawyer at AUM Law to discuss what measures makes sense for your firm, a common thread on all cybersecurity standards that we have seen is that directors are required to play an integral part of the management process and be active in the oversight of cybersecurity risk. In short, cybersecurity is not an IT department problem and those firms that delegate the management of their cybersecurity risk to their “tech people” may be seen to fall short of the “reasonable measures” expectation described above.
Director involvement requires that firms maintain and document proof that they have reviewed and promoted their cybersecurity policies, and that they have the technical proficiency to understand the policies and/or they have consulted experts that can explain it to them. After a cybersecurity policy is created, directors must still ensure that they are actively reviewing the policy and asking questions of their experts to ensure that their policy remains effective and current.