1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Private Right of Action under CASL coming July 2017

Canada’s Anti-Spam Law came into force on July 1, 2014.  Since then, all eyes have been on the Canadian Radio-television and Telecommunications Commission (CRTC) for decisions concerning CASL violations.  In the cases made public to date, monetary penalties or settlement payments have ranged from $48,000 to $1.1 million.  Canadian and foreign companies have learned some things in the past two years about how CASL applies to their business, and many have taken steps to put in place policies and procedures to avoid violations.

Whatever steps you have taken to date, 2017 will be the time to revisit CASL compliance

On July 1, 2017, the private right of action (PRA) comes into force under CASL.  An individual or organization who is affected by a contravention may litigate to enforce the new private rights directly.  While CASL does not expressly provide for class actions, it is broadly expected that such actions will be launched to permit large numbers of applicants (for example, the recipients of alleged spam) to pursue compensation as a group.

Where the court finds a violation, it may order not only compensation for the applicant’s damages, but also monetary payments up to the following amounts:

  • for sending commercial electronic messages contrary to CASL – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred
  • for altering the transmission data of a commercial electronic message – a maximum of $1 million for each day that the conduct occurred
  • for installing apps or other computer programs contrary to CASL – a maximum of $1 million for each day that the conduct occurred
  • for scraping, generating or otherwise accessing electronic addresses contrary to PIPEDA – a maximum of $1 million for each day that the conduct occurred
  • for sending commercial electronic messages with false or misleading information, including sender, locator or subject matter information, contrary to the Competition Act – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred

When the court sets the amount to be paid, it must consider the purpose of the payment order – which “is to promote compliance…and not to punish”, the nature and scope of the violation, the history of compliance, any financial benefit or compensation from the conduct, ability to pay, and “any other relevant factor”.

CASL also provides for extended liability.  Directors, officers, agents or mandataries of a corporation may be liable if they directed, authorized, assented to or participated in the contravention.  Where an employee’s conduct in the course of his or her employment breaches CASL, the employer may be vicariously liable.

Revisiting CASL

CASL provides that where a person establishes that they exercised due diligence to prevent a violation, they cannot be found to have contravened CASL.  Despite this provision, a number of well-meaning businesses have been found offside CASL’s provisions, have made significant penalty or settlement payments, and in some cases have received negative media coverage for their failure to meet CASL requirements.

In July 2017, the risk exposure will increase.  Now is the time to revisit your CASL compliance.

  1. Discuss with your Board and Senior Management team why you need to revisit CASL in 2017.
  2. Make sure that you have a CASL Compliance Policy and Procedure that covers your operations, and that is easy for employees to understand and use.
  3. Ensure that existing and new employees have access to – and receive appropriate training in – the Policy and Procedure.
  4. Conduct an audit under the Compliance Policy and Procedure, including how consent is obtained and documented; whether unsubscribe requests are fulfilled quickly; whether CASL-compliant message templates are consistently used; how complaints are addressed (etc.).
  5. Consider whether you need to check in with service providers (to send messages or install apps or other computer programs) about their CASL compliance.
  6. Consider whether service provider contracts include the appropriate clauses to address CASL compliance, liability, and indemnification.

See also:

Lessons Learned: E-Learning Company Faces $50K Spam Fine

CRTC Enforcement Advisory – Records to Show Consent

Privacy Law and Anti-Spam – Guidance from the Office of the Privacy Commissioner

Canada’s Anti-Spam Law: Not just for Canadians

CASL Applies to Software January 15 2015

New CASL Compliance and Enforcement Guidelines

 

, ,

Private Right of Action under CASL coming July 2017

FTC Announces New Guidance on Ransomware

On November 10, 2016, the U.S. Federal Trade Commission (FTC) released new guidance for businesses and consumers on the impact of, and how to respond to ransomware.  Ransomware is a form of malicious software that infiltrates computer systems or networks and uses tools like encryption to deny access or hold data hostage until the victim pays a ransom.  Ransomware incidents have increased over the past year, including a number of high-profile attacks on health care organizations.

Business Guidance

For businesses, the FTC released Ransomware – A closer look with a companion video Defend against Ransomware.  A copy of both can be found here.

According to the FTC, if your business holds consumers’ sensitive information “you should be concerned about the threat of ransomware.”  The FTC notes it can impose “serious economic costs on businesses because it can disrupt operations or even shut down a business entirely.”

In order to defend against ransomware attacks, the FTC recommends businesses invest in prevention through:

  • Training and education: Implement education and awareness programs to train employees to exercise caution online and avoid phishing attacks.
  • Cyber hygiene:  Practice good security by implementing basic cyber hygiene principles (including updating software, and implementing new procedures for users).
  • Backups:  Backup data early and often.
  • Planning:  Plan for an attack.  Develop and test incident response and business continuity plans.

For those businesses hit with a ransomware attack, the FTC recommends organizations take the following steps:

  • Implement the continuity plan:  Have a tested incident response and business continuity plan in place.
  • Contact law enforcement:  Immediately contact law enforcement, such as a local FBI field office, if an attack is discovered.
  • Contain the attack:  Keep ransomware from spreading to networked drives by disconnecting the infected device from the network.

Consumer Guidance

For consumers, the FTC released How to defend against ransomware.  A copy of this guidance can be found here.  The FTC recommends consumers take the following steps to protect against ransomware:

  • Update your software:  Use anti-virus software and keep it up to date.  Set your operating system, web browser and security software to update automatically, and on mobile devices do it manually.
  • Think twice before clicking on links or downloading attachments or applications:  You can get ransomware from visiting a compromised site or through malicious online ads.
  • Back up files:  Back up files whenever possible, and make it part of your routine.

If you are a victim of a ransomware attack, the FTC recommends:

  • Disconnecting the infected devices from the network;
  • Restoring the infected device where possible; and
  • Contacting law enforcement.

Next Steps

If you or your organization becomes a victim of ransomware, or you are interested in developing a comprehensive prevention plan, Dentons’ Privacy and Cybersecurity Group is ready to help.

FTC Announces New Guidance on Ransomware

NIST and USCG Issue New Maritime Industry Cybersecurity Profile

In 2013, President Obama issued Executive Order 13636 and directed the Director of the National Institute of Standards and Technology (NIST) to “lead the development of a framework to reduce cybersecurity risks to critical infrastructure” (Cybersecurity Framework).  The Cybersecurity Framework was published in February 2014.  A number of industries are integrating the Cybersecurity Framework, including by creating industry-focused Framework Profiles (Profiles) as described in the Cybersecurity Framework.

This month, NIST and the United States Coast Guard (USCG) released a “Maritime Bulk Liquids Transfer Cybersecurity Framework Profile” (Bulk Liquids Transfer Profile) to address the vulnerabilities in the transfer process of bulk hazardous liquids in the maritime industry.  These transfers are often a part of a sophisticated supply chain that uses multiple networked systems, and is therefore vulnerable to attack.   The new profile serves to assist in cybersecurity risk assessments for those entities involved in maritime bulk liquids transfer operations as overseen by the USCG, and is intended to act as “non-mandatory guidance to organizations conducting” maritime bulk liquids transfer operations within facilities and vessels under the regulatory control of the USCG under the Code of Federal Regulations 33 CFR 154-156.

The stated benefits of creating the new Bulk Liquids Transfer Profile include:

  • Compliance reporting becoming a byproduct of running an organization’s security operation;
  • Adding new security requirements will become more straightforward;
  • Adding or changing operational methodology will be less intrusive to ongoing operations;
  • Minimizing future work by future organizations;
  • Decreasing the chance that organizations will accidentally omit a requirement;
  • Facilitating understanding of the bulk liquid transfers environment to allow for consistent analysis of cybersecurity-risk; and
  • Aligning industry and USCG cybersecurity priorities.

Other benefits include strengthening strategic communications between:

  • Risk executives and operational technology integration of cybersecurity capabilities;
  • Personnel involved in cybersecurity governance processes and operational technology oversight; and
  • Enterprises who are just becoming aware of cybersecurity recommended practices with subject matter expertise and the collective wisdom of industry experts.

The new profile can be found here.

NIST and USCG Issue New Maritime Industry Cybersecurity Profile

Germany to audit 500 companies on data transfers

Germany to audit 500 companies

The German data protection authorities have announced today that they have chosen 500 companies throughout Germany to audit their transfer of personal data to the US and other countries (eg. India).  The targets were chosen by random and cover small, medium-size and also large companies known to transfer data of their customers or employees from Germany to the US. Cloud computing and office software applications are in their focus. The different approach towards data privacy in the US – especially made apparent by Snowden –  has made many EU authorities criticize the US use of personal data as not being adequate to the data protection level of the EU.

Context

The Safe Harbor self-certification option for commercial entities in the US, a commonly used tool agreed between the EU Commission and the US Department of Commerce to safeguard an EU data protection level at US companies, was declared void by the CJEU in its Schrems decision. The new regime known as the “EU US Privacy Shield” went live is August. Also, companies have the option to agree bilateral EU Standard Contractual Clauses or to establish binding corporate rules.

Beware Cloud and SaaS

Now, the German authorities want to audit German companies and German branches of companies from abroad to check if and how they are complying. Especially it is expected that they want to investigate if there are transfer regimes in place and if the old Safe Harbor approach is still in use. Use of the cloud and SaaS vendors will be a focus.

Once more this is a warning sign that authorities of EU Member States are using their administrative authorities to enforce EU data protection law especially of consumers but also employees. Germany is being particularly active.

What happens next?

The German data protection authorities will approach companies by sending a letter requesting information on their practice of data transfer to the US. Depending on the response, the German authorities make more requests or site inspections may follow. The authorities will also likely direct the companies’ in-house Data Protection Officers to assist them with their requests.

If companies have received such requests they should carefully draft their response. As these requests usually provide for sufficient time to react, there may still be time to establish safeguards like EU Standard Contractual Clauses.  But planning now is key.

Prepared by Christian Schefold, Christoph Zieger and Ariane Loof of Dentons Germany

Germany to audit 500 companies on data transfers

Lessons Learned: E-Learning Company Faces $50,000 Spam Fine

The Canadian Radio-television and Telecommunications Commission (CRTC) has issued its first Compliance and Enforcement Decision* under Canada’s Anti-Spam Law (CASL).  The Commission confirmed the staff finding that Blackstone Learning Corp. had committed 9 violations of CASL by sending almost 400,000 emails in 2014 without proper consent.  However, the Commission reduced the administrative monetary penalty originally set in the notice of violation from $640,000 to $50,000.  While it is open to Blackstone to appeal the decision, meaning that we may not have heard the last of this case, the Commission’s decision provides useful commentary on its approach to CASL compliance and enforcement.  The following are lessons learned under two headings: implied consent, and what we will refer to as “sender conduct”.

Email addresses posted online – ripe for the picking as “implied consent”?

Not so fast, cautions the CRTC.  While addresses that have been “conspicuously published” online or otherwise may qualify for implied consent, this “does not provide persons sending commercial electronic messages [CEMs] with a broad licence to contact any electronic address they find online”.  The CASL conditions attached to “conspicuous publication” set a higher standard than that.  As a starting point, the person who receives the email message must have posted his address himself, or authorized it to be posted.  Often, an employer will post contact information including an employee’s email address, which for the purposes of CASL implies that CEMs can be sent IF there is no indication otherwise, and IF the messages are relevant to the person’s business role or function.

As the CRTC points out, if a business chooses to advertise through a third party (our example: an online service provider listing) and includes an employee’s contact information along with the ad, this can be the basis for implied consent to contact the employee in relation either to the ad or to the employee’s role, because the account holder (the employer) caused the publication.  Implied consent stops there:  if the listing service goes on to copy or sell the list of addresses on its own, new senders can no longer count on the “conspicuous publication” implied consent, because the account holder did not authorize any further publication.

Lesson learned:  Implied consent is evaluated on a case-by-case basis.  Under CASL, the onus is on the sender to prove consent.  The CRTC “stress[es] the importance of detailed and effective record-keeping for this reason.”

What is a “reasonable” monetary penalty under the CASL regime?  How important are the sender’s conduct and circumstances?

CRTC staff set out an administrative monetary penalty (AMP) of $640,000 in the notice of violation issued to Blackstone.  Having determined that Blackstone did commit the CASL violations, the Commission considered whether the AMP was reasonable.  CASL sets out a number of factors to be taken into consideration.

  • purpose of the penalty: the Commission stated that the amount must be representative of the violations, and have enough of an impact on a person to promote changes in behavior, in effect a second chance. An amount high enough to put a person out of business would mean he would no longer have that second chance.  An AMP of $640,000 would be too high.
  • nature and scope of the violations:  while almost 400,000 non-compliant messages were sent, were disruptive to the recipients, and prompted at least 60 complaints to the Spam Reporting Centre, the violations took place over only 2 months, and suggests that an AMP of $640,000 would be too high.
  • ability to pay:  based on the evidence, an AMP of $640,000 would significantly exceed Blackstone’s ability to pay.
  • other factors – cooperation and self-correction:  Blackstone’s failure to cooperate with the investigation increased the need for a penalty to ensure future compliance. However, the Commission saw some possibility of “self-correction” going forward, which suggested that a lower AMP would be appropriate.

The Commission decided on the amount of $50,000.  The Commission noted that Blackstone did not have the benefit of more recent CASL guidance which is now available to everyone online.  This should be read as a thinly-veiled direction to others:  the decision cites The Commission’s Guidance on Implied Consent for CASL and also the Department of Industry’s Fightspam information website for businesses and individuals.

Lesson learned:  the Commission expects organizations to do their homework, to cooperate with investigations, and to self-correct when they discover mistakes.

We have been assisting many organizations in Canada and other countries to adapt their practices to comply with CASL.  Let us know if we can help you.

*A number of organizations have been subject to CASL enforcement since the Act came into force in July 2014; some of these cases have not been made public, and others have been publicly available only through brief settlement summaries.  This is the first Commission decision reviewing a Compliance and Enforcement Sector notice of violation.

,

Lessons Learned: E-Learning Company Faces $50,000 Spam Fine