From data breach to discipline: cyber incidents as a new regulatory risk

A technical incident can quickly become a professional conduct matter

The economy increasingly relies on big data. Companies hold large amounts of confidential information that can be exposed to litigation or reputational damage in the event of a cyberattack. Imagine, for example, a cyberattack that paralyzes a firm's servers for 72 hours, or a company that suffers a data breach after an employee clicks on a phishing email. These scenarios are no longer hypothetical: they occur regularly in Canada.

All organizations, even the best-prepared ones, can be vulnerable to external threats.

What professionals still fail to grasp is that a cyber incident does not only generate operational costs and notification obligations; it can also open the door to disciplinary proceedings. This shift, subtle but real, deserves close examination.

When an incident becomes professional misconduct

Professional orders did not wait for the digital age to require their members to protect the confidential information entrusted to them. This obligation existed long before ransomware. What has changed is the nature of the breaches at issue.

In practice, the minimum baseline today includes: two-factor authentication on all systems containing client data; encryption of sensitive data in transit and at rest; regular updates to software and operating systems; and periodic staff training on phishing risks. These measures are no longer considered optional best practices; they are becoming the standard against which breaches will be measured.

A cyber incident can thus reveal, or be a symptom of, several potential failures:

  • Breach of confidentiality: Preserving the secrecy of all confidential information is a fundamental obligation of every regulated professional under section 60.4 of the Professional Code[1]. The protection of client or patient information can be endangered by the absence of data security practices, well before any external attack.
  • Lack of competence: Ignoring minimum cybersecurity practices (two-factor authentication, data encryption, backups) may be treated as professional negligence.
  • Failure to supervise: A professional who delegates the management of their IT systems without maintaining adequate oversight may be held liable, even if they were not the direct author of the breach.

Quebec’s Law 25[2] (amendments to the Act respecting the protection of personal information in the private sector) has significantly strengthened data governance obligations. It enhances the protection of citizens' personal information by giving them greater control over how their data is processed and a better understanding of the consequences of their choices.

Organizations are also required to disclose all incidents that threaten the confidentiality of personal information or involve a cyberattack to the Québec Access to Information Commission (CAI) for Quebec or to the Information and Privacy Commissioner of Ontario (IPC) for Ontario. They are required to maintain a register of all privacy incidents. This register must be kept for five years from the date on which the organization became aware of the incident.

The CAI now holds significant administrative sanctioning power. It can impose substantial penalties on organizations that fail to report a privacy incident to the CAI or to the affected individuals; such organizations face unprecedented penal sanctions and administrative monetary penalties, with fines reaching up to $25 million or 4% of annual turnover[3]. At the same time, certain professional orders have begun incorporating guidelines on information technology management into their regulations or advisories.

A regulator investigating a cyber incident will seek to determine whether the protective measures in place met the minimum standards of the profession; whether the incident could have been prevented or limited through reasonable diligence; and whether the post-incident response, including communication to those affected, was handled with transparency and without delay.

The Desjardins case: a benchmark for internal threats

The most instructive Canadian decision on organizational security failures remains the Privacy Commissioner of Canada's findings in PIPEDA Report of Findings #2020-005 (December 14, 2020)[4], arising from a data breach at the Fédération des caisses Desjardins du Québec that compromised the personal information of nearly 9.7 million individuals between 2017 and 2019.

The breach was not caused by an external cyberattack. A dishonest employee exfiltrated sensitive personal data, including names, dates of birth, social insurance numbers, and transaction histories, over a period of at least 26 months, using USB drives. The Office of the Privacy Commissioner of Canada (OPC) found that Desjardins had violated three core principles of PIPEDA[5]: the accountability principle (Principle 4.1)[6], the limiting use, disclosure and retention principle (Principle 4.5)[7], and the safeguards principle (Principle 4.7)[8].

What makes this decision particularly relevant for regulated professionals is the Commissioner's finding that the failures were not technical in origin; they were organizational. Desjardins had extensive written policies in place. The problem was that those policies had never been properly implemented. Employees were transferring confidential personal data to shared directories accessible to the entire marketing team, in direct contravention of internal standards. No active monitoring system was in place to detect the anomalous behaviour. And nearly 3.9 million inactive records, some dating back decades, remained in the system with no destruction procedure in place.

The Commissioner concluded that an organization cannot satisfy its obligations under PIPEDA by adopting policies alone. It must verify that those policies are followed, train employees to understand their obligations, implement access controls that technically prevent unauthorized data movements, and deploy active surveillance tools proportionate to the sensitivity of the data it holds.

For a regulated professional, the lesson is direct: the existence of an information governance policy is not a defence. What matters is whether that policy was implemented, monitored, and enforced. A disciplinary committee or regulatory authority investigating a cyber incident will ask the same questions the Commissioner asked of Desjardins, not what the rules said, but what was done.

For professionals: anticipate rather than react

The best disciplinary defence is built before an incident occurs. Several concrete measures are essential:

  • Document information governance. Security policies, access logs, staff training records: documentation is the first line of defence against allegations of negligence.
  • Prepare an incident response plan. Knowing what to do, who to contact, and what to communicate within the first 24 hours of an incident can make a considerable difference, both operationally and from a disciplinary standpoint.
  • Consult a lawyer promptly in the event of an incident. The dual nature of cyber incidents, both regulatory and disciplinary, warrants immediate legal analysis. Disclosure obligations, notification deadlines, and communications management are all areas where a misstep can significantly increase exposure.

For professional orders: a risk to be managed proactively

Issuing clear guidelines, raising member awareness of practice-specific risks, and developing self-assessment tools would help reduce the frequency of incidents and establish the standards against which future breaches will be judged.

Conclusion

Cybersecurity is no longer the exclusive domain of IT departments. For regulated professionals, it has become a component of competent and ethical practice. Ignoring this shift means risking that a technical incident turns into a disciplinary crisis.


This article was provided by Lanctot Avocats


[1] Professional Code, CQLR c C-26, art 60.4.

[2] An Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25.

[3] Act respecting the protection of personal information in the private sector, CQLR c P-39.1, art 91.

[4] Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings No. 2020-005: Investigation into Desjardins' compliance with PIPEDA following the security breach of personal information between 2017 and 2019, 14 December 2020, online: <priv.gc.ca>.

[5] Personal Information Protection and Electronic Documents Act, SC 2000, c 5 [PIPEDA].

[6] Ibid, Schedule 1, Principle 4.1.

[7] Ibid, Schedule 1, Principle 4.5.

[8] Ibid, Schedule 1, Principle 4.7.

Lawyer(s)

Tarik-Alexandre Chbani

Firm(s)

Lanctot Avocats