The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/1130923
w w w . c a n a d i a n l a w y e r m a g . c o m J U N E / J U LY 2 0 1 9 39 I n 2019's online environment, experts in cybersecurity say businesses that handle personal information need to know that protecting themselves from liability is not a matter of if a data breach occurs but when. In 2017, hackers broke in and accessed the names, addresses, social insurance numbers and other personal information of 143 million people, including 19,000 Canadians, in their assault on Equifax Inc. On April 9, the Office of the Privacy Commissioner released its report on the incident. The OPC's findings indicate an intention to push Canada's privacy regime toward stricter consent requirements and provide a cautionary tale to organizations that handle Canadians' personal data, say privacy lawyers. Equifax Inc. and its Canadian subsidiary, Equifax Canada, were responsible for inadequate security, holding information too long, a lack of accountabil- ity and weak protection measures offered to those affected after the breach, according to the OPC. Canadians became ensnared because Equifax — the credit-reporting and data analytics company — sent credit monitoring and fraud alerts to the U.S.- based parent company for processing. This led the OPC to recommend that, despite pre- vious guidance to the contrary, an organiza- tion handling the personal data of Canadians needs to get consent from everyone whose data is being held before that data is sent outside of Canada. OPC communications advisor Corey Larocque says that, during the OPC's inves- tigation into Equifax, "several complainants" said they were surprised their information had been sent to the U.S., so the OPC examined its trans-border data-transfer policy under the Personal Information Protection and Elec- tronic Documents Act. The OPC initiated a consultation period that was supposed to run until June 4. However, on May 31, Canadian Lawyer reported that the OPC had suspended the consultation. Lisa Lifshitz is a partner at Torkin Manes LLP and her practice focuses on informa- tion technology and business law. She says it appears the OPC is reinterpreting PIPEDA to keep it from falling behind the European Union's General Data Protection Regulation. If PIPEDA is not in line with the GDPR — seen around the world as the gold-stan- dard data-security regime — the EU may A pre-breach plan can help ensure compliance with increasingly specific regulatory requirements By Aidan Macnab PREPARING FOR THE INEVITABLE HACK C Y B E R S E C U R I T Y L E G A L R E P O R T HUAN TRAN