Review your data protection policies and procedures

With multiple infamous instances of law firm data breaches over the last few years, implementing security measures to protect electronically stored information has been a hot topic.

Kevin Cheung

Recent government action reiterates the importance of robust data protection. The federal government recently proposed the Breach of Security Safeguards Regulations, which would trigger the Personal Information Protection and Electronic Documents Act's mandatory notice and record-keeping requirements. The consequences of contravening PIPEDA can be severe, and small firms are not excluded from the obligations the legislation imposes.


PIPEDA applies to the collection, use or disclosure of personal information by every organization in the course of a commercial activity. It attempts to balance privacy rights of individuals with the needs of businesses to use or share information.  

While PIPEDA has been around since 2000, reporting data breaches has been voluntary up until the passing of the Digital Privacy Act in 2015. In fact, in response to recommendations in 2006 to create a system of breach notification, the Office of the Privacy Commissioner took the position that it should be up to the breached organization to voluntarily notify affected individuals and the privacy commissioner. In 2011, the second five-year review of PIPEDA again recommended mandatory notification obligations to no avail. The Digital Privacy Act finally succeeded in incorporating into PIPEDA mandatory notice and record-keeping requirements for data breaches.    

The provisions of PIPEDA to come into force include the following procedures in the event of a data breach: 

  • The organization must conduct a risk assessment to determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach. The assessment must consider the sensitivity of the information involved and the probability that the information will be misused;
  • When the organization considers that a breach is posing a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada;
  • The organization must notify any other organization that may be able to mitigate harm to affected individuals; and
  • The organization must maintain a record of any data breach that the organization becomes aware of and provide it to the commissioner upon request.

These provisions will come into effect when regulations outlining specific requirements are passed. The federal government has proposed such regulations: the Breach of Security Safeguards Regulations, which outline the content, form and manner of reporting and record-keeping for each instance of a breach of security safeguards. PIPEDA defines a breach of security safeguards as "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards . . . or from a failure to establish those safeguards."

The impact on small firms and their clients is potentially substantial. Contravention of PIPEDA results in fines of up to $10,000 for a summary offence and up to $100,000 for an indictable offence.   

Updating law firm security measures 

Law firms are in a particularly vulnerable position: they hold vast amounts of sensitive information, and many lawyers rely on outdated or lax security measures. The proposed regulations should be a final wake-up call to revisit those measures and ensure that they properly protect personal information.

Some common and cost-effective measures that small firms can take include:

  • use two-factor authentication for all accounts that offer such a feature (and those that do not should be scrutinized carefully before adopting such services);
  • ensure all software is up to date;
  • use a password manager and generator;
  • encrypt any portable media, such as hard drives or USB keys; and
  • ensure procedures for storing, securing and destroying personal information are in place and ensure that staff are well trained in these procedures.

The mandatory reporting requirements and associated regulations have not come into force yet, though they will be a fact sooner rather than later. As such, now is a great opportunity for your firm to audit its security measures, as well as update policies and procedures to comply with upcoming legislative changes.
