The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/1499770
44 www.canadianlawyermag.com "Data is like toothpaste. Once it comes out, it's out, and there's no way to get it back in" David Mousavi, NRT Technology FEATURE PRIVACY AND DATA to create a "data security matrix" that looks at where the data is, who accesses it, where it's stored, and how it is managed and used. "From our data matrix, it helps inform how we train employees and make sure our team members in the organization know their obli- gations," says Mousavi. "That's where we talk about logging off computers when you leave, other basic practices. It sounds simple, but these things are how breaches can happen." Data and privacy Significant legislative changes are happening that will affect data, privacy, and cybersecurity. Bill C-27, the proposed artificial intelligence and data act, deals with reforming the Personal Information Protection and Electronic Documents Act (PIPEDA), creating a new privacy tribunal, and implementing AI regula- tion. Bill C-27 would significantly increase fines for non-compliance. The legislation aligns with Europe's General Data Protection Regulation (GDPR). Quebec passed similar privacy legisla- tion last year and is the first province in Canada to do so. "Privacy laws were vanilla in the past," says Helen Deschamps Marquis, national leader in cyber, privacy, and digital law at Deloitte Legal Canada. "Privacy officers know about the data, IT knows about performance, and general counsel know about legal risk. Privacy officers were managing data and dealing with processes. Once you have stronger laws, you need to look at legal risk. You need to have a different approach." Organizations that incorporate privacy into their systems are at a competitive advantage with consumers and in recruiting employees. Deschamps Marquis recom- mends that organizations do a gap assess- ment to determine where their data is stored and identify policy gaps. "The challenge for GCs is not under- standing the law but getting informa- tion and asking the right questions," says Deschamps Marquis. "Some people think their organization doesn't have data. They say no, but then you find out they track people, for example, through marketing applications. You need an assessment to find out what is the current situation." Another central area for improvement is the use of multiple systems. Many organiza- tions use various databases and software that don't necessarily share information easily. Deschamps Marquis says this is a serious cybersecurity issue when employees are given access to large amounts of data because systems can't talk to each other. "I was talking to a financial institution yesterday, and they mentioned how people need access to this one system for work, and they have access to everything," says Deschamps Marquis. "That's a problem. We shouldn't be sharing all the information, just what you need. Most general counsel don't have a complete picture of who has access, who is giving access, and how information is deleted." Deschamps Marquis recommends incor- porating privacy-by-design principles into systems, which includes having privacy as a default setting, ensuring data is destroyed when no longer needed. Also, "You need to take a privacy-by-design approach where your systems are transparent, and people are able to see how the data is being used," says Deschamps Marquis. Managing data and legal risk As the amount of data increases, so does the work. The new legislation takes a big step toward more user protection but needs to be more comprehensive. There are still ongoing issues in data privacy and risk. Cybersecurity is a growing practice that's come into prominence in the past 10 years. Imran Ahmad started his cybersecurity prac- tice in 2013. His practice picked up when the Target breaches occurred in 2014, affecting millions of Americans and Canadians. He wrote the first cybersecurity textbook, Cybersecurity in Canada: A Guide to Best Practices, Planning and Management, in 2017. He recommends that in-house counsel look for support when making data decisions. "The bigger issue is timelines and having to make quick decisions," says Ahmad, partner, head of technology, and co-head of informa- tion governance, privacy, and cybersecurity. "You have to have the right vendors, and you need a plan on how to manage this. For example, when you're handling a merger, you have to make a decision in a few hours, and you can have a forensic firm there for advice about the cybersecurity risks." More data breaches have led to increased costs in cybersecurity insurance. Cybersecurity insurance covers various costs, from legal and CYBERSECURITY TRENDS IN 2022 30 percent of organizations experienced a data breach 15 percent of organizations reported a loss of customers following a cyberattack 30% 15% Sources: Canadian Internet Registration Authority (CIRA) 2022 Cybersecurity Report