1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Enforcement Notice: First text message case under CASL

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced the first undertaking and fine involving text message violations under Canada’s Anti-Spam Legislation (CASL). This first, involves Quebec-based 514-BILLETS, a ticket broker for sporting and cultural events.

Between July 2014 and January 2016, the CRTC alleges 514-BILLETS sent text messages to recipients without their consent. The CRTC also alleges the company sent text messages without information that identified who sent the messages as well as failed to provide information to recipients that would allow them to easily contact 514-BILLETS.

514-BILLETS has agreed to pay  a total of $100,000 in compensation, appoint a compliance officer and institute a CASL-compliance program. 514-BILLETS will pay $75,000 in the form of $10 rebate couples to 7,500 clients and $25,000 to the Receiver General of Canada.

The CRTC’s media release can be read here.

Enforcement Notice: First text message case under CASL

Mark your calendars: Mandatory data-breach notification rules come into force November 1

The federal government released an Order in Council, dated March 26, 2018, announcing that the mandatory data-breach notification rules will come into force on November 1, on the recommendation of Navdeep Bains, Minister of Industry, Science and Economic Development.

After nearly three years, sections 10, 11, and 14, subsections 17(1) and (4) and sections 19 and 22 to 25 of the Digital Privacy Act, Chapter 32 will come into effect to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). The federal government released the proposed breach reporting rules in September 2017 and advised at that time that the proposed regulations will be delayed coming into force after their publications, meant to “give regulated organizations time to adjust their policies and procedures accordingly and ensure that systems are in place to track and record all breaches of security safeguards that they experience.”

With the amendment, PIPEDA will contain provisions requiring organizations to notify affected individuals and organizations of breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner. It also creates offences in relation to the contravention of certain obligations respecting breaches of security safeguards. Among the changes, the new rules will also give the privacy commissioner the power to enter into a “compliance agreement” with an organization in certain circumstance to ensure the organization’s compliance with PIPEDA.

Stay tuned for further updates.

Mark your calendars: Mandatory data-breach notification rules come into force November 1

IRS Warns About New Cyber Scam Targeting Taxpayers

Last month, the United States (US) Internal Revenue Service (IRS) issued a warning to US taxpayers that cyber criminals are increasing their efforts to steal more detailed financial information from taxpayers in order to provide a more detailed, realistic tax return and better impersonate legitimate taxpayers. These efforts include targeting tax professionals, human resource departments, businesses, and other enterprises that store large amounts of sensitive financial information. To mitigate against this threat, the IRS recommended that taxpayers and businesses that store taxpayer information take three steps:

  • Use Security Software. Use security software with firewall and anti-virus protections, and ensure the security software is always turned on and can automatically update. Encrypt sensitive files stored electronically, such as tax records, and use strong and unique passwords for each account.
  • Watch Out For Scams. Recognize and avoid phishing emails, threatening calls and texts from individuals posing as legitimate organizations, such as banks or credit card companies, or even the IRS. Do not click on links or download attachments from unknown or suspicious emails.
  • Protect Personal Data. Don’t routinely carry Social Security cards and make sure tax records are secure. Shop at reputable online retailers. Treat personal information like cash – don’t leave it lying around.

Recently, the IRS issued a specific warning of a quickly growing scam involving erroneous tax refunds being deposited into taxpayer bank accounts. Specifically, after stealing client data from tax professionals and filing fraudulent tax returns, cyber criminals are using taxpayers’ real bank accounts for the deposits and then using various tactics to reclaim the refund from taxpayers. In one version of the scam, criminals posing as debt collection agency officials acting on behalf of the IRS contact taxpayers to say a refund was deposited in error, and ask the taxpayers to forward the money to their collection agency. In another version, the taxpayer who receives the erroneous refund gets an automated call with a recorded voice saying the person is from the IRS. That person then threatens the taxpayer with criminal fraud charges, an arrest warrant and a “blacklisting” of their Social Security Number. The recorded voice gives the taxpayer a case number and a telephone number to call to return the refund.

In its new warning, the IRS repeats its call for tax professionals to increase the security of sensitive client tax and financial files, and outlines steps impacted individuals and enterprises may follow in the wake of a breach, including those outlined in Tax Topic Number 161-Returning an Erroneous Refund and the Taxpayer Guide to Identity Theft.

These new threats highlight the way cyber criminals are uniquely attempting to access sensitive personal information. As businesses increase their encryption and security efforts, these unique efforts by malicious actors will only increase. If you or your enterprise stores or transmits sensitive personal information, such as taxpayer identifying information, you should take time to audit your current practices surrounding how that data is secured, and how your relationships with third parties may impact that security. The Dentons cybersecurity team is prepared to help in those efforts.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

IRS Warns About New Cyber Scam Targeting Taxpayers

PIPEDA: Substantial Amendments Proposed by Parliamentary Committee

Since February 2017, the House of Commons Standing Committee on Access to Information, Privacy and Ethics has been reviewing Canada’s federal privacy statute – Personal Information Protection and Electronic Documents Act (PIPEDA) – including public meetings and submissions from stakeholders. A year later, the Committee issued its report outlining its recommendations that would see a significant overhaul of PIPEDA.

In the report titled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act, 19 recommendations are proposed to the Government of Canada that would see significant changes to the operation of, and individual rights, around personal information. It’s clear in the report and the recommendations themselves that Europe’s General Data Protection Regulations were an influence.

Some of the Committee’s recommendations include:

  • to explicitly provide for opt-in consent as the default for any use of personal information for secondary purposes, and with a view to implementing a default opt-in system regardless of purpose
  • providing measures to improve algorithmic transparency
  • an examination of the best ways of protecting depersonalized data
  • providing for a right to data portability
  • a framework for a right to erasure based on the model developed by the E.U. The model would, at minimum, include a right for young people to have information posted online either by themselves or through an organization taken down
  • modernizing the Regulations Specifying Publicly Available Information in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulations technology-neutral
  • clarification of the terms under which personal information can be used to satisfy legitimate business interests
  • a framework for the right to de-indexing
  • to give the Federal Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance
  • to give the Federal Privacy Commissioner broad audit powers, including the ability to choose which complaints to investigate

During his September 2017 annual report to Parliament, Daniel Therien, Canada’s Federal Privacy Commissioner, emphasized the urgency to revisit PIPEDA in order to meet the realities of today’s world, including requesting the new enforcement powers. Organizations have been equally considering how Canada’s status as an adequate country will be affected as a result of the GDPR.

Click to read the report in full Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act.

 

PIPEDA: Substantial Amendments Proposed by Parliamentary Committee

NIST Releases Draft Update To Cybersecurity Framework

In 2014, the National Institute of Standards and Technology (NIST) released its first version of the Framework for Improving Critical Infrastructure Cybersecurity (Cyber Framework). The Cyber Framework was originally developed as a voluntary framework to help private organizations and government agencies manage cybersecurity risk in the critical infrastructure space (e.g., bridges, power grid, etc.). Since then, it has been widely adopted across industry as a benchmark standard for measuring an enterprise’s cybersecurity readiness.

Following feedback NIST received in December 2015 from a Request for Information, and comments from attendees at the Cybersecurity Framework Workshop in 2016 held at the NIST campus in Maryland, NIST released a draft update to the Cyber Framework in January 2017 called Version 1.1. Some of the key changes in the draft update included:

  • Adding a new section on cybersecurity measurement to discuss the correlation of business results to cybersecurity risk management metrics and measures;
  • Expanding the use and understanding of cyber supply chain risk management frameworks;
  • Accounting for authentication, authorization, and identity proofing in the access control section of the framework; and
  • Better explaining the relationship between the various implementation tiers and profiles.

Last week, NIST released a second draft of Version 1.1, which is open for public comment through January 20, 2018. The new draft expands on issues such as supply chain security and vulnerability disclosure programs. It also emphasizes the need for companies using the framework to develop metrics to quantify their progress. NIST says it hopes to finalize Version 1.1 in the spring of 2018.

If you are interested in submitting comments on the new draft of Version 1.1, or learning more about its proposed changes that will likely take effect in 2018, the Dentons Privacy and Cybersecurity Group is ready to assist.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral NetworkDentons’ Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

NIST Releases Draft Update To Cybersecurity Framework