Date post: 14-Apr-2017 | Category: Law | Upload: dan-michaluk
Privacy, Data Security and Anti-Spam Compliance
March 29, 2017
Dan Michaluk
Overview
• Privacy compliance
• Data security
• Anti-spam
Privacy Compliance
Commercial sector privacy legislation
• PIPEDA (federal)
• BC PIPA
• Alberta PIPA
• Manitoba PIPA
• Quebec Act
Privacy legislation in four bullet points
• Regulates flows of personal information – collection, use and disclosure
• Flows must be authorized, for reasonable purpose and necessary
• Accountability – structural, mandated openness, via access
• Reasonable data security – accuracy/integrity + protection
What’s new – PIPEDA now applies to applicants
• S-4 amendment changed the application provision of PIPEDA – 4(1)(b)
• Now applies to “an applicant for employment”
• Creates new constraint on Bank screening processes
• OPC can judge if a collection and use is reasonable
• Beware of Mark’s Work Wearhouse in Alberta regarding the use of credit profile information (P2010 IR 001)
What’s new – Guidance on investigations
• Can now share PI to investigate and to prevent breaches of law
• OPC issued warning in March 2017
  • Carry out due diligence and exercise good judgement when availing themselves of these exceptions
  • Carefully consider each of the requirements explicitly outlined in the provisions
  • Take care to ensure the limits set out in these provisions are respected
Data Security
The context
Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA
The regulatory framework
• Privacy legislation
• Reasonable security
• Breach notification in Alberta and soon under PIPEDA
• Bank Act and OSFI
• Securities and market participant regulation
The standard – Ashley Madison report
• Having documented security policies and procedures is a basic organizational security safeguard
• Conducting regular and documented risk assessments is an important organizational safeguard in and of itself
• Use multi-factor authentication for remote administrative access
The standard – OSFI self-assessment guide
“Desirable properties and characteristics of cybersecurity practices” in six areas
• Organization and resources
• Cyber risk and control assessment
• Situational awareness
• Threat and vulnerability risk management
• Cybersecurity incident management
• Cybersecurity governance
The standard – OSFI Guideline B-10 (Outsourcing)
• FRFIs are to
  • Evaluate the risks associated with all existing and proposed outsourcing arrangements;
  • Develop a process for determining the materiality of arrangements;
  • Implement a program for managing and monitoring risks, commensurate with the materiality of the arrangements;
  • Ensure that the board of directors, chief agent or principal officer receives information sufficient to enable them to discharge their duties under this Guideline; and
  • Refrain from outsourcing certain business activities to the external auditor
The Standard – CSA Staff Notice 11-332
• CSA says, “Hey! This is important!”
• Refers to 13 documents as “useful”
• No one size fits all, but here are 11 very general prescriptions – including on employee awareness, incident response, vendor management
Notification – Under PIPEDA (Pending)
• Reasonable to believe a real risk of significant harm
• To individuals and to OPC as soon as feasible
• To other organizations and government if doing so could reduce risks or mitigate harm
• Record of all breaches of security safeguards to be kept and provided to OPC on request
Notification – CSA Staff Notice 51-347
In considering whether and when to disclose a cyber security incident, the issuer must determine whether it is a material fact or material change that requires disclosure in accordance with securities legislation… Materiality depends on the contextual analysis of the cyber security incident. While an isolated cyber attack may not be material, a series of or frequent minor incidents may become material in light of the level and type of disruption caused.
CASL
How CASL spam regulation works
• Everything’s a CEM – a commercial electronic message – unless it isn’t
• Default – express consent to send a CEM
• Implied consent deemed in some circumstances
• Convey certain information in a CEM
• Provide and administer an opt out
CASL enforcement activity to date
• Compufinder (2015 notice of violation) – $1.1 million
• Porter (2015 undertaking) – $150,000
• Plentyoffish (2015 undertaking) – $200,000
• Rogers (2015 undertaking) – $48,000
• Blackstone Learning Corp (CRTC 2016-428) – $50,000
• William Rapanos (CRTC 2017-65) – $15,000
What’s new – Pending private right of action
• Implements (essentially) a private prosecution regime
• Three year limitation period
• Barred by pre-emptive regulator enforcement
• Order may be made
  • Compensation for special damage (if any)
  • Defined amounts per contravention
• Orders guided by factors