1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Déjà Vu – Canada’s Breach Reporting and Notification Requirements

On September 2, 2017, the Ministry of Innovation, Science and Economic Development Canada (ISED) published draft Breach of Security Safeguards Regulations. The draft Regulations will be open for comment for 30 days. If the Regulations are not further amended by ISED, they may be registered and republished. ISED has stated that there will be a delay between finalizing the Regulations and their coming into force to permit organizations time to implement any necessary organizational changes.

ISED has drafted Regulations that hew close to similar regulations under Alberta’s Personal Information Protection Act. Far from being unsettling, this sense of  déjà vu will be welcome for organizations concerned about coping with divergent requirements.

However, there are still some important differences to note:

1.  Reporting to the regulator can focus on the cause of the breach rather than speculate about the harm

The content of the report to the Office of the Privacy Commissioner of Canada (OPC) tracks fairly close to the content required under Alberta’s law. Perhaps as a matter of clarification more than a substantive difference, the federal Regulations specify that the report should include the “cause” of the breach if known. However, one significant difference is that organizations are not required to engage in speculation about the potential harm to individuals. This will be highly appreciated by organizations who have had to deal with Alberta’s law.

2.  Organizations must make it easy on individuals to get information or to complain

The content of the notices to individuals of a breach are also similar to those in Alberta. However, ISED has included some consumer-friendly requirements. First, individuals should have a toll-free number to contact someone who can answer questions on behalf of the organization (or an email address). Second, individuals must be informed about the organization’s internal complaint process. Finally, individuals must be advised of their right to complain to the OPC about the breach.

3.  There is flexibility with respect to the manner of reporting

The federal Regulations specifically provide that notices to individuals can be provided:

  • by email or other secure forms of communication (to which the individual has consented)
  • by letter
  • by telephone
  • in person

Moreover, organizations can opt for indirect notification (without having to pre-clear this with the OPC) if direct notification would cause harm to the individual, the cost of direct notification would be prohibitive to the organization, or the organization does not have current contact information.  Indirect notification can be made by conspicuous posting of the notice on the organization’s website for 90 days (or more) or by means of an advertisement that is likely to reach the affected individuals.

4. Record-keeping is much less onerous than feared

One difference between the Alberta law and the federal Personal Information Protection and Electronic Documents Act (PIPEDA), is that PIPEDA requires an organization to maintain a record of every breach of security safeguards even if that breach does not result in a real risk of significant harm to an individual.

The ISED has heard the concerns raised by organizations about this provision. Organizations only need to maintain records for 2 years. The form and content of the records are up to the organization provided that they contain enough information to allow the OPC to assess whether the organization was making any required reports to the OPC and required notifications to affected individuals. Since a report to the OPC containing the prescribed elements would be sufficient as a record, this appears to mean that the type of information that must be kept does not include a written assessment of the risk of harm.

Read the draft Regulations here.

, ,

Déjà Vu – Canada’s Breach Reporting and Notification Requirements

SEC Issues Cybersecurity Alert For Brokers And Financial Advisers

On May 17, 2017, the US Securities and Exchange Commission (SEC), through its National Exam Program, issued a “Risk Alert” to broker-dealers, investment advisers and investment firms to advise them about the recent “WannaCry” ransomware attack and to encourage increased cybersecurity preparedness. The purpose of the alert, according to the SEC, was to “highlight for firms the risks and issues that the staff has identified during examinations of broker-dealers, investment advisers, and investment companies regarding cybersecurity preparedness.”

Based on a 2015 survey of 75 SEC registered broker-dealers, investment advisers and investment firms, the SEC National Exam Program staff recognized certain firm practices that registrants may find relevant when dealing with threats such as the WannaCry ransomware attack:

  • Cyber-risk Assessment: Five percent of the broker-dealers, and 26 percent of the investment advisers and investment companies examined “did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.”
  • Penetration Tests: Five percent of the broker-dealers, and 57 percent of the investment companies “did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.”
  • System Maintenance: All broker-dealers, and 96 percent of investment firms examined “have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities.” And only ten percent of the broker-dealers, and four percent of the investment firms examined had a significant number of critical and high-risk security patches that were missing important updates.

The SEC recommends registrants undertake at least two separate tasks: (1) assess supervisor, compliance and/or other risk management systems related to cybersecurity risks; and (2) make any changes, as may be appropriate, to address or strengthen such systems. To assistant registrants, the SEC highlights its Division of Investment Management’s recent cybersecurity guidance, and the webpage of the Financial Industry Regulatory Authority (FINRA), which has links to cybersecurity-related resources.

The SEC cautions that the recommendations described in the Risk Alert are not exhaustive, “nor will they constitute a safe harbor.” Factors other than those described in the Risk Alert may be appropriate to consider, and some factors may not be applicable to a particular firm’s business. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised in the Risk Alert. Ultimately, the “adequacy of supervisory, compliance, and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.”

The SEC recognizes that it is not possible for firms to anticipate and prevent every cyber-attack. However, “appropriate planning to address cybersecurity issues, including developing a rapid response capability is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.”

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ global Privacy and Cybersecurity Group operates at the intersection of technology and law, and was recently singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

SEC Issues Cybersecurity Alert For Brokers And Financial Advisers

New ABA Opinion – Attorneys Must Take Reasonable Cybersecurity Measures To Protect Client Data

On May 11, 2017, the American Bar Association (ABA) issued Formal Opinion 477, making clear that a lawyer may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct so long as the lawyer takes reasonable efforts to prevent inadvertent or unauthorized access to client information. Lawyers may also be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security. This new opinion updates a prior opinion issued by the ABA in 1999 (Formal Opinion 99-413), in which the ABA concluded that attorneys may use the Internet to transmit unencrypted communications relating to a client without running afoul of the Model Rules of Professional Conduct.

According to the ABA, in the “technical landscape of Opinion 99-413,” unencrypted email posed “no greater risk of interception or disclosure than other non-electronic forms of communication.” Although this premise remains true today for routine communication with clients, and the use of unencrypted routine email generally remains an acceptable method of lawyer-client communications, cyber-threats and the proliferation of electronic communications devices have “changed the landscape and it is not always reasonable to rely on the use of unencrypted email.” As an example, the ABA notes that electronic communication through certain mobile applications or on message boards or via unsecured networks may lack the basic expectation of privacy afforded to email communications. Lawyers must therefore, on a case-by-case basis, constantly analyze how they communicate electronically about client matters.

Although the ABA does not provide specific steps for attorneys to take in this regard, it does provide the following considerations as guidance:

Understand the Nature of the Threat

The ABA says that understanding the nature of the threat includes consideration of the sensitivity of the client’s information and whether the client’s matter is a higher risk for cyber intrusion. Client matters involving proprietary information in highly sensitive industries such as industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft.

Understand How Client Confidential Information is Transmitted and Where It Is Stored

The ABA says a lawyer should understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information. Every “access point is a potential entry point for a data loss or disclosure.” Every access point, and each device, should therefore be evaluated for security compliance.

Understand and Use Reasonable Electronic Security Measures

Model Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. What is “reasonable” will vary depending on the facts of each case. The ABA indicates that making reasonable efforts may include “analysis of security measures applied to both disclosure and access to a law firm’s technology system and transmissions.” A lawyer should also understand and use electronic security measures to safeguard client communications and information, including using secure internet access methods to communicate, access and store client information, using unique complex passwords, changed periodically, implementing firewalls and anti-malware/spyware/antivirus software on all devices, and applying necessary security patches and updates to software when required.

Determine How Electronic Communications About Client Matters Should Be Protected

Different communications require different levels of protection. The ABA recommends that the lawyer and client discuss what levels of security will be necessary for each electronic communication about client matters. For example, if client information is of sufficient sensitivity, the ABA says a lawyer should encrypt the transmission and determine how to do so to sufficiently protect it, and consider the use of password protection for any attachments. Lawyers can also consider the use of well vetted and secure third-party cloud based file storage systems to exchange documents normally attached to emails. Lawyers should also be cautious in communicating with a client if the client uses computers or other devices subject to the access or control of a third party.

Label Client Confidential Information

The ABA recommends lawyers follow the “better practice” of marking privileged and confidential client communications as “privileged and confidential” and using disclaimers in client emails.

Train Lawyers and Nonlawyer Assistants in Technology and Information Security

The ABA recommends lawyers establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients.

Conduct Due Diligence on Vendors Providing Communication Technology:

The ABA recommends lawyers examine a vendor’s reference checks and credentials, security protocols and policies, hiring practices, and the use of confidentiality agreements when determining which vendors to use in supplying communications technologies.

Takeaways

Although most enterprises and firms use some level of protection in their electronic communications, this new opinion highlights the growing focus on cybersecurity across all industries and professions. Encryption is increasingly becoming the industry standard in securing electronic data and communications, and is often the first line of defense when facing a data breach scenario.

New ABA Opinion – Attorneys Must Take Reasonable Cybersecurity Measures To Protect Client Data

Tennessee Adds New Encryption And Timing Requirements To Its Data Breach Notification Law

On April 4, 2017, Tennessee Governor Bill Haslam signed into law an amendment to the state’s data breach notification law, making two substantive changes to the statute:

  1. Adding a technically specific safe harbor encryption provision; and
  2. Adding a 45 day window to complete breach notification, when required.

Overall Summary of Breach Notification Law

Tennessee’s data breach notification law applies to any person or business conducting business in Tennessee that owns or licenses computerized data that contains “personal information.” “Personal information” is defined under the statute as a person’s first name or initial and last name combined with:

  • Social security number;
  • Driver’s license number; or
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Covered entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 or the Health Insurance Portability and Accountability Act of 1996, as expanded by the Health Information Technology for Clinical and Economic Health Act, are exempt from the law.

The statute requires covered entities to disclose a “breach in the security of the system” to any resident of Tennessee whose personal information was, or is reasonably believed to have been, acquired by an “unauthorized person.”

New Encryption Requirements

Under the new law, the phrase “breach in the security of the system” has been amended to read “breach of system security,” and is defined to mean the acquisition of: (1) unencrypted computerized data; or (2) encrypted computerized data and the encryption key that contains personal information by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. The new statute defines encrypted to mean “computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2[.]” FIPS 140 is a US government standard that defines minimum security requirements for cryptographic modules in products and systems, as set forth in Section 5131 of the Information Technology Management Reform Act of 1996. Therefore, under the new amendment, if the information acquired was encrypted pursuant to the FIPS 140-2 standards, and the encryption key was not compromised, notification is likely not required.

Notification Clarification

The new amendment also imposes a specific time frame for completing notification, when required. Disclosure now must be made no later than 45 days from the discovery or notification of the “breach of system security,” unless a longer period of time is required due to the legitimate needs of law enforcement. Specifically, notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. This change makes Tennessee the eighth state to enact a statute that puts a specific time period on the notification requirement. The majority of states only require notification in the “most expedient time possible” or “without unreasonable delay.”

Takeaways

Cyber threat preparation and monitoring remains the first and best line of defense against data breaches. Dentons helps companies prepare for breach by formulating written incident response plans, conducting table-top exercises with key members of the incident response teams, and advising companies on compliance with data notification reporting requirements, such as the new requirements now applicable in Tennessee. Our team is ready to help you or your business navigate this complicated area of the law, and help with the growing need for encryption requirements.

Tennessee Adds New Encryption And Timing Requirements To Its Data Breach Notification Law

A Cautionary Tale Regarding Consent and In-Store Tablets

The Office of the Privacy Commissioner (OPC) recently released a case summary with implications for retailers attempting to obtain consent for privacy-compliance or anti-spam compliance purposes.

Consistent with guidance by the Canadian Radio-television Telecommunications Commission (CRTC) with respect to Canada’s Anti-Spam Legislation, the OPC is taking a harder line with respect to the business records that an organization must retain in order to establish that an individual gave consent. The bottom-line is that the practice of obtaining consent by either having the individual or the salesperson check a box is vulnerable to challenge. Organizations should only use methods of obtaining consent that involve corroborative evidence.

Background

The complaint arose out of a dispute with respect to whether an individual had applied for a co-branded credit card with a retailer. While shopping in a retail store, the complainant was approached to join a loyalty program. The individual provided the salesperson with his driver’s licence as part of the registration.

Later, the individual received a credit card and learned that a credit check had been conducted on him. After obtaining access to the information held by the bank that provided the credit card, the complainant discovered that much of the information on the application was inaccurate and asserted that he had not provided that information to the salesperson. He also argued that he did not check the box on the tablet to permit a credit check.

The OPC concluded that the bank could not establish that it had obtained consent and that the information collected from the complainant was accurate. There was no evidence that the complainant ever saw the tablet screen, provided the information in the application, understood that the information would be used for a credit check or that the individual actually clicked the consent box on the tablet.

No Recognition of Canada Evidence Act

Certainly, the circumstances of this case were suspicious. However, bad facts can make for bad legal interpretations. That seems to be the case here. The OPC appears to believe that organizations must retain independent proof that consent has been obtained. This is similar to guidance form the CRTC’s guidance that oral consent to receive commercial electronic messages must be backed up with an audio recording or third party verification.

This guidance fails to directly engage with the laws of evidence within which both the Personal Information Protection and Electronic Documents Act and Canada’s Anti-Spam Legislation exist.  The Canada Evidence Act specifically contemplates that the business records, including electronic business records, are admissible for the proof of what is recorded in them. While other evidence may raise concerns regarding their accuracy or veracity, as in the case before the OPC, they are not inherently inadequate as the OPC and CRTC seem to suggest. In an informal administrative process such as the one before the OPC, the OPC may be free to ignore the law of evidence. However, this would not be the case before the Federal Court.

The real issue should have been that the organization was unable to establish that it audited compliance of the salespersons such as through secret shoppers or that the organization confirmed the individual’s consent by sending the individual a copy of the application once completed.

Conclusion

Be forewarned: organizations should have some means of corroborating their records when obtaining oral consent from individuals in retail stores in order to avoid problems with the OPC and the CRTC. To access the OPC’s decision, click here: PIPEDA Case Summary 2016-12.

A Cautionary Tale Regarding Consent and In-Store Tablets