Privacy, Data Security and Anti-Spam Compliance

March 29, 2017

Dan Michaluk

Page 2: Dan Michaluk | [email protected]

Page 3: Overview

• Privacy compliance
• Data security
• Anti-spam

Page 4: Privacy Compliance

Page 5: Commercial sector privacy legislation

• PIPEDA (federal)
• BC PIPA
• Alberta PIPA
• Manitoba PIPA
• Quebec Act

Page 6: Privacy legislation in four bullet points

• Regulates flows of personal information – collection, use and disclosure
• Flows must be authorized, for a reasonable purpose and necessary
• Accountability – structural, mandated openness, via access
• Reasonable data security – accuracy/integrity + protection

Page 7: What’s new – PIPEDA now applies to applicants

• The Bill S-4 (Digital Privacy Act) amendment changed the application provision of PIPEDA – s. 4(1)(b)
• Now applies to “an applicant for employment”
• Creates a new constraint on Bank screening processes
• OPC can judge whether a collection and use is reasonable
• Beware of Mark’s Work Wearhouse in Alberta regarding the use of credit profile information (P2010 IR 001)

Page 8: What’s new – Guidance on investigations

• Can now share personal information (PI) to investigate and to prevent breaches of law
• OPC issued a warning in March 2017 – organizations should:
  • Carry out due diligence and exercise good judgement when availing themselves of these exceptions
  • Carefully consider each of the requirements explicitly outlined in the provisions
  • Take care to ensure the limits set out in these provisions are respected

Page 9: Data Security

Page 10: The context

Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA

Page 11: The regulatory framework

• Privacy legislation
• Reasonable security
• Breach notification in Alberta and soon under PIPEDA
• Bank Act and OSFI
• Securities and market participant regulation

Page 12: The standard – Ashley Madison report (OPC joint investigation, 2016)

• Having documented security policies and procedures is a basic organizational security safeguard
• Conducting regular and documented risk assessments is an important organizational safeguard in and of itself
• Use multi-factor authentication for remote administrative access

Page 13: The standard – OSFI self-assessment guide

“Desirable properties and characteristics of cybersecurity practices” in six areas:

• Organization and resources
• Cyber risk and control assessment
• Situational awareness
• Threat and vulnerability risk management
• Cybersecurity incident management
• Cybersecurity governance

Page 14: The standard – OSFI Guideline B-10 (Outsourcing)

FRFIs are to:

• Evaluate the risks associated with all existing and proposed outsourcing arrangements;
• Develop a process for determining the materiality of arrangements;
• Implement a program for managing and monitoring risks, commensurate with the materiality of the arrangements;
• Ensure that the board of directors, chief agent or principal officer receives information sufficient to enable them to discharge their duties under this Guideline; and
• Refrain from outsourcing certain business activities to the external auditor

Page 15: The standard – CSA Staff Notice 11-332

• CSA says, “Hey! This is important!”
• Refers to 13 documents as “useful”
• No one size fits all, but here are 11 very general prescriptions – including on employee awareness, incident response, vendor management

Page 16: Notification – Under PIPEDA (pending)

• Threshold: reasonable to believe there is a real risk of significant harm
• Notify individuals and the OPC as soon as feasible
• Notify other organizations and government if doing so could reduce risks or mitigate harm
• Record of all breaches of security safeguards to be kept and provided to the OPC on request

Page 17: Notification – CSA Staff Notice 51-347

“In considering whether and when to disclose a cyber security incident, the issuer must determine whether it is a material fact or material change that requires disclosure in accordance with securities legislation… Materiality depends on the contextual analysis of the cyber security incident. While an isolated cyber attack may not be material, a series of or frequent minor incidents may become material in light of the level and type of disruption caused.”

Page 18: CASL

Page 19: How CASL spam regulation works

• Everything’s a CEM – a commercial electronic message – unless it isn’t
• Default – express consent is required to send a CEM
• Implied consent is deemed in some circumstances
• Convey certain information in a CEM
• Provide and administer an opt-out

Page 20: CASL enforcement activity to date

• Compufinder (2015 notice of violation) – $1.1 million
• Plentyoffish (2015 undertaking) – $48,000
• Porter (2015 undertaking) – $150,000
• Rogers (2015 undertaking) – $200,000
• Blackstone Learning Corp (CRTC 2016-428) – $50,000
• William Rapanos (CRTC 2017-65) – $15,000

Page 21: What’s new – Pending private right of action

• Implements (essentially) a private prosecution regime
• Three-year limitation period
• Barred by pre-emptive regulator enforcement
• Order may be made for:
  • Compensation for special damage (if any)
  • Defined amounts per contravention
• Orders guided by factors

Page 22: Privacy, Data Security and Anti-Spam Compliance (closing slide)