I met Logan when we were presenters at a Cyber Security Conference in Toronto. Our interests intersected and we decided to enlighten business owners about cybersecurity developments in Canada. I am a lawyer practicing civil litigation with a keen interest in privacy law. Logan is a cybersecurity and threat intelligence consultant focusing on providing cybersecurity solutions to businesses. This article was begging to be written by us.
The New and Improved PIPEDA: What you need to know and what you need to do
By: Stanislav Bodrov (Strigberger Brown Armstrong LLP) and Logan Wolfe (Gearhead Software)
Part 1 – The Amendment
It has become a bit of a jingle – “the question is not if your organization will get hacked, it’s when” – but Canadian lawmakers are taking this mentality seriously. There is a clear commitment in Canada to ensure that individuals retain power over their personal information; how it is used; and, most importantly, how it is protected by organizations.
Earlier this year, the EU passed the revolutionary General Data Protection Regulation (GDPR). On November 1, 2018, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) will be amended to include mandatory breach notification rules, which are similar to the provisions included in the GDPR. On an international scale, Canada is seen as a leader in personal data protection, and the changes to the existing legislation further reinforce that image.
The amendment will require organizations to do three things:
Report data breaches to the Privacy Commissioner of Canada;
Notify the individuals affected by a data breach; and,
Keep records of every breach of security safeguards.
These requirements will apply to every organization that collects, uses, or discloses personal information in the course of commercial activities in Canada.
The drafters of the legislation prescribe targeted requirements. For instance, a “breach of security safeguards” is defined as a loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of the organization’s security safeguards. This type of breach ranges from an employee accessing a consumer’s personal information without authorization (e.g., a bank teller accessing the information of an ex-spouse to see what they were spending money on) to an outside hacker accessing the organization’s network through illicit means. All breaches of security safeguards must be recorded by the organization and are subject to review by the Privacy Commissioner of Canada.
However, not every breach will require the organization to notify the consumer and be reported to the Privacy Commissioner. Only those breaches that pose a real risk of “significant harm” will trigger these obligations. The current PIPEDA does not define the term “significant harm”. However, the new PIPEDA defines it as including bodily injury, humiliation, damage to reputation or relationships, loss of employment, identity theft, negative effects on the credit report and damages to or loss of property.
In the course of determining whether a breach will cause significant harm, the organization must balance a number of factors including the sensitivity of the personal information; the probability of the information being misused; and, other relevant factors specific to each case.
The Regulation states that the organization must give notification “as soon as feasible” after the breach is discovered. There is no definition of this phrase. However, considering the number of reactionary steps that must be taken by an organization, the notification need not be immediate (otherwise it would say so in the Regulation), but it must certainly be considered a top priority in the organization’s data breach response plan.
Failure to maintain records of breaches, report breaches to the Commissioner, and notify the affected users can lead to penalties prescribed by PIPEDA. An organization guilty of such non-compliance will be subject to a fine of up to $100,000. This is in addition to the exposure associated with lawsuits initiated against the organization by the affected consumers and the legal costs associated with defending such actions.
Part 2 – PIPEDA v. GDPR: Similarities and Trends
The GDPR went into effect in May of this year and was immediately used as a basis for complaints against Facebook and Google. The GDPR, like PIPEDA, requires organizations to disclose to consumers when a company’s security mechanisms have been breached. It also requires the organization to disclose to its consumers how their information is going to be used, all in an effort to revert power over personal information back to the individual providing it.
One of the prevalent similarities between the two pieces of legislation is the territorial application of the laws. Specifically, organizations that conduct business in Canada will be subject to PIPEDA as well as the GDPR, if that organization is accessible in the European market. As such, the organization will be required to pay fines prescribed in the GDPR for non-compliance. The GDPR fines are much more severe than those in PIPEDA – up to €20 million or four percent of the organization’s annual global turnover. Similar to PIPEDA, the fines are discretionary and are levied based on the blameworthiness of the organization; the sensitivity of the information breached; and, a number of other applicable factors.
Some sources note that breaches reported to the Information Commissioner’s Office in the UK quadrupled within a month of the GDPR’s implementation [1]; other sources report a doubling in reporting [2]. Regardless, one thing is clear: organizations were suffering breaches significantly more often than they were reporting them prior to the implementation of the GDPR. In September, Fieldfisher, a law firm in the UK, reported a ten-fold increase in security breach cases since the implementation of the GDPR [3].
If history is any indicator, it is likely that a similar trend will follow in Canada with the passing of the PIPEDA amendments. Companies will be exposed not just to the fines prescribed in the legislation, but also to the incipient legal actions that will be based on negligence and violation of privacy.
In essence, the Regulations are forcing organizations to owe a duty of care to their consumers. Implementing effective cyber security strategies to avoid significant financial devastation will be vital to a business’ success, while failure to do so will result in significant legal and financial exposure.
Part 3 – Cyber Security Strategies
Security safeguard requirements vary based on the sensitivity of data. However, as a rule of thumb, a strategy’s end goal is protecting personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which it is held.
The nature of the safeguards will depend on a variety of factors including the sensitivity of the information that has been collected; the amount, distribution and format of the information; and, the method of storage. Implementing these safeguards will affect an organization’s reputation. In the event of a data breach and the resulting mandatory incident disclosure to affected customers and third parties, an organization will be forced to demonstrate that adequate security measures were implemented and that the organization’s leadership met the requisite standard to protect its affiliates.
Realistically, risk cannot be reduced to zero without reducing the usefulness of the asset; the goal is to find an acceptable balance between protection and usability. That said, more sensitive information should be safeguarded by a higher level of protection, which will typically decrease the usability of that information. Various types and levels of security controls are vital to a business’ cyber security success. These include:
Physical measures (CCTV, locks, access cards, restricted access to premises);
Finally, having detailed data breach response and business continuity plans will make all the difference in the event of a security incident. These plans cover all preparatory and reactionary steps in case of a breach in great detail. The plans ought to include tiered impact analysis; automated backups; load balancing and IT-focused forensics procedures focusing on determining affected areas and containing damage; escalation and notification practices; mitigation steps; lessons learned; high-level financial and technical reporting; recovery procedures; designated first responders; loss control; and, reputation management.
Data breach response plans are no longer optional – they are mandatory. Organizations will be responsible for ensuring that their customers’ data is protected with a strategy that meets the standard of care prescribed by the cyber security industry. Additionally, organizations will be required to report breaches to the Privacy Commissioner; inform users of a breach; and, maintain detailed records of all breaches of security safeguards. Failure to comply with these requirements may result in significant fines levied pursuant to the amended PIPEDA and/or the European GDPR.
Organizations must ensure that they have not only a sufficient preventative mechanism but also a requisite reactionary plan. This includes having a cybersecurity agency on call to follow a response plan and a competent lawyer to minimize an organization’s exposure in legal actions. Cyber liability insurance policies play a vital role in covering the costs of both services, with the choice of providers left to the organization.
Stas practices in insurance-related litigation. He has a broad range of experience including tort claims, accident benefits, subrogation, priority and loss transfer disputes, WSIB matters, and fraudulent claims.
The Supreme Court of Canada recently considered whether an individual can be impaired by reason of distracted driving in R. v. Suter. While the primary issue was the appropriate length of sentence for the criminal conviction, it also dealt with the concept of being impaired by distraction.
The facts of the case were tragic. Mr. Suter fatally injured a two year old when he drove his vehicle onto a restaurant patio. Following the incident, the accused was charged with impaired driving causing death, impaired driving causing bodily harm and refusing to provide a breath sample after causing an accident resulting in a death. Complicating the situation was the fact that sometime after the accident, Mr. Suter was attacked by a group of vigilantes who kidnapped him, beat him and cut off his thumb using a set of pruning shears.
In the moments leading up to the accident, the accused and his wife got into a fight in the parking lot in front of the restaurant patio. During this fight, his wife exclaimed “Maybe we should just get a divorce.” At about the same moment, the wife realized that the vehicle was inching forward and she yelled at the accused to stop. Unfortunately, Mr. Suter’s foot had come off the brake pedal. Instead of hitting the brake, he pressed down on the gas pedal, which caused the vehicle to launch forward onto the patio where he struck the child. Following this, Mr. Suter was pulled from the vehicle, thrown to the ground and beaten by witnesses at the scene. He was arrested, taken to the police station and a breath demand was made. It was after speaking with a lawyer to obtain legal advice that he ultimately refused to provide the breath sample.
The Supreme Court of Canada noted that the circumstances were unique, as the reason the accused refused to provide the police with a breath sample was that he was given bad legal advice which he followed. The impaired driving charges were ultimately withdrawn when the accused pleaded guilty to one count of refusing to provide a breath sample.
The Court of Appeal of Alberta found that the sentencing Judge made several errors in his decision. One of these errors was that the sentencing Judge failed to consider the fact that the accused “cho[se] to drive while distracted in the context of his health and pre-existing alcohol problems.” The Court of Appeal found that this was an aggravating factor.
The Supreme Court of Canada was critical of the Court of Appeal for engaging in their own interpretation of the evidence by concluding that what happened was more than just a momentary driving error. Although it was accepted that the accused was not impaired by alcohol, the Court of Appeal concluded that the accused’s ability to drive was “knowingly impaired by health and other factors.” Specifically, the Court of Appeal concluded that the accused’s ability to drive was “impaired by the distraction offered by his argument with his wife, in the context of [his] health and drinking problems.”
The Supreme Court of Canada held that the concept of “impaired by distraction” was “both novel and confusing” and would not endorse it. The Supreme Court of Canada found that the Court of Appeal did so primarily to circumvent the lower Court’s finding that the accident was a result of a non-impaired driving error. The Supreme Court of Canada noted that in describing the circumstances of the accident, the Court of Appeal focused on the fact that the accused chose to drive (1) in a busy parking lot; (2) while angry and distracted; and (3) in the context of pre-existing marital/health/alcohol problems.
The Supreme Court concluded that the Court of Appeal:
[I]mproperly recast the accident as one caused by health and alcohol problems, anger, and distraction. It reweighed the evidence and looked to external factors that had no bearing on the gravity of the offence for which Mr. Suter was charged, nor on Mr. Suter’s level of moral blameworthiness.
The Supreme Court of Canada found that this was an error in principle that resulted in the imposition of an unfit sentence.
While impaired by distraction may not be sufficient for a criminal conviction, an individual’s state of mind while behind the wheel continues to play a significant role in motor vehicle tort claims. The standard to prove negligence is lower than the criminal burden of proof. Although the Supreme Court of Canada may not have been willing to assign criminal fault in these circumstances, the reasonableness of a driver’s actions in a similar civil setting is still fair game.
On June 19, 2018, the Senate voted to pass Bill C-45, the federal government’s bill to legalize and regulate recreational cannabis in Canada. This paves the way for Royal Assent. After a “buffer period” to allow provinces and municipalities to complete preparations, legalization is expected to take place sometime in the Fall of 2018. Regardless of personal opinions, legalization will likely have far-reaching consequences on the Canadian insurance industry.
Generally, the proposed Act will allow adults to purchase, share, and possess up to 30 grams of dried cannabis, grow up to four plants per residence for personal use, and make cannabis products including food or drink. Certain rights can be modified by corresponding provincial legislation, such as Ontario’s Cannabis Act, 2017, SO 2017, c. 26, Sched. 1, which restricts the age of purchase to 19 as opposed to the federal minimum of 18.
In addition to legalizing the possession and production of recreational cannabis, Bill C-45 provides a regulatory framework for the distribution and management of the cannabis supply in Canada. It grants significant powers to a Cabinet designate to levy administrative monetary penalties on individuals who are in violation of various provisions. Significant restrictions will also be placed on marketing, branding, and advertising targeted at youth.
Additionally, new criminal penalties will be imposed on the illegal distribution or sale of marijuana outside of the regulated systems put in place by the provinces, possession over the 30 gram limit, or production of cannabis beyond the personal use limits. These penalties will range from modest tickets and fines for small infractions to up to 14 years in prison for more serious offences. Notably, the act of taking cannabis across Canada’s borders carries with it a penalty of up to 14 years in jail.
It will be up to the individual provinces to determine how cannabis will be distributed in their respective jurisdictions. Ontario has opted for a centralized government monopoly where cannabis will be sold through the Ontario Cannabis Store (“OCS”). Nova Scotia has put in place a similar government monopoly. In contrast, Manitoba plans to allow a cluster of four private companies to distribute cannabis. Similarly, each province and municipality will be entitled to restrict the consumption of cannabis on public property.
After 95 years of prohibition, insurance policies and practices have generally excluded anything to do with cannabis. It was only recently that some insurers began to include medical cannabis in their group benefit plans, despite medical cannabis having been legalized many years previously. Previously, losses arising from fires caused by growing cannabis were excluded as arising from criminal acts. With the legalization of home growing, questions remain as to whether failing to tell your insurer about your four cannabis plants would be sufficient to constitute a material change in risk. Certain independent adjusting firms are also rolling out specialized claims services for the cannabis industry in an effort to get ahead of the coming changes. Although the full impact of legalization remains to be seen, disputes involving coverage under homeowner policies, reasonable medical expenses, and human resources practices will likely be quite common in the initial transition.
Apple Watch leads to distracted driving conviction.
A recent Ontario Court of Justice case brings to light a new distracted driving concern – Apple wrist watches. Ms. Ambrose was convicted of “drive hand-held communication device” – really, distracted driving – after she was observed looking at her watch on several occasions while operating a vehicle. The police officer testified that as he was stopped beside the Defendant at a red light, he noted a glow from a handheld device. The officer observed her look up and down approximately four times. When the light turned green, the two cars in front of the Defendant moved forward but she did not. When the police officer turned on his spot light, she started to drive forward.
After the officer pulled over the Defendant, he learned that the handheld device was her Apple Watch. While she testified that the watch was not connected to her phone, the Court found that whether it was actually connected to another device at the time of the offence was not a determining factor. It was the holding, or use of the device, that the Court must examine. Ms. Ambrose claimed that despite the capabilities of the watch, she was only checking the time, which required touching the screen to activate and deactivate it. The Court noted that she did this instead of using the clock in her vehicle.
The Court found that the law was clear – driving occurs even when motor vehicles are stopped at a red light. As such, the evidence established that the Apple Watch was used while the Defendant was driving a motor vehicle on a highway. The key was determining whether she was distracted. On this point, the Court found that it was “abundantly clear” from the evidence that the Defendant was distracted. She was looking up and down repeatedly over the 20 seconds that the officer observed her. In addition, she did not start driving when the light turned green. It was only when the floodlight illuminated the vehicle that she started to drive. The Court rejected the argument that the Defendant was checking the time because it was inconsistent with the officer’s observations.
Finally, the Court noted that even though the watch was smaller than a cellular phone, it was a communication device capable of receiving and transmitting electronic data. Specifically, the Court held “[w]hile attached to the defendant’s wrist it is no less a source of distraction than a cell phone taped to someone’s wrist. It requires the driver to change their body position and operate it by touch.”
This case is important for personal injury claims. During interviews, discoveries and trials, the use of all handheld devices (which now include smart watches) should be explored to determine whether a party was distracted at the time of the accident and thus negligent.
It takes little effort to identify the international behemoth that was recently scrutinized for disclosing its users’ personal data (*cough* Facebook *cough*). As of today, many businesses, big and small, have the potential to be vilified and fined for the same type of inadvertent disclosure. The key distinction between Facebook and other companies is their resources to deal with the fallout of such a disclosure.
What does it do?
The GDPR was developed in 2016 and intended to take effect this year. The Regulation aims to protect people’s information when it is shared with businesses. It also allows people to permit or deny the distribution of personal data with third parties. The Regulation places certain disclosure requirements on entities to inform their users of a potential breach.
Although this is a European regulation, it affects businesses that operate out of a European signatory state and market to a foreign country (e.g., Canada), as well as foreign businesses marketing to and operating within a European signatory state. In essence, any company that seeks to advertise to an international population, which by using the Internet most companies do, must comply with the requirements set out in the GDPR.
Failure to comply
The failure to comply with the GDPR can lead to severe consequences. One of them is a fine of up to €20 million. The GDPR also allows signatory states to implement their own regulations to ensure compliance. Another significant repercussion is the potential for lawsuits stemming from a data breach. The GDPR establishes a standard of care that businesses must meet. Failure to satisfy this standard will expose businesses not only to fines but to financially devastating legal actions.
The “big” insurance companies like Chubb, Lloyds, and Northbridge are beginning to offer comprehensive cyber insurance policies to businesses. Other new companies such as Boxx Insurance have started to exclusively offer cyber insurance policies to small and medium sized businesses.
Cyber insurance policies are designed to protect businesses when a data breach occurs, and may include coverage for fines, legal services, and PR services.
Insurance adjusters will soon be confronted with a significant number of claims originating from cyber policies. Adjusters must be ready not only to ensure that their clients are protected, but also that the insurer is not being defrauded.
Adjusters will have to undergo technical training to verify that their clients are compliant with not only the GDPR but also with the requirements of their insurance policy. It will also be imperative that adjusters identify technical “red flags” that may signal a fraudulent claim.
Striking this balance will be difficult but necessary.
Companies like Facebook can rebound from a data breach given their vast pool of resources; however, small businesses can go bankrupt from a single cyber-attack. As a result of this dichotomy, cyber insurance policies will continue to develop and may soon be as common as an auto insurance policy. Insurance companies and their adjusters must be prepared to understand and “speak the language” of their consumers to meet their needs and expectations.