Privacy, Data Security and Anti-Spam Compliance
Download as PPTX, PDF0 likes1,148 views
This document discusses privacy, data security, and anti-spam compliance. It covers privacy legislation in Canada including PIPEDA, and outlines new provisions regarding applicants for employment and sharing personal information to investigate breaches of law. Regarding data security, it discusses regulatory frameworks and standards from OSFI, CSA, and PIPEDA. Breach notification requirements are outlined. Finally, the document discusses CASL spam regulation including express consent requirements and recent enforcement actions.
Privacy, Data Security and Anti-Spam Compliance
- 1. Privacy, Data Security and Anti-Spam Compliance Privacy, Data Security and Anti-Spam Compliance March 29, 2017 Dan Michaluk
- 2. Privacy, Data Security and Anti-Spam Compliance Dan Michaluk I daniel-michaluk@hicksmorley.com
- 3. Privacy, Data Security and Anti-Spam Compliance Overview • Privacy compliance • Data security • Anti-spam
- 4. Privacy, Data Security and Anti-Spam Compliance Privacy Compliance
- 5. Privacy, Data Security and Anti-Spam Compliance Commercial sector privacy legislation • PIPEDA (federal) • BC PIPA • Alberta PIPA • Manitoba PIPA • Quebec Act
- 6. Privacy, Data Security and Anti-Spam Compliance Privacy legislation in four bullet points • Regulates flows of personal information – collection, use and disclosure • Flows must be authorized, for reasonable purpose and necessary • Accountability – structural, mandated openness, via access • Reasonable data security – accuracy/integrity + protection 6
- 7. Privacy, Data Security and Anti-Spam Compliance What’s new – PIPEDA now applies to applicants • S-4 amendment changed the application provision of PIPEDA – 4(1)(b) • Now applies to “an applicant for employment” • Creates new constraint on Bank screening processes • OPC can judge if a collection and use is reasonable • Beware of Mark’s Work Wearhouse in Alberta regarding the use of credit profile information (P2010 IR 001) 7
- 8. Privacy, Data Security and Anti-Spam Compliance What’s new – Guidance on investigations • Can now share PI to investigate and to prevent breaches of law • OPC issued warning in March 2017 • Carry out due diligence and exercise good judgement when availing themselves of these exceptions • Carefully consider each of the requirements explicitly outlined in the provisions • Take care to ensure the limits set out in these provisions are respected 8
- 9. Privacy, Data Security and Anti-Spam Compliance Data Security
- 10. Privacy, Data Security and Anti-Spam Compliance The context 10 Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA
- 11. Privacy, Data Security and Anti-Spam Compliance The regulatory framework • Privacy legislation • Reasonable security • Breach notification in Alberta and soon under PIPEDA • Bank Act and OSFI • Securities and market participant regulation 11
- 12. Privacy, Data Security and Anti-Spam Compliance The standard – Ashley Madison report • Having documented security policies and procedures is a basic organizational security safeguard • Conducting regular and documented risk assessments is an important organizational safeguard in and of itself • Use multi-factor authentication for remote administrative access 12
- 13. Privacy, Data Security and Anti-Spam Compliance The standard – OSFI self-assessment guide “Desirable properties and characteristics of cybersecurity practices” in six areas • Organization and resources • Cyber risk and control assessment • Situational awareness • Threat and vulnerability risk management • Cybersecurity incident management • Cybersecurity governance 13
- 14. Privacy, Data Security and Anti-Spam Compliance The standard – OSFI Guideline B-10 (Outsourcing) • FRFIs are to • Evaluate the risks associated with all existing and proposed outsourcing arrangements; • Develop a process for determining the materiality of arrangements; • Implement a program for managing and monitoring risks, commensurate with the materiality of the arrangements; • Ensure that the board of directors, chief agent or principal officer receives information sufficient to enable them to discharge their duties under this Guideline; and • Refrain from outsourcing certain business activities to the external auditor 14
- 15. Privacy, Data Security and Anti-Spam Compliance The Standard – CSA Staff Notice 11-332 • CSA says, “Hey! This is important!” • Refers to 13 documents as “useful” • No one size fits all, but here are 11 very general prescriptions – including on employee awareness, incident response, vendor management 15
- 16. Privacy, Data Security and Anti-Spam Compliance Notification – Under PIPEDA (Pending) • Reasonable to believe a real risk of significant harm • To individuals and to OPC as soon as feasible • To other organizations and government if could reduce risks or mitigate harm • Record of all breaches of security safeguard to be kept and provided to OPC on request 16
- 17. Privacy, Data Security and Anti-Spam Compliance Notification – CSA Staff Notice 51-347 In considering whether and when to disclose a cyber security incident, the issuer must determine whether it is a material fact or material change that requires disclosure in accordance with securities legislation… Materiality depends on the contextual analysis of the cyber security incident. While an isolated cyber attack may not be material, a series of or frequent minor incidents may become material in light of the level and type of disruption caused. 17
- 18. Privacy, Data Security and Anti-Spam Compliance CASL
- 19. Privacy, Data Security and Anti-Spam Compliance How CASL spam regulation works • Everything’s a CEM – a commercial electronic message – unless it isn’t • Default – express consent to send a CEM • Implied consent deemed in some circumstances • Convey certain information in a CEM • Provide and administer an opt out 19
- 20. Privacy, Data Security and Anti-Spam Compliance CASL enforcement activity to date • Compufinder (2015 notice of violation) - $1.1 mill • Porter (2015 undertaking) - $150,000 • Plentyoffish (2015 undertaking) - $200,000 • Rogers (2015 undertaking) - $48,000 • Blackstone Learning Corp (CRTC 2016-428) - $50,000 • William Rapanos (CRTC 2017-65) - $15,000 20
- 21. Privacy, Data Security and Anti-Spam Compliance What’s new – Pending private right of action • Implements (essentially) a private prosecution regime • Three year limitation period • Barred by pre-emptive regulator enforcement • Order may be made • Compensation for special damage (if any) • Defined amounts per contravention • Orders guided by factors 21
- 22. Privacy, Data Security and Anti-Spam Compliance Privacy, Data Security and Anti-Spam Compliance March 29, 2017 Dan Michaluk