Review your data protection policies and procedures

With multiple infamous instances of law firm data breaches over the last few years, implementing security measures to protect electronically stored information has been a hot topic.

Kevin Cheung

With multiple infamous instances of law firm data breaches over the last few years, implementing security measures to protect electronically stored information has been a hot topic.

Recent government action reiterates the importance of robust data protection. The federal government recently proposed the Breach of Security Safeguards Regulations, which would trigger the Personal Information Protection and Electronic Documents Act's mandatory notice and record-keeping requirements. Though consequences of contravening PIPEDA can be severe, small firms are not excluded from obligations imposed under the legislation.  


PIPEDA applies to the collection, use or disclosure of personal information by every organization in the course of a commercial activity. It attempts to balance privacy rights of individuals with the needs of businesses to use or share information.  

While PIPEDA has been around since 2000, reporting data breaches has been voluntary up until the passing of the Digital Privacy Act in 2015. In fact, in response to recommendations in 2006 to create a system of breach notification, the Office of the Privacy Commissioner took the position that it should be up to the breached organization to voluntarily notify affected individuals and the privacy commissioner. In 2011, the second five-year review of PIPEDA again recommended mandatory notification obligations to no avail. The Digital Privacy Act finally succeeded in incorporating into PIPEDA mandatory notice and record-keeping requirements for data breaches.    

The provisions of PIPEDA to come into force include the following procedures in the event of a data breach: 

  • The organization must conduct a risk assessment to determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach. The assessment must consider the sensitivity of the information involved and the probability that the information will be misused;
  • When the organization considers that a breach is posing a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada;
  • The organization must notify any other organization that may be able to mitigate harm to affected individuals; and
  • The organization must maintain a record of any data breach that the organization becomes aware of and provide it to the commissioner upon request.

These provisions will come into effect when regulations outlining specific requirements are passed. The federal government has proposed such regulations — the proposed Breach of Security Safeguard Regulations, which outline the content, form and manner of reporting and record-keeping for each instance of a breach of security safeguards. PIPEDA defines breach of security safeguards as "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards . . . or from a failure to establish those safeguards."    

The impact on small firms and their clients is potentially substantial. Contravention of PIPEDA results in fines of up to $10,000 for a summary offence and up to $100,000 for an indictable offence.   

Updating law firm security measures 

Given that law firms are in a particularly vulnerable position due to the vast amount of sensitive information they hold and the outdated or lax security measures taken by many lawyers, the proposed regulations should be a final wake-up call to revisit security measures to ensure that they properly protect personal information.    

Some common and cost-effective measures that small firms can take include:

  • use two-factor authentication for all accounts that offer such a feature (and those that do not should be scrutinized carefully before adopting such services);
  • ensure all software is up to date;
  • use a password manager and generator;
  • any portable media, such as hard drives or USB keys, should be encrypted; and 
  • ensure procedures for storing, securing and destroying personal information are in place and ensure that staff are well trained in these procedures.

The mandatory reporting requirements and associated regulations have not come into force yet, though they will be a fact sooner rather than later. As such, now is a great opportunity for your firm to audit its security measures, as well as update policies and procedures to comply with upcoming legislative changes.


Free newsletter

The Canadian Legal Newswire is a FREE newsletter that keeps you up to date on news and analysis about the Canadian legal scene. A separate InHouse Edition is delivered bi-weekly, providing targeted news and information of interest to in-house counsel.

Please enter your email address below to subscribe.

Recent articles & video

Jordan trial delay limits for adults apply to youth criminal trials: SCC

Torkin Manes adds Ted Citrome to its tax law group

StopSOP and the limits of self-regulation: what the statement of principles tells us

Pilot project tests virtual meeting platform

Two global law firms make Fortune list of parent-friendly workplaces

SCC restores acquittals of naturopath convicted of unlawful death manslaughter

Most Read Articles

Nova Scotia scrapping bar exam in overhaul of bar admission process

Self-regulation: the end of an era? Lawyer discipline and the role of law societies

WOMEN IN LAW - Leila Rafi gets real on helping associates see light at the end of the tunnel

B.C. bencher candidate says past advocating for Indigenous people fits Law Society of B.C.’s present