If Alberta’s experience is any indication, it’s unlikely that Canada’s new data breach notification regulations, which affect the federal private sector and came into force on November 1, will languish in obscurity.
In 2010, Alberta became the first (and still the only) province to mandate breach notification from the private sector where “a real risk of significant harm” to individuals existed. The legislation drew 11 notifications that year, a number that grew to 167 in 2017, up from 70 in 2016.
Legislative requirements aside, there were at least 33 media-reported breaches in Canada in 2017, according to breachlevelindex.com. Most experts believe that the unreported breaches far exceed those disclosed. The disclosures included the theft of 1.9 million records from Bell Canada; 1.6 million from Vancouver-based Tio Networks, a PayPal subsidiary; up to 1.13 million from Nissan Canada Finance; 1 million from Canoe.ca users; and 95,000 from McDonalds Canada. The US saw 1,579 data breaches in 2017, up about 50% from 2016 and more than double the 2015 total.
No surprise, then, that an April 2018 Citrix Cloud and Security Survey of 1,505 Canadian residents, found that almost half (46%) of Canadians are either “not at all” or not “very secure” storing family information on the cloud. Medical information (52%) and financial information (59%) fare even worse.
It all amounts to fodder for the plaintiffs’ class action bar. Privacy class actions have become ever more popular in this country in the last 10 years. Many engage more than 1 million consumers and $1 billion in damages. High-profile defendants have included Google, Facebook, Equifax, Yahoo, Walmart, Home Depot, Scotiabank, Banque Nationale de Canada, Bell Canada, Desjardins Group, Ford Motor Company, DaimlerChrysler, TD Auto Finance Services, Durham Region Health, and University of British Columbia.
Although damages can be difficult to prove, at least one jurisdiction has adopted a statutory solution. “California has mandated statutory damages of $750 per person notified,” said Brian Hengesbaugh in Baker McKenzie LLP’s Chicago office. “So if you’re notifying 1 million people, you’ve got a big class action on your hands.”
From a global perspective, IDG, a multinational tech media company, reports that the damage from global ransomware grew from $325 million in 2015 to an estimated $5 billion in 2017. To make matters worse, a recent Ponemon Institute, LLC study estimates that security breaches are increasing at a rate of 27.4% annually.
“Privacy issues are everywhere,” said Chantal Bernier, formerly Canada’s Interim Privacy Commissioner and now counsel in Dentons Canada LLP’s Ottawa office. “Even good companies are being subjected to sophisticated and incessant attacks.”
But pervasiveness, it seems, has not been a clarion call to action for the business community. A 2017 Thomson Reuters (owner of this magazine) study of 1,000 data privacy professionals at companies in nine countries found that almost half, or 44%, had not complied with data privacy regulations. Even more respondents, some 47%, advised that they were struggling to keep up or falling further behind.
“Awareness is up, but preparedness is flat,” says Ira Nishisato in Borden Ladner Gervais LLP’s Toronto office. “We tend to get a spike from clients only when there’s a news event, like the GDPR [the European Union’s recently enacted General Data Protection Regulation], or something bad has happened to them.”
HIGHEST DIRECT COST
At press time, the latest federal sector victim was Air Canada, whose mobile app was, compromising the personal information of some 20,000 users. But many more were affected: after noting suspicious activity in the account a week earlier, the airline locked out all 1.7 million subscribers, who subsequently received instructions to change their passwords.
While the costs of the Air Canada breach have not been disclosed by the company, what is known from the Ponemon study is that Canada ranks first globally with the highest direct costs of $81 per record breached (all figures US), including legal and forensic costs and identity protection services. In indirect costs — including the expenses and resources involved in notifying victims, investigating the breach, loss of goodwill, and customer loss — the country’s cost of $116 per record was second only to the US. Combined, the direct and indirect costs are $197.
With the average number of records compromised when a breach occurred in Canada at 22,275, the average cost per breach computes at about $4.5 million. But even that may be an understatement: in the case of Air Canada, the company must have incurred further costs in notifying and dealing with all the remaining customers who were required to change their password.
The Ponemon study also found that 50% of Canadian breaches were caused by intruders, 25% by system errors and 25% by human error.
The most effective steps in decreasing costs, according to the study, were having an incident response team (decreased costs by $14 per record); using extensive encryption ($13.1); continuous management involvement ($9.3); training employees ($9.3); and sharing threat information ($8.7). In other words, by taking these five steps, Canadian companies could cut $54.4 from the financial damage done by breaches, a reduction of some 22% of the total direct and indirect costs of $197 per record.
Also studied were factors that increased costs in data breaches. The top five were third-party involvement ($13.4); extensive cloud migration ($11.9); compliance failure ($11.9); extensive use of mobile platforms ($10); and lost or stolen devices ($6.5).
So what role do lawyers play in all this? How are they relevant and what can they do to help their clients take a proactive approach in avoiding data breaches and maintaining the privacy of their customers?
“What we strive to have our clients appreciate is that data protection and breach response is an enterprise-wide risk management issue,” Nishisato says. “They need to engage broadly internally and externally, which includes not just legal and technical assistance, but public relations, communications and forensic specialists.”
In simple terms, law firms must provide advice on the parameters of due diligence. What the law requires here is that organizations have safeguards that are appropriate to the level of risk, something that is measured by the sensitivity of the information involved and the likelihood of attack. “The test for compliance with the rules is one of due diligence, not absolute prevention,” Bernier said.
Because cyberattacks are inevitable, counsel’s role is to help their clients design and implement programs that prepare the organization for a breach, recover from the breach, and minimize the damage that flows from a breach including critical data loss, reputational damage and regulatory sanctions. “Organizations need to put themselves in a position to respond quickly because there’s not time for planning while the cyberattack is happening,” said Francesca Gaudino in Baker& McKenzie LLP’s Milan office.
According to Bernier, the obligation to safeguard data has three components: physical security, technical security and organizational security. “Where the lawyers come in is on the organizational security side,” she explained.
Here, a look back at the factors that increase and decrease cost is instructive. What’s clear is that costs increase and decrease in proportion to the strength of internal organizational security. So, having an incident response team, management involvement, training, and communication all decrease costs. On the other hand, third-party involvement increases costs.
Good governance links organizations effectively from top to bottom and from side to side. “The CEO must be engaged because she should always be involved in managing risk, managers must implement the C-suite’s policies, including the supervision of staff, and all staff must truly adopt the concept of privacy as a matter of ethics,” Bernier said. “Good governance is the mechanism that brings good polices to life.”
Nishisato is adamant that breach response plans be tested by way of simulation. “It can’t just be a piece of paper sitting on a shelf, because it can easily be derailed,” he said. “What happens, for example, if email goes down as part of a hack? How will people communicate?”
What is clear is that regulators are bearing down on what they expect from companies collecting personal information. “Just restating PIPEDA [Personal Information Protection and Electronic Documents Act] in 20 pages doesn’t cut the mustard anymore,” said Lyndsay Wasser, the Toronto-based co-chair of McMillan LLP’s privacy and data protection group. “Broad principles like ‘consider who to notify’ have given way to policies that go into the details of dealing with a breach.”
An effective “playbook,” then, must answer certain basic but critical questions. “They include who are the key decision makers; how do you get in touch with them; how do you classify incidents; how and when do you escalate; how will people communicate if systems are down; what are the key messages that need to be communicated; how frequently will the response team meet to determine next steps; and who will be the outside providers, including external counsel, forensic experts, and IT consultants?” said Ruth Promislow in Bennett Jones LLP’s Toronto office.
Then there are the issues relating to third parties who are handling personal information for companies. “Clients must ensure that service providers handle data properly by including appropriate contractual obligations in their agreements and by selecting providers who have good privacy policies,” Wasser said.
Contractual terms for data protection are becoming more common, Wasser notes, because clients are now trying to avoid being drawn into litigation where a third-party service provider has suffered a breach or has been subjected to a regulatory investigation. “Clients will have to make greater efforts to address the issues in advance and obtain the appropriate indemnities,” Wasser said. “I’ve seen contracts that contain everything from a broad statement of appropriate measures that are satisfactory, to specific requirements for firewalls, encryption, and data transfer protocols.”
COPING WITH EVOLUTION
Complying with domestic federal and provincial legislation, however, is but part of the picture. As privacy laws emerge and change rapidly throughout the world, organizations ranging from Canadian multinationals to small and medium-sized businesses (SMEs) that have no physical presence in other jurisdictions but sell or even advertise to consumers there, online or otherwise, must cope with the evolution.
Take the GDPR, for example, which has extensive extra-territorial reach. “Any company, wherever it is in the world, that offers products or services in the EU and whether it has a physical establishment there or not, must comply with the GDPR regarding the processing of personal information,” Bernier said.
Even companies that don’t face the EU on the client or customer side may find themselves dealing with the GDPR. “Very locally focused organizations which have service providers from the EU are suddenly being confronted with requests to update agreements or clauses so they comply with the GDPR,” says Ryan Berger in Norton Rose Fulbright Canada LLP’s Vancouver office.
Global compliance, however, is a tedious business. “First, you have to find out where the data is stored, and which jurisdictions and laws are engaged,” Nishisato said. “Once that fact-finding is complete, clients need to obtain proper advice in each jurisdiction.”
But completing the fact-finding is easier said than done. “Data mapping is the hardest part of compliance, partly because many organizations start from a very low baseline,” Bernier said.
Some clients balk at the cost and intrusiveness of the endeavour. “Part of what we do is educate our clients that, if they don’t go through the process thoroughly, the whole organization might be at risk,” Nishisato said.
Still, solutions must be cost effective. “Counsel have got to think privacy issues through from a practical point of view,” said Theo Ling in Baker & McKenzie’s Toronto office. “On the one hand, you have to appreciate what the various laws say you have to do, but you’ve also got to figure out how to interpret them and choose the best way forward from a business risk and operational perspective.”
It helps that privacy laws are converging worldwide. “My view is that privacy laws are becoming more aligned even as the general standard goes up,” Ling said. “While there are scenarios where there’s a requirement to notify in certain jurisdictions but not in others, the ones that require notification all focus on some assessment of the risk of harm and a way to determine that risk.”
By way of example, Ling said he believes that the timing of the announcement of Canada’s new notification regime — in the works since 2015 — was “partly or significantly prompted” by the enactment of the GDPR, which, among other things, introduced breach notification as apart of EU privacy law. “It was a bit of an imperative that the November implementation was announced in April, just before the GDPR came into force,” the lawyer said. “No doubt Canada wishes to maintain its ‘adequacy’ status by which the EU recognizes that Canadian privacy laws are ‘equivalent’, which allows for seamless data transfer between the jurisdictions.”
Indeed, the view of many privacy law experts is that the GDPR represents the gold standard in privacy law.
“If a company is looking for feasible, user-friendly uniformity in its privacy policies, it should go with the GDPR, which is now the highest common denominator,” Bernier said. “But there are also little accommodations that have to be made.”
It’s these “little accommodations” that give some privacy law practitioners cause for concern.
“There are places where there are disconnects between Canadian law and the GDPR, where the laws don’t work well together,” she said. “There has to be considerable thought given about when to use a global standard and when to use a country-specific standard.”
Areas for concern include diverging rules regarding what constitutes personal information; residency and cross-border data transfer requirements; distinctions between the obligations of data controllers and data processers; the availability of mechanisms other than consent as pre-conditions for lawful processing; and differences in requirements for notifying authorities and/or individuals affected.
“In some cases, complying with the GDPR can hinder Canadian companies’ flexibility that might exist under domestic law,” Wasser said. “What I recommend to clients is that they should think carefully about whether it’s best for them to comply with the GDPR, especially if adhering to the Canadian standard does not create meaningful risk.”
Hengesbaugh advocates a practical approach to breach notification as well. “It may not be necessary to notify everybody, particularly if the information is non-sensitive or if the risk in certain jurisdictions is otherwise acceptable,” he said.
A consensus exists that engaging local counsel or partners in relevant jurisdictions is essential. “What clients need is a coordinated effort because what is said and done in one jurisdiction can affect the risk in others,” Promislow says.
That’s true even within the EU. “Experts have pointed out that as all-encompassing as the GDPR is, member states have the ability to expand the rules beyond the minimum and adopt different approach to enforcement,” said Matt Saunders in Cox & Palmer’s Halifax office. “It just means there’s another layer of complexity to something that’s already extraordinarily complex.”
Extraordinarily complex indeed.
So much so that, earlier this year, global law firm Norton Rose Fulbright launched a data breach chatbot named Parker. “Parker is an artificial intelligence tool built on the IBM Watson platform that helps organizations understand whether they are subject to certain privacy laws,” Berger said.
The Canadian version is aimed specifically at guiding clients in determining their exposure and obligations under the new breach notification regime. It follows on the success of Parker in Australia, where the program originated, and its subsequent modification to answer questions about the GDPR. The GDPR version is primarily aimed at multinational businesses which need to determine whether and how the new law applies to them.
Nick Abrahams, global head of technology at Norton Rose, and his Sydney colleague Edward Odendaal developed the first Parker in anticipation of major changes in the Australia data protection notification regime that came into force in late February. The first 24 hours’ of Parker Australia’s December 2017 launch drew over 1,000 conversations to the chatbot. As of June 13, the number had grown to 5,976.
“Generally, the average number of messages per conversation varies between four to six questions,” Berger says. “Taking an average of three minutes per conversation, Parker Australia has provided clients and potential clients with just shy of 300 hours of legal information in its first six months.”
The GDPR Parker rang up 3,826 conversations between its launch in May and June 13. Just how many of the conversations involved Canadian businesses is not known.
Parker and artificial intelligence notwithstanding, the fact remains that complying with the maze of global privacy laws is like shooting at a moving target. “Not even the European lawyers who are heavily engaged with the Regulation know exactly how it will be enforced,” says Éloïse Gratton, a partner in Borden Ladner’s Montreal and Toronto offices.
Fortunately for their clients, Canadian law firms appear to be up for the challenge.