1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Enforcement Notice: First text message case under CASL

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced the first undertaking and fine involving text message violations under Canada’s Anti-Spam Legislation (CASL). This first, involves Quebec-based 514-BILLETS, a ticket broker for sporting and cultural events.

Between July 2014 and January 2016, the CRTC alleges 514-BILLETS sent text messages to recipients without their consent. The CRTC also alleges the company sent text messages without information that identified who sent the messages as well as failed to provide information to recipients that would allow them to easily contact 514-BILLETS.

514-BILLETS has agreed to pay  a total of $100,000 in compensation, appoint a compliance officer and institute a CASL-compliance program. 514-BILLETS will pay $75,000 in the form of $10 rebate couples to 7,500 clients and $25,000 to the Receiver General of Canada.

The CRTC’s media release can be read here.

Enforcement Notice: First text message case under CASL

SEC Updates Guidance On Cybersecurity Risk And Incident Disclosure Requirements

The United States Securities and Exchange Commission (SEC) recently published updated interpretative guidance concerning the duty of covered public companies to disclose certain material cybersecurity risks and incidents when filing with the SEC. Entitled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” the new guidance clarifies and expands upon an October 2011 guidance issued by the the SEC’s Division of Corporation Finance, and outlines the SEC’s views as to when cybersecurity risks or incidents must be disclosed to the SEC and investors.

Summary of New Guidance

The new SEC guidance has two areas of focus: (1) it reminds companies of their disclosure obligations generally, and how those obligations relate to cybersecurity risks and incidents; and (2) it provides additional guidance regarding the adequacy of company controls and procedures concerning the disclosure of cybsersecurity risks and incidents, including the need for a policy to prohibit insider trading on nonpublic information about cybersecurity risks or incidents.

Cybersecurity Disclosure Obligations – Generally

Public companies are required to file periodic reports with the SEC, including on Forms 10-K and 10-Q, disclosing material information concerning:

  1. Business risk factors;
  2. Business operations and financial condition;
  3. A description of the business;
  4. Legal proceedings;
  5. Board oversight risk; and
  6. A description of the company’s disclosure controls and procedure.

Certain public companies are also required to file Securities Act and Exchange Act registration statements that disclose all material facts required to be stated or necessary to make the statements not misleading, and current reports on Forms 8-K and 6-K to maintain the accuracy and completeness of the registration statements. Public companies are also required to disclose “such further material information” as may be necessary to make the required statements, “in light of the circumstances under which they are made, not misleading.” The SEC “considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.”

According to the SEC, only “material” cybersecurity risks and incidents need be disclosed. Whether a particular risk or incident is “material,” in the view of the SEC, will depend on the “nature, extent, and potential magnitude” of the particular risk or incident, and on the “range of harm that such incidents could cause.” Accordingly, companies should consider the “indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of company activity[,]” including harm to a company’s reputation, financial performance, customer and vendor relationships, and the possibility of “litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.”

Specific to the six categories of disclosure outlined above, the new guidance addresses how cybersecurity risks and incidents should be addressed:

Risk Factors

Covered public companies are required to disclose the “most significant factors that make investments in the company’s securities speculative or risky.” When evaluating cybersecurity risk factor disclosure, the SEC advises companies to consider:

  • The occurrence of prior cybersecurity incidents, including their severity and frequency;
  • The probability of the occurrence and potential magnitude of cybersecurity incidents;
  • The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
  • The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including third-party vendor risks;
  • The costs associated with maintaining cybersecurity protections, including insurance coverage;
  • The potential for reputational harm;
  • Existing or pending laws and regulations that may impact the companies’ compliance with regard to cybesercurity, and the associated costs with such compliance; and
  • Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

The SEC notes companies “may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.” For example, if a “company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur. Instead, the company may need to discuss the occurrence of that cybersecurity incident and its consequences as part of a broader discussion of the types of potential cybersecurity incidents that pose particular risks to the company’s business and operations.” The SEC also notes that past incidents involving suppliers, customers, competitors, and others “may be relevant when crafting risk factor disclosure.”

Business Operations and Financial Condition

Covered public companies are required to discuss their financial condition, changes in financial condition, and results of operations in their public disclosures. According to the SEC, these items require a discussion of “events, trends, or uncertainties that are reasonably likely to have a material effect on its results of operations, liquidity, or financial condition, or that would cause reported financial information not to be necessarily indicative of future operating results or financial condition and such other information that the company believes to be necessary to an understanding of its financial condition, changes in financial condition, and results of operations.”

In this context, the SEC notes the cost of ongoing cybersecurity efforts, the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents could inform a company’s analysis. In measuring cybersecurity costs, the SEC says companies “may consider the array of costs associated with cybersecurity issues,” including costs associated with:

  • Loss of intellectual property;
  • Immediate costs of the incident;
  • Implementing preventative measures;
  • Maintaining insurance;
  • Responding to litigation and regulatory investigations;
  • Preparing for and complying with proposed or current legislation;
  • Engaging in remediation efforts;
  • Addressing harm to reputation; and
  • Loss of competitive advantage.

Description of Business

Covered public companies are required to discuss their products, services, relationships with customers and suppliers, and competitive conditions. The SEC advises companies to disclose cybersecurity incidents or risks if they “materially affect” any of these disclosure requirements.

Legal Proceedings

Covered public companies must disclose information relating to material pending legal proceedings to which they or their subsidiaries are a party. The SEC makes clear that this disclosure requirement includes “any such proceedings that relate to cybersecurity issues.” For example, if a company experiences a cybersecurity incident “involving the theft of customer information and the incident results in material litigation by customers against the company, the company should describe the litigation, including the name of the court in which the proceedings are pending, the date the proceedings are instituted, the principal parties thereto, a description of the factual basis alleged to underlie the litigation, and the relief sought.”

Financial Statements

The SEC advises companies that their financial reporting and controls systems must be “designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available.” Cybersecurity incidents and risks may impact a company’s financial statements by resulting in:

  • Expenses related to investigation, breach notification, remediation and litigation, and the costs of legal and other professional services;
  • Loss of revenue, providing customers “with incentives or a loss of customer relationship assets value;”
  • Claims related to warranties, breach of contract, product recall/replacement, indemnification, and insurance premium increases; and
  • Decreased cash flow, and impairment of assets.

Board Oversight Risk

Covered public companies are required to disclose the extent of their board of directors’ role in the risk oversight of the company, including how the board administers its oversight function and the effect that has on the board’s leadership. The SEC’s new guidance makes clear that to the extent “cybersecurity risks are material to a company’s business,” such discussion “should include the nature of the board’s role in overseeing the management of that risk.” This disclosure will allow investors to “assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”

Disclosure Controls and Procedures

The SEC encourages companies to “adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.” Specifically, companies should asses whether they have sufficient disclosure controls and procedures in place to “ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate ppersonnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.”

When designing and evaluating disclosure controls and procedures, the SEC advises companies to “consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings.” Controls and procedures, according to the SEC, should enable companies to:

  • Identify cybersecurity risks and incidents;
  • Assess and analyze their impact on a company’s business;
  • Evaluate the significance associated with such risks and incidents;
  • Provide for open communications between technical experts and disclosure advisors; and
  • Make timely disclosures regarding such risks and incidents.

With regard to the requirement that a company’s principal executive officer and principal financial officer make certifications regarding the design and effectiveness of disclosure controls and procedures, the SEC says such certifications and disclosures “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.” In addition, if the cybersecurity risk or incident poses a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed, management “should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.”

Insider Trading

In addition to the disclosure obligations set forth above, the new SEC guidance also advises companies, their directors, officers, and other corporate insiders to comply with “the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches.” Specifically, the SEC notes that information about a company’s cybersecurity risks and incidents “may be material nonpublic information, and directors, officers, and other corporate insiders would violate the antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.”

The SEC also encourages companies to consider how their codes of ethics and insider trading policies “take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents.” Additionally, while companies are investigating and assessing cybersecurity incidents, companies “should consider whether and when it may be appropriate to implement restrictions on insider trading in their securities.”

Takeaways

The SEC makes clear in its new guidance that it is not advising companies to “make detailed disclosures that could compromise its cybersecurity efforts[.]” For example, companies are not required to provide a “roadmap” for malicious actors to penetrate the company’s cybersecurity protections. Nor does the SEC “expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.”

Instead, the SEC advises companies to “disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.” The SEC further requires companies to “make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders) from trading its securities until investors have been appropriately informed about the incident or risk.”

The SEC makes clear in its new guidance that it expects companies to “provide disclosure that is tailored to their particular cybersecurity risks and incidents.” To that end, companies are advised to “avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.” If you or your company is subject to these SEC disclosure requirements, or have questions about the SEC’s new guidance, please reach out to the Dentons cybersecurity team to discuss how our cost effective strategies can help mitigate your risk and provide an assessment of your overall cybersecurity reporting readiness.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral NetworkThe Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

 

SEC Updates Guidance On Cybersecurity Risk And Incident Disclosure Requirements

CASL: A Call for Clarity

Today the Standing Committee on Industry, Science and Technology presented its report on Canada’s Anti-Spam Law (CASL) to the House of Commons, as part of the three-year CASL statutory review.

The report title is telling:  Canada’s Anti-Spam Legislation: Clarifications are in Order.  Having heard 40 witnesses ranging from CRTC counsel and enforcement staff, to small and large businesses and business associations, to consumer protection and privacy experts, the Committee made a strong call for clearer legislation, guidance, and compliance decisions.

The Committee noted that those affected by CASL (for better or worse) disagreed on important issues such as whether CASL has actually reduced spam, and whether the proposed private right of action (currently on hold indefinitely) should be enacted, amended, or scuttled altogether.  However, stakeholders almost all agreed on the need for the CRTC – the government’s principal enforcement agency – to step up with better guidance, in the form of more, and more accessible, interpretation guidelines and decisions.

It is worth noting that 6 of the 13 Committee recommendations expressly called to “clarify” aspects of the legislation or its application.  These recommendations refer to fundamental aspects of the law including what exactly is a “commercial electronic message”, which is the very subject of the anti-spam component of the Act.

Indeed, CRTC staff pointed to inconsistencies and redundancies in the law with respect to core definitions and exceptions.

The Committee appears to have clearly heard how time-consuming, resource-intensive and costly it can be for an organization to implement and operate a CASL compliance program, given both the details and uncertainties involved.  The published decisions and compliance undertakings made publicly available in the past three years have not provided much additional information or certainty.  Various witnesses before the Committee raised concerns that enforcement has focused on “well meaning” organizations that made errors in judgment or implementation, rather than the real “bad actors” responsible for malicious or disruptive electronic messages.

We agree with the Committee that clarifications are in order, particularly (but not only) if the government has any intention of revisiting the private right of action under CASL.

The Committee has requested that the government table a substantive reponse to its report.  We’ll be watching to see how far the government will go to address perceived shortcomings in this regime.  Three years is long enough to assess those shortcomings, and long enough to wait for clarity.

 

CASL: A Call for Clarity

Private Right of Action under CASL coming July 2017

Canada’s Anti-Spam Law came into force on July 1, 2014.  Since then, all eyes have been on the Canadian Radio-television and Telecommunications Commission (CRTC) for decisions concerning CASL violations.  In the cases made public to date, monetary penalties or settlement payments have ranged from $48,000 to $1.1 million.  Canadian and foreign companies have learned some things in the past two years about how CASL applies to their business, and many have taken steps to put in place policies and procedures to avoid violations.

Whatever steps you have taken to date, 2017 will be the time to revisit CASL compliance

On July 1, 2017, the private right of action (PRA) comes into force under CASL.  An individual or organization who is affected by a contravention may litigate to enforce the new private rights directly.  While CASL does not expressly provide for class actions, it is broadly expected that such actions will be launched to permit large numbers of applicants (for example, the recipients of alleged spam) to pursue compensation as a group.

Where the court finds a violation, it may order not only compensation for the applicant’s damages, but also monetary payments up to the following amounts:

  • for sending commercial electronic messages contrary to CASL – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred
  • for altering the transmission data of a commercial electronic message – a maximum of $1 million for each day that the conduct occurred
  • for installing apps or other computer programs contrary to CASL – a maximum of $1 million for each day that the conduct occurred
  • for scraping, generating or otherwise accessing electronic addresses contrary to PIPEDA – a maximum of $1 million for each day that the conduct occurred
  • for sending commercial electronic messages with false or misleading information, including sender, locator or subject matter information, contrary to the Competition Act – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred

When the court sets the amount to be paid, it must consider the purpose of the payment order – which “is to promote compliance…and not to punish”, the nature and scope of the violation, the history of compliance, any financial benefit or compensation from the conduct, ability to pay, and “any other relevant factor”.

CASL also provides for extended liability.  Directors, officers, agents or mandataries of a corporation may be liable if they directed, authorized, assented to or participated in the contravention.  Where an employee’s conduct in the course of his or her employment breaches CASL, the employer may be vicariously liable.

Revisiting CASL

CASL provides that where a person establishes that they exercised due diligence to prevent a violation, they cannot be found to have contravened CASL.  Despite this provision, a number of well-meaning businesses have been found offside CASL’s provisions, have made significant penalty or settlement payments, and in some cases have received negative media coverage for their failure to meet CASL requirements.

In July 2017, the risk exposure will increase.  Now is the time to revisit your CASL compliance.

  1. Discuss with your Board and Senior Management team why you need to revisit CASL in 2017.
  2. Make sure that you have a CASL Compliance Policy and Procedure that covers your operations, and that is easy for employees to understand and use.
  3. Ensure that existing and new employees have access to – and receive appropriate training in – the Policy and Procedure.
  4. Conduct an audit under the Compliance Policy and Procedure, including how consent is obtained and documented; whether unsubscribe requests are fulfilled quickly; whether CASL-compliant message templates are consistently used; how complaints are addressed (etc.).
  5. Consider whether you need to check in with service providers (to send messages or install apps or other computer programs) about their CASL compliance.
  6. Consider whether service provider contracts include the appropriate clauses to address CASL compliance, liability, and indemnification.

See also:

Lessons Learned: E-Learning Company Faces $50K Spam Fine

CRTC Enforcement Advisory – Records to Show Consent

Privacy Law and Anti-Spam – Guidance from the Office of the Privacy Commissioner

Canada’s Anti-Spam Law: Not just for Canadians

CASL Applies to Software January 15 2015

New CASL Compliance and Enforcement Guidelines

 

, ,

Private Right of Action under CASL coming July 2017

HHS Issues Warning About Phishing Campaign Disguised As Official Communication

As part of its efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) engages in audits of covered entities and their business associates.

On November 28, 2016, the OCR issued an alert warning covered entities about a phishing e-mail that is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels.  The e-mail purportedly prompts the receiver to click a link regarding possible inclusion in the HIPPA Privacy, Security, and Breach Rules and Audit Program, and directs the recipient to a non-governmental website.  The phishing e-mail originates from the e-mail address OSOCRAudit@hhs-gov.us and directs individuals to http://www.hhs-gov.us.  This is a slight difference from the official e-mail address for the HIPAA audit program, OSOCRAudit@hhs.gov, and the official HHS website http://www.hhs.gov.

The OCR advises covered entities and their business associates to alert employees of this issue and take note that official communications regarding the HIPAA audit program are to be sent to selected auditees from the official e-mail address OSOCRAudit@hhs.gov.

A copy of the OCR alert can be found here.

If you or one of your entities has received this phishing e-mail, the Dentons Privacy and Cybersecurity Law Group is available to help you navigate next steps.

HHS Issues Warning About Phishing Campaign Disguised As Official Communication