The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/918234
www.CANADIANLawyermag.com JANUARY 2018 51

…es approach when it comes to breach reporting, which means "if you're going to report in one you're going to report in all." But she acknowledges you can't say that across the board — best practices vary from company to company and industry to industry, depending on the sensitivity of the information. "You could be reporting in another jurisdiction where literally the stress of reporting the breach might cause more damage than the breach itself," she adds.

De Rico says the difficulty is finding that gold measure. There are international third-party standards such as the ISO/IEC 27001 standard or business-specific standards such as the Payment Card Industry Data Security Standard that De Rico uses as tools to give him a measure of compliance.

Though he doesn't encourage litigation, De Rico notes that courts give guidance as to what the standard is that needs to be followed. A few class actions that have been introduced and authorized in Canada — Condon c. Canada, Belley c. TD Auto Finance Services Inc./Services de financement auto TD inc. and Zuckerman c. Target Corporation — will "allow us to see actual situations where organizations will either be classified as having been diligent in the way they deploy processes, procedures and security measures or will be condemned because of a deficiency in the way they did it," he says. "Information security is a difficult field to identify those levels because it's constantly moving."

In September, the government released proposed Breach of Security Safeguards Regulations giving more information about amendments from the Digital Privacy Act that impact Canada's Personal Information Protection and Electronic Documents Act.
The government states the key change is the establishment of mandatory breach reporting, and the aim is to "codify existing best practices" and harmonize Canada's regime for reporting with those of other jurisdictions — currently, only Alberta has mandatory reporting requirements — and "reducing the burden of reporting for organizations operating in multiple jurisdictions."

Hulton predicts 2018 will be the year the regulations come into force. "Its implications must be considered when developing corporate legal policies and incident response plans dealing with data breaches that cross the border," she says.

"We need the Canadian regulations to be formalized so we know where we stand," Kolnhofer says. "What's intended with these new regulations is to get us more up to speed and on par with other initiatives around the world."

A harmonized approach to breach reporting across Canada "would be the dream," Hulton says, but there are the provincial laws to take into account that may impact different sectors' comfort levels with the changes.

With the regulations imposing more obligations on businesses, some clients have been less than receptive, but Hulton says "we can usually talk them down — it's always fear of unknown."

It's an education process, Kolnhofer says, because "anything that imposes requirements that involve restructuring or an infusion of financial obligation to upgrade an infrastructure is always going to be resisted," especially by smaller and mid-size businesses.

"The way we address it is to suggest this is actually a positive change for the business as well," Kolnhofer says. "It's ultimately for their protection because it will require them to have protections upfront, the idea being you have less risk of being breached."
Mandatory reporting puts everybody on the same playing field, which is an advantage, De Rico says, as some mature businesses whose inclination was to report in all jurisdictions in the event of a breach, legal obligation or no, hesitated because of the reputational risk of doing so. That won't be an option because of the broad definition of risk, which if reached would trigger the mandatory reporting.

"It will be very difficult for someone like me to say, in light of a breach, that there is no risk in the sense of how it is defined in the regulation," says De Rico.

Kolnhofer agrees that the wording is vague, saying what's concerning is the "real risk of significant harm" as sort of a breach threshold. "We're going to see that lead to some litigation or possible issues in terms of how the government is going to decide whether there's been compliance or not, particularly where they're imposing monetary fines and how is that going to be measured," she predicts. "That seems to be a predominant area of ambiguity."

De Rico thinks the new Canadian regulations will mean more work for cybersecurity lawyers as many businesses "will have difficulty meeting their obligations because there hasn't been that much incentive in deploying the resources to secure networks and secure data storage environments."

"You go from the micro or small business, pass by the mid-size business to the telco or bank — within that range you find everything. You find . . . robust processes and you find the desert," he says.

"You could be reporting in another jurisdiction where literally the stress of reporting the breach might cause more damage than the breach itself."
Wendy Hulton, Dickinson Wright LLP