Legal news and trends for Canadian in-house counsel and c-suite executives
Issue link: https://digital.canadianlawyermag.com/i/479188
April 2015, INHOUSE, page 34. Industry spotlight
of the recent news to kick-start a conversation among the stakeholders who can help get that plan going.
Determine legal's role and contribution to ongoing organizational reviews
Some of the attacks and data breaches that have taken place involved techniques that would have been unthinkable years ago. As a result, corporate counsel may not be prepared to know all the potential threats, but the scope of their responsibility for data-breach mitigation or notification needs to be well-understood.
"Legal is always the quarterback in these matters," says Jason Maloni, senior vice president and litigation practice chair at Levick in Washington, D.C. In March Maloni will be in Ottawa for a Conference Board of Canada event dedicated to cyber security, where he will discuss tips for addressing the fallout from data breaches.
Of course, the in-house team may turn to external counsel, but avoid a jack-of-all-trades, Maloni says. "I can't state how important it is not just to have a lawyer involved, but the right lawyer involved. With health-care records, you need someone who understands the health-care legislation. If you're dealing with payment data, it's got to be someone fluent in those transactions. One lawyer is not like another lawyer."
Kerr says she serves in more of an advisory capacity at Fraser Health Authority, where data protection falls under the information management team. However, Chantal Bernier, counsel with the privacy and security practice at Dentons Canada LLP, suggested there is sometimes an "over-delegation" of IT security to the CIO.
"General counsel has a crucial interpretative role, almost a translator's role, in the sense of interpreting the legal principles to ensure they are met in a variety of constantly changing technical applications," she says.
Kerr suggests in-house lawyers may also help remind the organization that organizational reviews of risks and data-breach plans are never fully complete.
"You're always a step behind the changes in technology, but that's part of the reason why the idea of doing a privacy and risk assessment is a living process, a living document," she says.
Answer the question, "What have we got to lose?"
Part of what makes data-breach mitigation and notification so challenging is what Kardash calls "data ubiquity" — the fact that information is now distributed across organizations, fed to mobile devices, sitting on the servers of third-party vendors and suppliers via cloud computing and in some cases hosted outside of Canada entirely.
"The harder it is to identify the data in your company and being able to keep that clear, the more you're going to have natural challenges," he says. "That doesn't mean it can't be overcome, it just requires a more vigilant data governance."
Daniel Caron, legal counsel at the Office of the Privacy Commissioner of Canada, suggests data governance should start with minimizing what kind of information is collected. Perhaps because of all the various channels that can collect customer or employee information, too many organizations have a tendency to hoard as much as possible just in case it might prove valuable later. This is one of the concerns U.S. federal telecommunications chairwoman Edith Ramirez recently raised in a speech about what's called the "Internet of Things," which could potentially mean data gets exchanged between everything from laundry machines to thermostats.
"If you don't have the data in the first place, you can't get breached," Caron says.
After minimizing data collection, consider isolating or at least making sure what's critical has a greater degree of encryption or other protection, Bernier suggests.
"You know you'll be breached, but the breach will not be consequential, because the personal information, the critical information, is secured or is segregated in a manner that makes it hard to reach," she says.
Information also changes shape considerably over time. Just ask Kerr, who points out that what we once thought of as a patient record — a piece of paper with a doctor's near-illegible scrawl — now may be just one component of a multimedia file exchanged across institutions.
"It does make things very complicated in terms of figuring out how to strike the balance between the need to share information, which is legitimate, but also the need to protect information appropriately so that people who don't need it don't have access to it," she says.
Maloni offers a good way to test this: Once you know what's valuable, where do you keep it? "Too many folks would struggle to answer that question," he says.
Take the data breach plan beyond the boardroom
Conversations about risk mitigation and notification may start out at the top, but that's not where they should end.
"It's about discussing [the plan] with front-line managers to make sure they put into practice whatever is set up. It's not a job for one person," Caron says. "You can have those at the top setting up the strategy and the structure, but employees must know what the strategy is and know the importance of protecting information."
For Kerr, it's a matter of articulating when the alarm bells should go off, and who should hear them. "I think a big issue is whether or not your employees recognize that there's been a privacy breach," she says.
She gives the example of a home-health nurse who may have lost her bag on a subway or B.C.'s SkyTrain. That should prompt an immediate discussion about what might have been in the bag — physical records, a BlackBerry, or laptop with electronic patient files — and what can be deleted remotely.
"Staff need to know both what they should and shouldn't be doing with information, but when it gets compromised, to recognize it immediately and report it up the chain as your breach policy requires," she says.
Before you notify, think through what you're saying — and how
When the worst happens and an organization
"We're already seeing a palpable change across our client base and in a number of different sectors in how senior management and those at the board level are addressing cyber-security threats."
Adam Kardash, Osler Hoskin & Harcourt LLP