Review your data protection policies and procedures

With multiple infamous instances of law firm data breaches over the last few years, implementing security measures to protect electronically stored information has been a hot topic.

Kevin Cheung

Recent government action reiterates the importance of robust data protection. The federal government recently proposed the Breach of Security Safeguards Regulations, which would trigger the Personal Information Protection and Electronic Documents Act's mandatory notice and record-keeping requirements. The consequences of contravening PIPEDA can be severe, and small firms are not excluded from the obligations imposed under the legislation.

PIPEDA 

PIPEDA applies to the collection, use or disclosure of personal information by every organization in the course of a commercial activity. It attempts to balance privacy rights of individuals with the needs of businesses to use or share information.  

While PIPEDA has been around since 2000, reporting data breaches was voluntary until the passing of the Digital Privacy Act in 2015. In fact, in response to recommendations in 2006 to create a system of breach notification, the Office of the Privacy Commissioner took the position that it should be up to the breached organization to voluntarily notify affected individuals and the privacy commissioner. In 2011, the second five-year review of PIPEDA again recommended mandatory notification obligations, to no avail. The Digital Privacy Act finally succeeded in incorporating mandatory notice and record-keeping requirements for data breaches into PIPEDA.

The provisions of PIPEDA to come into force include the following procedures in the event of a data breach: 

  • The organization must conduct a risk assessment to determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach. The assessment must consider the sensitivity of the information involved and the probability that the information will be misused;
  • When the organization considers that a breach poses a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada;
  • The organization must notify any other organization that may be able to mitigate harm to affected individuals; and
  • The organization must maintain a record of any data breach that the organization becomes aware of and provide it to the commissioner upon request.

These provisions will come into effect when regulations outlining specific requirements are passed. The federal government has proposed such regulations — the proposed Breach of Security Safeguards Regulations, which outline the content, form and manner of reporting and record-keeping for each instance of a breach of security safeguards. PIPEDA defines a breach of security safeguards as "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards . . . or from a failure to establish those safeguards."

The impact on small firms and their clients is potentially substantial. Contravention of PIPEDA results in fines of up to $10,000 for a summary offence and up to $100,000 for an indictable offence.   

Updating law firm security measures 

Law firms are in a particularly vulnerable position because of the vast amount of sensitive information they hold and the outdated or lax security measures taken by many lawyers. The proposed regulations should therefore be a final wake-up call to revisit security measures and ensure that they properly protect personal information.

Some common and cost-effective measures that small firms can take include:

  • use two-factor authentication for every account that offers it (and scrutinize carefully any service that does not offer it before adopting that service);
  • keep all software up to date;
  • use a password manager and password generator;
  • encrypt any portable media, such as hard drives or USB keys; and
  • ensure procedures for storing, securing and destroying personal information are in place, and ensure that staff are well trained in these procedures.

The mandatory reporting requirements and associated regulations have not come into force yet, though they will be a fact sooner rather than later. As such, now is a great opportunity for your firm to audit its security measures, as well as update policies and procedures to comply with upcoming legislative changes.
