Continuity Podcast - Privacy And Data Breaches: Mitigation, Legislation And Litigation

Charles:

Hi, I'm Charles Sieuw.

Jordan:

And I'm Jordan Virtue, and this is the Continuity podcast.

Charles:

As we come to the end of Cybersecurity Awareness Month, we wind up with a conversation on the Canadian privacy landscape.

Jordan:

Privacy legislation is continuously evolving, and so are the cyber-attacks. It's important for organizations to stay informed and be prepared to protect themselves and other stakeholders.

Charles:

In today's episode, we will hear from Sunny Handa, de Lobe Lederman, Jenna Green and Renee Reichelt, lawyers in our Cybersecurity group, who will put a spotlight on how to mitigate the risk of a data breach and a potential class-action lawsuit.

[music]

Jordan:

Sunny, cybersecurity has grabbed so many headlines this past year, particularly with respect to ransomware, but are there other types of attacks that organizations should be worried about?

Sunny:

There are a lot of different types of attacks, but I think the one I'd like to focus on for this answer is "business email compromise." Business email compromise, or BEC, as we call it, is where someone takes control of your email box. It's one of the easiest hacks to accomplish because all you need to do is get somebody's password.
There are many systems that still, today, don't have what we call multifactor authentication. In other words, you need your password and some other credential, perhaps a code that's generated on your smart phone, to log in. If you lose your password, your entire email box becomes at risk, and it can either be moved out of your company with all of the email that's in there, and we've had clients where they've had 20- to 25-years' worth of email and everything they've ever done has gone, or somebody can get in there and start to play around with your email box and start to generate requests within your organization.

Jordan:

And what else can organizations do to protect against a breach?

Sunny:

Well, the first thing that you should do, just from a planning perspective, is hire a breach coach. There are a handful of breach coaches in the marketplace. We have that breach coach function here at Blakes, and we provide that service, but there are others that do as well. These are folks that can guide you through preparedness, but they can also guide you through an incident when it's happening. Have someone like that engaged, before the incident happens, it makes life so much simpler.
Adopt multi-actor authentication ? we've talked about that already. Turn off certain services. So remote desktop, in other words, where you can log into your computer remotely, turn that off, you know, make sure that your IT team understands whether you need to do it, and if you do, has secured it properly.
With business email compromise ? we've talked about that ? turn off certain protocols: IMAP, POP. They allow your entire email box to be exfiltrated very simply.
Don't use old operating system software. They are easy to break into. If you see an update available, apply the update. We're seeing a lot of attacks happen during the period when a patch is released, and the vulnerability is therefore declared, to the point where people patch it.
So, simple things. This isn't rocket science; it's just a little bit of vigilance can go a long way.

Charles:

de lobe, are there any changes on the horizon for the Canadian privacy landscape?

de lobe:

Yeah, it's actually a super interesting time to be practising in the privacy space, because we're seeing a number of changes to the legislative landscape that are likely to materially impact how businesses across Canada manage compliance with privacy on a go-forward basis, and these changes are at different points across Canada.
On one side of things, you've got Quebec's Bill 64, which very recently received the royal assent and has really set the tone for what modern private-sector privacy legislation may look like in Canada. On the other side, you've got jurisdictions like Ontario and Alberta that are currently consulting with stakeholders and industry groups to see what changes should be made, or could be made, to their respective regimes to keep up with changing times.
And, of course, the completion of the federal election means we're also likely to see some movement on that front now as well.
But the long and short of it is this: paradigms are shifting across Canada and it's going to be important for businesses to keep their ears to the ground and stay current with these changes as they move forward.

Charles:

And, as a result of these changes, what are some of the issues that organizations may have to face?

de lobe:

Yeah, yeah, it's a good question. So, the devil's really going to be in the details with all of these things, and we won't really know for sure until we actually see the final version of any statutes.
But I think that one thing most practitioners in this space will agree on is that we're moving towards more onerous privacy standards across Canada, and that's because the perceptions that legislation hasn't really kept up with the pace of technological change, and regulators don't, at present, really have great tools for holding entities accountable for non-compliance. And for this reason, we're likely moving towards more of a European, or GDPR, as it were, standard for privacy regimes in Canada.
And in terms of what this means for businesses, I'd say the main point is that there's going to be an increased need to be cognizant of the aspects of the business that touch on personal information and really engage privacy protections. Regulators are going to expect businesses to be accountable for the information they collect and to make sure that they're complying with the letter of the law, and the risk of not doing so is going to be higher going forward.
And I expect that a common theme across legislation will be the prospect of substantial fines for non-compliance with any new standards that are brought into force.

Jordan:

Jenna, what are we seeing in terms of privacy and data breach class actions?

Jenna:

Well, as we've seen more data breaches, as a result, we are seeing are seeing increased litigation, including class actions. Specifically, we're seeing class actions arise in situations where the media has reported on a data breach. These are generally against social media companies, retail companies, companies in the health-care sector.
The majority continue to be traditional data breaches, but we're also seeing some claims in employee snooping and in corporate misconduct and misuse of the data.
This year, in 2021, there have been a handful of certification motions, but plaintiffs have been struggling to show that their personal information was used by a bad actor in a way that created harm. And to certify a class action, you need to show that your personal information was used in a way that was harmful, not just that it's out there and that you fear that it could cause you harm. Harm is not always required, however, specifically in Ontario where there is a tort called intrusion upon seclusion.

Jordan:

Can you tell us more about intrusion upon seclusion and what this means in the data breach context?

Jenna:

Yeah, so for a while we were seeing that plaintiffs add this claim to every single class action that was out there.
This summer, however, an Ontario divisional court overturned a certification decision of this type of claim. This was a case of Owsianik and Equifax, and here, the company was the victim of the data breach, and the court held that this tort does not apply in cases where it was a database defendant. It's really more to compensate an individual for the humiliation and emotional harm that one suffers when there's been a personal intrusion into their private affairs. And here, when the company was the victim of the data breach, this really came down to reckless storage.
And two months after this decision, another Ontario court held that a reckless failure to prevent an intrusion was not an intrusion upon seclusion.
So, this will likely change the landscape of the claims that we're seeing, especially in the provinces where this tort has not been recognized.

Charles:

Renee, I understand that this year we had the first class action relating to loss of personal information determined on its merits. What can you tell us about this?

Renee:

So, this was a class action brought against IIROC, which is the Investment Industry Regulator Organization of Canada, after an IIROC inspector left an unencrypted laptop on a train. The device was merely password protected and contained personal information belonging to thousands of Canadian investors. The unidentified device was never found.
Now, when they dismissed the class action, the Quebec Superior Court held, first, that the fears and the inconveniences suffered through the loss of their personal information didn't constitute compensable damages; second, the court held that the evidence didn't support that the computer or the information ended up in the wrong hands; and finally, the court held that IRROC reacted diligently, that its unintentional faults and its subsequent conduct didn't justify ordering punitive damages.

Charles:

What does it look like for litigation going forward?

Renee:

Well, in Canada, we've begun to see claims where directors and officers are named as defendants in privacy class actions. This has been happening for several years throughout the United States, and some of those claims have been struck out until recently, when the U.S. courts have started to allow some to proceed to determination. We expect that this trend will also continue in Canada.
We're also seeing a general awareness of the importance of cyber incidents and reporting. Going back to IIROC, in April of 2018, IIROC introduced mandatory reporting of cyber incidents by dealer members, and in August of this year, we saw federally regulated financial institutions being required to report technology and cybersecurity instances to their regulator within 24 hours.
So, this is showing a general trend towards taking cyber risks seriously, and we expect this to become more common across other industries as well.

Charles:

Sunny, de Lobe, Jenna and Renee, thank you for joining us today to talk to the importance of being vigilant and planning ahead to avoid a cyber breach.

Jordan:

Listeners, for more information on our Cybersecurity group, please visit blakes.com.

Charles:

Until next time, stay well and stay safe.