I met Logan when we were presenters at a Cyber Security Conference in Toronto. Our interests intersected and we decided to enlighten business owners about cybersecurity developments in Canada. I am a lawyer practicing civil litigation with a keen interest in privacy law. Logan is a cybersecurity and threat intelligence consultant focusing on providing cybersecurity solutions to businesses. This article was begging to be written by us.
The New and Improved PIPEDA: What you need to know and what you need to do
By: Stanislav Bodrov (Strigberger Brown Armstrong LLP) and Logan Wolfe (Gearhead Software)
Part 1 – The Amendment
It has become a bit of a jingle – “the question is not if your organization will get hacked, it’s when” – but Canadian lawmakers are taking this mentality seriously. There is a clear commitment in Canada to ensure that individuals retain power over their personal information; how it is used; and, most importantly, how it is protected by organizations.
Earlier this year, the EU passed the revolutionary General Data Protection Regulation (GDPR). On November 1, 2018, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) will be amended to include mandatory breach notification rules, which are similar to the provisions included in the GDPR. On an international scale, Canada is seen as a leader in personal data protection, and the changes to the existing legislation further reinforce that image.
The amendment will require organizations to do three things:
Report data breaches to the Privacy Commissioner of Canada;
Notify the individuals affected by a data breach; and,
Keep records of every breach of security safeguards.
These requirements will apply to every organization that collects, uses, or discloses personal information in the course of commercial activities in Canada.
The drafters of the legislation prescribe targeted requirements. For instance, a “breach of security safeguards” is defined as a loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of the organization’s security safeguards. This type of breach ranges from an employee accessing a consumer’s personal information without authorization (e.g. a bank teller accessing the information of an ex-spouse to see what they were spending money on) to an outside hacker accessing the organization’s network through illicit means. All breaches of security safeguards must be recorded by the organization and are subject to review by the Privacy Commissioner of Canada.
However, not every breach will require the organization to notify the consumer and be reported to the Privacy Commissioner. Only those breaches that pose a real risk of “significant harm” will trigger these obligations. The current PIPEDA does not define the term “significant harm”. However, the new PIPEDA defines it as including bodily injury, humiliation, damage to reputation or relationships, loss of employment, identity theft, negative effects on the credit report and damages to or loss of property.
In the course of determining whether a breach will cause significant harm, the organization must balance a number of factors including the sensitivity of the personal information; the probability of the information being misused; and, other relevant factors specific to each case.
The Regulation states that the organization must give notification “as soon as feasible” after the breach is discovered. There is no definition of this phrase. However, considering the number of reactionary steps that must be taken by an organization, the notification need not be immediate (otherwise it would say so in the Regulation), but it must certainly be considered a top priority in the organization’s data breach response plan.
Failure to maintain records of breaches, report breaches to the Commissioner, and notify the affected users can lead to penalties prescribed by PIPEDA. An organization guilty of such non-compliance will be subject to a fine of up to $100,000. This is in addition to the exposure associated with lawsuits initiated against the organization by the affected consumers and the legal costs associated with defending such actions.
Part 2 – PIPEDA v. GDPR: Similarities and Trends
The GDPR went into effect in May of this year and was immediately used as a basis for complaints against Facebook and Google. The GDPR, like PIPEDA, requires organizations to disclose to consumers when a company’s security mechanisms have been breached. It also requires the organization to disclose to its consumers how their information is going to be used, all in an effort to revert power over personal information back to the individual providing it.
One of the prevalent similarities between the two pieces of legislation is the territorial application of the laws. Specifically, organizations that conduct business in Canada will be subject to PIPEDA as well as to the GDPR, if that organization is accessible in the European market. As such, the organization will be required to pay the fines prescribed in the GDPR for non-compliance. The GDPR fines are much more severe than those in PIPEDA – up to €20 million or four percent of the organization’s annual global turnover. Similar to PIPEDA, the fines are discretionary and are levied based on the blameworthiness of the organization; the sensitivity of the information breached; and, a number of other applicable factors.
Some sources note that breaches reported to the Information Commissioner’s Office in the UK quadrupled within a month of the GDPR’s implementation [1]; other sources report a doubling in reporting [2]. Regardless, one thing is clear: organizations were suffering breaches significantly more often than they were reporting prior to the implementation of the GDPR. In September, Fieldfisher, a law firm in the UK, reported a ten-fold increase in security breach cases since the implementation of the GDPR [3].
If history is any indicator, it is likely that a similar trend will follow in Canada with the passing of the PIPEDA amendments. Companies will be exposed not just to the fines prescribed in the legislation, but also to the incipient legal actions that will be based on negligence and violation of privacy.
In essence, the Regulations are forcing organizations to owe a duty of care to their consumers. Implementing effective cyber security strategies to avoid significant financial devastation will be vital to a business’ success, while failure to do so will result in significant legal and financial exposure.
Part 3 – Cyber Security Strategies
Security safeguard requirements vary based on the sensitivity of data. However, as a rule of thumb, a strategy’s end goal is protecting personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which it is held.
The nature of the safeguards will depend on a variety of factors including the sensitivity of the information that has been collected; the amount, distribution and format of the information; and, the method of storage. Implementing these safeguards will affect an organization’s reputation. In the event of a data breach and the resulting mandatory incident disclosure to affected customers and third parties, an organization will be forced to demonstrate that adequate security measures were implemented and that the organization’s leadership met the requisite standard to protect its affiliates.
Realistically, risk cannot be reduced to zero without reducing the usefulness of the asset; the goal is to find an acceptable balance between protection and usability. That said, more sensitive information should be safeguarded by a higher level of protection, which will typically decrease the usability of that information. Various types and levels of security controls are vital to a business’ cyber security success. These include:
Physical measures (CCTV, locks, access cards, restricted access to premises);
Finally, having detailed data breach response and business continuity plans will make all the difference in the event of a security incident. These plans cover all preparatory and reactionary steps in case of a breach in great detail. The plans ought to include tiered impact analysis; automated backups; load balancing and IT-focused forensics procedures focusing on determining affected areas and containing damage; escalation and notification practices; mitigation steps; lessons learned; high-level financial and technical reporting; recovery procedures; designated first responders; loss control; and, reputation management.
Data breach response plans are no longer optional – they are mandatory. Organizations will be responsible for ensuring that their customers’ data is protected with a strategy that meets the standard of care prescribed by the cyber security industry. Additionally, organizations will be required to report breaches to the Privacy Commissioner; inform users of a breach; and, maintain detailed records of all breaches of security safeguards. Failure to comply with these requirements may result in significant fines levied pursuant to the amended PIPEDA and/or the European GDPR.
Organizations must ensure that they have not only a sufficient preventative mechanism but also the requisite reactionary plan. This includes having a cybersecurity agency on call to follow a response plan and a competent lawyer to minimize the organization’s exposure in legal actions. Cyber liability insurance policies play a vital role in covering the costs of both services, selected at the organization’s own choosing.
Stas practices in insurance-related litigation. He has a broad range of experience including tort claims, accident benefits, subrogation, priority and loss transfer disputes, WSIB matters, and fraudulent claims.
Long-term disability (“LTD”) coverage is often a key benefit employees derive from their employment. LTD benefits can provide significant security to employees in the form of income continuation when they are disabled due to an illness or injury. I previously talked about some misconceptions that employers may have regarding LTD benefits, here. Today we deal with some common misconceptions that employees may have with LTD benefits.
Misconception #1: An Employer is not entitled to know why I am off work
Generally speaking, if an employee is taking a sick day or two, an employer is not entitled to ask for specifics, such as a diagnosis. In fact, the recent amendments to the Employment Standards Act, 2000 brought in by Bill 148 explicitly prohibit requiring a doctor’s note when making use of Personal Emergency Leave. However, when employees are off work for an extended period of time, their employers become entitled to obtain further information. Generally this may mean an employee has to provide a diagnosis and details of their general functional abilities for the purposes of determining proper accommodation. In extreme cases, Ontario’s Divisional Court has ruled that under the Ontario Human Rights Code employers are entitled to request that an employee undergo an independent medical examination as part of the duty to accommodate, provided the medical information required by the employer cannot reasonably be obtained from the employee’s treating practitioner.
Practically speaking, it is in the employee’s best interest to keep the employer in the loop. The employer and the LTD carrier are entitled to updates on an employee’s condition and their ability to return to work, within reasonable limits. A failure to communicate with the employer about an employee’s medical status may lead to an eventual claim for frustration of contract, as we discussed in a previous blog, here.
Misconception #2: The Employer and LTD Carrier have the obligation to obtain updated information
While most employers and LTD carriers will take the initiative to check in with an injured employee, ultimately, it is the employee’s responsibility to ensure they are providing sufficient information to satisfy the policy definition for disability.
LTD carriers require information in order to appropriately adjudicate a file. That information comes from the employee and their treatment team. As a recipient of LTD benefits, an employee has an obligation to provide ongoing information to the LTD carrier. In fact, many disability definitions require that the employee be under the continuous care of a physician in order to qualify for benefits. If an employee fails to provide the required information, the carrier may be entitled to terminate entitlement to benefits on the basis that there is insufficient information to determine their ongoing disability.
Where a medical picture is particularly complex or prolonged, many LTD policies allow the LTD carrier to arrange their own independent medical examination to determine an employee’s ongoing eligibility.
Misconception #3: An employee cannot be terminated while on disability and does not have to return to work unless they are 100% recovered
Just like employers have a duty to accommodate, employees have a duty to participate in reasonable accommodation attempts. If employers can provide modified meaningful work to an injured employee, the employee may be required to attempt a return to work. Many LTD policies will have provisions regarding “rehabilitation programs” which allow for gradual returns. Employees who fail to comply with these provisions may find themselves in violation of the Policy.
Similarly, an employee can be terminated while receiving LTD benefits, so long as their disability did not form part of the basis for the termination, for example during a factory shutdown. However, it is worth noting that employees in this situation may still be entitled to pay in lieu of notice rather than “working notice.” Additionally, in some cases employees can be terminated on the basis that their disability has made it impossible to complete their contract of employment, resulting in frustration of contract. While each case is unique, an employer who is capable of showing there was no reasonable likelihood of the employee returning to work within the foreseeable future may have a valid claim for frustration, as seen in Roskraft v. RONA Inc. In a valid frustration scenario, employers are entitled to consider the contract at an end and employees will only be entitled to the minimum statutory payments required under the Employment Standards Act, 2000.
Conclusion: Avoiding Disputes Through Collaboration
When dealing with an injured employee, benefit entitlement, accommodation, and potential termination of employment are areas of significant risk and concern for all parties involved. Early, frequent, and accurate information exchange can bust many of the myths in these complex multi-party disability situations. The overlap of contractual, statutory and common law obligations among the three parties makes the management of long-term disability claims particularly complex. If an employee fails to take positive steps to advise their employer of their situation or to cooperate with the LTD carrier, they may find themselves on the receiving end of a claim for frustration or abandonment.
Devan Marr’s practice has focused on bodily injury, long term disability, statutory accident benefits, and employment claims.
The Divisional Court has confirmed that the limitation period set out in the Insurance Act and the SABS falls within the category of “hard” limitations periods, which are triggered by a fixed and known event, as opposed to the day a claim was discovered.
The Divisional Court noted that although it may be considered harsh, there are important policy considerations on both sides:
In the case of the Insurance Act, and claims under the SABS, an insurer has no control over when an insured applies for a designation of catastrophic impairment. An insurer would not continually assess a claimant if ongoing expenses are not being submitted. Presumably, the legislature thought it important to provide for a reasonable period, after which an insurer’s obligation would be discharged, whether or not meritorious claims may be discovered later.
The Applicant, Sotira Tomec, sought judicial review of the decision of the Licence Appeal Tribunal in S.T. v. Economical Mutual Insurance Company, 2018 CanLII 61170 (ON LAT).
Ms. Tomec was involved in a pedestrian-motor vehicle accident on September 12, 2008. Economical paid attendant care benefits and housekeeping benefits up to the 104-week mark, at which point Economical sent her a letter and Explanation of Benefits, both dated August 26, 2010, containing a refusal to pay further attendant care benefits and housekeeping benefits beyond September 12, 2010. The Explanation of Benefits contained language regarding the dispute resolution process and a warning of the two-year limitation period to dispute the refusal to pay further benefits. Ms. Tomec did not dispute the refusal to pay further attendant care benefits and housekeeping benefits until more than six years later, on September 20, 2016. In the interim, Ms. Tomec submitted an Application for Determination of Catastrophic Impairment, dated May 13, 2015 and via letter dated November 4, 2015, Economical deemed her catastrophically impaired.
At the Licence Appeal Tribunal, Ms. Tomec argued that the limitation period should not start to run before she was deemed catastrophically impaired, which was when she discovered she had a claim. In response, Economical argued that the limitation period is triggered by the insurer’s refusal to pay a benefit and that, as set out by the Divisional Court in Kirkham v. State Farm, O.J. No. 6459 (leave to appeal refused), the principle of discoverability does not apply to SABS disputes. The “cause of action approach” was specifically rejected in Kirkham when interpreting the phrase “within two years after the insurer’s refusal to pay the benefit claimed”.
The Tribunal’s Vice-Chair determined that the Applicant was statute barred from proceeding with her claim for attendant care benefits and housekeeping benefits. The Vice-Chair found that Economical issued a clear and unequivocal denial of attendant care benefits and housekeeping benefits which met the requirements of Smith v. Cooperators, 2 S.C.R. 129 and, as well, that the principle of discoverability does not apply to accident benefits.
The Divisional Court considered the appropriate standard of review of the Tribunal’s decision, noting that the question of whether the discoverability principle applies is a general question of law that goes beyond the expertise of the Tribunal and is a question that must be answered uniformly for all adjudicators deciding cases under the Insurance Act. However, ultimately, the Court found that it was unnecessary to come to a definitive conclusion on the applicable standard of review since there was no error, even on a correctness standard.
Ultimately, after consideration of its own decision in Kirkham v. State Farm and the Ontario Court of Appeal’s decisions in Levesque v. Crampton Estate, 2017 ONCA 455, Haldenby v. Dominion, 55 O.R. (3d) 470, Turner v. State Farm, (2005) 195 OAC 61 and Sietzema v. Economical, 2014 ONCA 111, the Divisional Court held:
“as found by the Tribunal, the insurer had clearly and unequivocally refused to pay those expenses as of September 12, 2010. Pursuant to the clear words of the limitation period, which ties it to a period of two years after the insurer’s refusal to pay the benefit claimed, the claim is time barred.”
Lisa has an insurance law practice that has focused exclusively on insurance defence for 15 years. Her practice focuses on complex insurance-related litigation, including accident benefits and bodily injury.