Proposed privacy legislation would impose harsher sanctions on companies for breaches
On Monday, federal Privacy Commissioner Daniel Therrien released his report on his office’s investigation into a massive breach of Desjardins Group’s customer data between 2017 and 2019. Desjardins discovered that the breach had been committed by a “malicious” employee, raising questions as to whether the credit union’s security safeguards were appropriate.
The Office of the Privacy Commissioner’s investigation concluded that Desjardins contravened the Personal Information Protection and Electronic Documents Act (“PIPEDA”)’s principles regarding accountability, retention periods and security safeguards, and made recommendations to address the contraventions found. These included: implementing security screening and confidentiality agreements; organizational policies and procedures; employee training and awareness; stricter access controls and data segregation; and ensuring oversight and monitoring.
In recent years data breaches and hacks have become far more common, and COVID-19 has only exacerbated the problem, say two privacy and data protection lawyers, as hackers exploit vulnerabilities of the new remote, work-from-home environment.
“It’s amazing the sophistication resulting from COVID,” says Daniel Fabiano, a partner in Fasken Martineau DuMoulin LLP in Toronto. Individuals are anxious, stressed, and the ground has shifted; “that’s fertile ground for someone to exploit.” And although employee training in avoiding fraud is vital, even well-trained senior IT professionals can be duped by some of these hackers, he says.
For smaller companies, the cost of these attacks is proportionately very high, says Fabiano’s colleague Kateri-Anne Grenier, a partner in Fasken in Quebec City. The loss of business, reputation, and providing compensatory credit monitoring to perhaps 100,000 people can be pricey, she notes, and today even smaller companies are purchasing cyber insurance.
“It’s one of the aspects that we’ve seen develop during the past year,” she says: a cyber insurance policy so that companies can afford the cost resulting from data breaches.
The federal government’s Bill C-11, or Digital Charter Implementation Act, went through first reading in November and proposes the most significant changes to privacy legislation in a decade. If passed, it will enact two new acts: the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act, and amend some other acts.
And the corporate fines it would impose for the most serious infractions of digital privacy will be among the most stringent in the world: 5 per cent of an organization’s gross global revenue in its financial year before the one in which the organization is sentenced, or $25 million, whichever figure is higher. Under Quebec’s proposed Bill 64, administrative penalties for breaches would be up to $10 million, or 2 per cent of global revenues, whichever is higher.
In addition, says Grenier, technology companies operating in Quebec will have to comply with data breach notification requirements.
“Given the quantity of breaches we see nowadays, that [legislation brings] enhanced security obligations and [for] retaining data: having a structure, being disciplined with what information is collected, what is kept, and when is it necessary to delete personal information.”
Companies open themselves up to great risk by keeping personal customer information for longer than they need to, or that is not necessary to its operations.
“I deal with data breaches every week, affecting tens of thousands of customers or employees,” says Grenier. “Where it hurts is when a company is keeping too much data; it creates the risk of facing a data breach, and the risk of a class action will be increased as well, and facilitated by the new legislation,” she adds. “This is something most companies need to improve [and] what makes the difference between a small incident and a very big one.”
Under the new privacy legislation clearer consent will be required of customers, and companies will have greater obligations regarding what they do with secondary use of information, Grenier says: for example, what a company might do with customer profile information after that person has opened an account. Companies will now be required to disclose what they do with all the information they collect, she says.
The manner of hacking into corporate accounts has also grown more vicious, Grenier notes. Several years ago one might see criminals hacking into a site and holding the data ransom by encrypting it; now they steal the information and sell it, or at least threaten to sell it, on the dark web or on an auction site. Worse, companies face sanctions if they are found to be at fault in the breach.
Companies must ensure that their privacy policies are worth the paper they’re written on -- or the websites they’re displayed on -- say Grenier and Fabiano.
“Sometimes there’s a gap between theory and practice,” Grenier notes. This must be addressed through vigilant employee training, regularly updating security policies, and understanding and honouring regulatory compliance obligations.
“You really do have to live privacy throughout your operations on a day-to-day basis,” Fabiano adds. “So if you haven't trained your people on privacy matters and in a way that's relevant to their day-to-day duties, you're just asking for trouble: … breaches, or lapses, that could be real headaches in the future.”
Addressing the privacy commissioner’s report, Desjardins said in a news release that it had improved its information security in the past 18 months, and in coming years planned to create a “digital identity platform,” to “allow information to be shared more securely and give people more control over their own data.”