Legal news and trends for Canadian in-house counsel and c-suite executives
Issue link: https://digital.canadianlawyermag.com/i/893236
NOVEMBER 2017 20 INHOUSE

Under PIPEDA's mandatory reporting and notification regime, organizations that experience a data breach must report the incident to the Office of the Privacy Commissioner of Canada and notify affected individuals.

Naïm Antaki of Gowling WLG (Canada) LLP says clients have asked what it all means. From a business standpoint, compliance is top of mind, but how do you translate it into operational efficiency?

"It's very rare businesses will be organized on a geographical basis. Often, it is by business lines that cover various jurisdictions, so the question is what more do I need to be doing than I'm already doing?"

It will require collaboration from not only the legal department but also the IT department, risk management — it will be a team effort, says Antaki.

Notification is required in all circumstances where it is reasonable to believe that the breach creates a "real risk of significant harm to the individual," which is defined to include humiliation, damage to reputation or relationships and identity theft. PIPEDA indicates that the notice must be given in the "prescribed format," which is now outlined within the proposed regulations.
The report to the commissioner and notification to the affected individual will contain:

• Description of the circumstances of the breach (and in the case of the report to the commissioner, if known, the cause);
• The day on which or period during which the breach occurred;
• A description of the personal information that is the subject of the breach;
• A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
• A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm (and in the case of the report to the commissioner, a description of the steps the organization has taken to reduce the risk of harm).

For the notification to individuals, the organization must provide a toll-free number or email address for the affected individual to obtain further information, and it must provide information about the organization's internal complaint process and the affected individual's right to file a complaint with the commissioner.

For the report to the commissioner, the organization must provide an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm, a description of the steps that the organization has taken or intends to take to notify each affected individual and the name and contact information of a person at the organization who can respond to questions about the breach.

While big organizations have largely been working toward this for some time, it's the smaller organizations that will do it when they have to, but now is a good time to start getting procedures in place, as there is potential civil liability just for failing to notify now.

"That's a new thing for plaintiff side counsel to play with that we haven't had before," says Brent Arnold, partner with Gowling WLG.
"There's a greater compliance cost than there would be without the reporting regimen. Some organizations get hit with hundreds of thousands of breaches a year so, for some organizations, this will be something that ends up being a full-time job for some people. Get ready is what my overall advice would be."

Antaki says small organizations can look at things broadly such as IT policies and contracts and make sure third-party providers notify you if something happens with them.

"One of the key things is the concept of control — it's not necessarily who has custody of the information but who has the control of the information based on the principles already in PIPEDA. If you outsource some of those obligations, you have to make sure you have the contractual obligations in place in order to respond to what you need to do," he says.

Insurance is another important element. From a cybersecurity standpoint, do you need to consider getting cyber-insurance?

4. ENVIRONMENT: CLIMATE CHANGE INITIATIVES

The interest in addressing climate change has historically been cyclical, most recently going back to former U.S. vice president Al Gore's An Inconvenient Truth in 2006, but environmental lawyers believe interest is gearing back up, in some part due to increasingly extreme weather events as we saw this past summer, causing more momentum at the regulatory level.

"I think there is a growing understanding that what we're seeing in short-term weather patterns is unusual. People haven't experienced these types of weather events so severely or so close together in the past, and I think that is at least driving a conversation," says Tyson Dyck, partner in the environmental practice at Torys LLP. "There's been more of an appetite for government regulation only to see it fall away."

Ontario plans to join the Québec-California carbon market as of Jan. 1, 2018, under a harmonization and integration agreement announced on Sept. 22.
The Ontario Ministry of the Environment and Climate Change has also proposed changes to its cap-and-trade regulations. This will allow all three governments to hold joint auctions of greenhouse gas emissions allowances and to harmonize regulations and reporting.

"It's been a steep learning curve, but there has been a lot of successes in the Ontario program so far. They had a short timeline to get that program up and running so the way it's rolled out has been quite smooth," says Dyck.

"I think a lot of clients are looking to the horizon and seeing some changes to the program and asking what it will mean for their business," he says.

Ontario's program is approaching some key milestones, but across Canada, various climate change initiatives are taking off. Alberta, for example, launched its Climate Leadership last year and a series of initiatives are being rolled out over a couple of years. Federally, the government has proposed a national price on carbon to work with various provinces to ensure they are living up to the federal benchmark.

It will be interesting to see if Saskatchewan starts its own climate change initiatives with Premier Brad Wall stepping down. "To date, they have been fairly resistant