The Annual Privacy Governance Report 20164 recently published by Ernst & Young and the International Association of Privacy Professionals states that privacy is now a board-level issue for 73 per cent of all organizations. Specifically, 14 per cent of Canadian privacy professionals are reaching the C-Suite and more than 50 per cent of privacy leaders are within two rungs of the CEO position.
Upon security breaches taking place, privacy commissioners will often take the opportunity to provide guidance as to what types of measures are adequate under applicable data protection laws. In recent months, many regulators have provided guidance on the development and implementation of adequate cybersecurity measures and protocols. Businesses therefore have to stay up to date on the data privacy and security legal guidance which is quickly evolving. With the new Personal Information Protection and Electronic Documents Act (PIPEDA) breach notification and recordkeeping requirements coming into force in the near future, providing that it will be a criminal offence for an organization to knowingly fail to report breaches, punishable by significant fines, many businesses are preparing by investing in breach incident management response plans, adopting relevant breach response and recordkeeping policies, and training their staff on how to report and adequately respond to security breaches.
Following the Ashley Madison security breach, which exposed the personal information of some 32 million users of the online dating website, the Office of the Privacy Commissioner of Canada released an important report which raised a number of key elements and recommendations for all organizations subject to the federal PIPEDA. The report sheds light on several issues, such as the need to implement safeguards supported by an adequate information security governance framework; the risks associated with charging a fee for the deletion of user profile information; the issues pertaining to the long-term retention of information contained in inactive or deactivated customer profiles; the importance of email verification (when collecting email addresses); and the impact of false or misleading security seals or icons.
In last year's report, we discussed the growing trend towards privacy class actions being filed following a security breach or a business practice breaching applicable data protection laws. We note that there are currently 33 privacy breach class actions pending in Canada. While cases like Ashley Madison get most of the attention, there are more internal privacy breach cases than external ones: 79 per cent of pending privacy breach class actions are employee-generated. In 2016, settlements were reached in two privacy class actions cases, which may provide incentive for additional claims being filed in the future, if they are not being litigated.
New technologies are also presenting additional privacy and data security challenges. Wearable technologies and related apps and services, which can use sensors to collect environmental, behavioural, and social data from consumers or employees are gaining in popularity. With the Internet of Things, seemingly mundane everyday devices are fitted with microchips, sensors, and wireless communication capabilities. These recent innovations may trigger additional privacy and data security challenges that have to be considered when a business is assessing its legal risk exposure.
Footnote
4 https://iapp.org/media/pdf/resource_center/IAPP%202016%20GOVERNANCE%20SURVEY-FINAL3.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.