The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/1130923
www.canadianlawyermag.com JUNE/JULY 2019 41 LEGAL REPORT

tive toward, but he says organizations are often reluctant to set up pre-breach protection measures. Toledano recommends his clients hire a privacy officer — someone to conduct audits, be the point of first contact when a breach occurs and liaise with the privacy commissioner and other government agencies — a tough sell, as companies don't tend to want to hire anyone unless it's essential.

"It's very challenging to go and get their buy-in on it before they've actually had the breach. Once they have the breach, they're all buying in," he says.

Since Nov. 1, 2018, private sector organizations hit with a breach have faced strict reporting requirements. If there is risk of significant harm to those whose data is compromised — the ROSH test — all individuals affected and the office of the privacy commissioner need to be notified. But also within the 2015 amendments to PIPEDA, says Ahmad, is a requirement to track any cyber-incident or breach that has occurred within the organization, even if the incident doesn't meet the ROSH threshold. This can even include an employee who lost a laptop with encrypted data but found it soon after, says Ahmad.

"But you need to now, in a ledger, keep a record of that incident for a period of two years. And the regulator can literally knock on your door and say, 'Can I see your register, please?' And you have to basically present it to them; it's a real compliance requirement and potentially there are fines for non-compliance if you don't," he says.

In his practice, Ahmad is now seeing more proactivity by data-holding organizations. While organizations traditionally focused on cyber-incident response, in the past 18 months he has seen time and money spent on designing a comprehensive pre-breach plan.

A data inventory is key, he says, because knowing where the data is kept, how it is kept and what kind of data is kept will be essential when a breach occurs. A pre-breach plan includes vendor management and proper vetting of any third party with which an organization shares data because, if the breach occurs with that third party, the organization is on the hook under Canadian and other privacy laws around the world. Ahmad's clients are revising contracts to include clauses requiring third parties to notify the organization within 24 hours, to co-operate with it in the investigation and to agree on an indemnification if a breach occurs. The function provided by breach coaches — lawyers who guide organizations through data breaches when they occur — is beginning to be handled before the problem arises, which makes the problem less serious when it happens, he says. It also ensures that "that response is much more effective because we've invested time on the front end and significantly reduced our costs," he says.

The less data an organization stores, the less serious a security breach is, says Susan Wortzman, a partner at McCarthy Tétrault LLP in Toronto. She founded Wortzmans, a law firm specializing in the management of digital information, which is now called MT>3. It was acquired by McCarthy Tétrault in 2016. Wortzman is now the firm's go-to on e-discovery and information management.

Wortzman says a key to protecting against data breaches is the same advice she used to give clients who were hiring her to handle their e-discovery and wanted to reduce their costs — better data governance and stop hoarding.

"Stop keeping everything forever," she says. "Everybody thinks they need to keep all this information forever. All it's really doing is creating this huge risk.

"Most of our clients are sitting on . . . between 15 and 30 copies of every email [and] every document. . . . If you just did better data governance and you got rid of all of that, you can be getting rid of 70 per cent of your data," she says. "[Clients say,] 'This was so important. I worked on this transaction — it was two years of my life. There's no way I'm getting rid of all these records relating to this deal.' And 10 years later, they've still got some PST file stashed away with all this data that they're never going to look at again. . . . It's definitely the hoarder mentality."

"I just think that's going to throw the whole of outsourcing into disarray. . . . I can't really think of a situation nowadays where organizations process their own data." — Bernice Karn, Cassels Brock & Blackwell LLP