Privacy by Design and its current role in promoting trust in technologyOneTrust DataGuidance David Krebs and Amanda Cutinha author an article for DataGuidance on Privacy by Design: Digital technology has and is continuing to transform the ways in which we interact with ourselves, each other, and the world at large. However, the benefits... |
2022 Year in Review – legal updates in Canadian marketing, advertising and product compliance2022 proved to be an interesting year in the advertising, marketing and product compliance space in Canada. From changes to labelling requirements for foods and natural health products, amendments to Canada’s Competition Act to address drip pricing, an increased focus... |
Failure to prevent a data breach not equal to invasion of privacy: Ontario Court of Appeal shuts the door on “intrusion upon seclusion” tortThe Ontario Court of Appeal has released a new trilogy of cases regarding the privacy tort “intrusion upon seclusion.” Specifically, whether the privacy tort is available as against commercial entities collecting and storing clients’ personal information, where there was a... |
A to-do list for incident responseCybersecurity incidents and data breaches arise without notice. Your organization may have fallen victim to a cyberattack or you may have received notice from a supplier that they have been attacked. Or perhaps a key employee has lost an unencrypted... |
Tactical and strategic steps for successful cyber incident preparednessTo kick-off this year’s cyber awareness month, we wanted to present an article that would look back on the past year along with our experience counseling organizations, large and small across all sectors, through the ordeal of cyberattacks, data extortion... |
Managing cybersecurity in M&A transactions: How to mitigate risk through due diligenceAs companies have become increasingly technology-driven in recent years, a target’s cybersecurity posture has become a key focal point in the diligence process. The COVID-19 pandemic has made this concern particularly acute: notwithstanding that an increasingly large number of people... |
Takeaways on privacy breach risk assessment and data security programs: Alberta Privacy Commissioner issues breach reportOn July 29, 2022 the Office of the Information and Privacy Commissioner of Alberta (the “OIPC”) issued its report on data breaches (PDF) (the “Report”). Alberta has been the leading Canadian jurisdiction with the most long-standing experience when it comes to reviewing,... |
David Krebs quoted in Canadian Lawyer article on Bill C-26Canadian Lawyer, "‘Vital systems’ cybersecurity law’ will expand information sharing, protect organizations: lawyer" In this article, David Krebs discusses Bill C-26, a two-part piece of proposed legislation which includes the Critical Cyber Systems Protection Act, and its effects: The proposed law would take requirements which already exist for banks under the Office of... |
Bill C-26: A strengthening of Canada’s cyber security through mandatory reporting of cyber incidentsWith the continuing threats posed by cyber criminals, state sponsored attacks, and other cybersecurity issues, the Canadian government has taken steps in line with those recently taken by the US government in order to protect and maintain oversight over critical... |
Federal Commissioner tables recommendations for privacy law reformIn the context of the Canadian Government’s plans to replace the current federal private sector privacy legislation in Canada – The Personal Information Protection and Electronic Documents Act (the “PIPEDA“), the Office of the Privacy Commissioner of Canada (the “OPC“) has... |
French data protection authority fines health software provider €1.5M for failing to protect personal informationCybersecurity attacks, data security, and privacy breaches are no longer confined to the technical and esoteric discussions of lawyers, IT professionals, and privacy communities but rather over the past two years have become part of “coffee row” and “water cooler”... |
Privacy Commissioners take stance against collection of biometric dataThe collection (and over collection) of personal information, cybersecurity incidents, and data breaches have never been more topical. Advancements in technology have led to greater global interaction and allowed for commercial efficiency in a time of limited connection. With advancements... |
Quebec’s new privacy law (Bill 64) is here – Canadian businesses take note!While federal attempts to modernize Canadian law, in the form of Bill C-11, is languishing in privacy purgatory, the province of Quebec has completed the first step of its journey to bring its law in close alignment with those of... |
OSFI updates cybersecurity breach notification requirementsThe Office of the Superintendent of Financial Institutions (“OSFI”) released a new Advisory on Technology and Cyber Security Incident Reporting, effective August 13, 2021 (the “Advisory”) which seeks to govern how federally-regulated financial institutions (“FRFIs”) should disclose and report technology... |
David Krebs quoted in National Magazine article on paying cyber ransomsNational Magazine, "The price of paying cyber ransoms" Big game hunting. That’s what the cybersecurity industry calls targeting large enterprises that cannot tolerate sustained disruptions to their networks, and who are willing to pay large sums of money to quickly see their operations quickly restored following a major... |
Ransomware trickles down into your supply chain – Kaseya cyberattack highlights cybersecurity risks and business impactOver the July long weekend, Canadian, American, and other international businesses were victims of a far-reaching ransomware attack. The REvil group, a ransomware syndicate also known as Sodin or Sodinokibi, are believed to be behind the attack. This gang’s most prominent... |
Cyberattacks in your supply chain – Canada Post data breach highlights risksOver the past twelve months, we have seen more and more clients experiencing a variety of cybersecurity incidents. Most prominently, these have been “business email compromise” incidents as well as malware deployments, such as ransomware attacks. The latter have received... |
Canadian organizations take note – Data Protection Authority fines foreign-based business under GDPR for not having “Article 27” representativeAs we have discussed in several previous articles, Canadian businesses and other organizations can be subject to the European General Data Protection Regulation (“GDPR”) for a number of reasons and in a number of different contexts, be it as a... |
Ransomware – Privacy law, sanctions, and the pandemicIt is trite to say that no matter the sector, size, or location of an organization, cyberattacks can be devastating. As we have seen throughout 2020 and this year in Canada and elsewhere, data breaches and operational interruptions caused by... |
“Made in Canada” – What is happening to Privacy by Design under the CPPA?“Privacy by Design” has long been understood as the “gold standard” of data protection and at the core of how to sustain privacy rights in the digital age. It is a concept that can be said to have been “made... |
Canadian privacy law 2.0: Artificial intelligence (AI) and Bill C-11, the Consumer Privacy Protection ActIn a recent announcement, the Canadian federal Privacy Commissioner of Canada (“OPC”) released a report containing recommendations on how AI should be treated under Canadian privacy law, and what protections need to be in place to ensure AI applications reach... |
Privacy Law & Data ProtectionThe federal Digital Charter Implementation Act was introduced for First Reading on November 17, 2020 as Bill C-11. If enacted, the new Consumer Privacy Protection Act will replace the privacy portions of the current Personal Information Protection and Electronic Documents Act (“PIPEDA”),... |
The dawn of Canadian Privacy Law 2.0: The Consumer Privacy Protection Act introducedThe long-awaited overhaul of federal private sector privacy law, as outlined in our previous blog post, is finally here. The Digital Charter Implementation Act was introduced for First Reading on November 17, 2020, as Bill C-11. If enacted, the new... |
M&A and cybersecurity – top nine ways to mitigate risk through due diligenceThe authors would like to acknowledge the contribution of Iain Paterson, Chief Executive Officer at Cycura, a global team of leading cybersecurity experts headquartered in Toronto, Ontario. While the COVID-19 pandemic[1] is by no means over, increasing M&A activity and... |
40% of data breach records insufficient – Canadian Privacy Commissioner releases findings on data breach register inspectionsAs the Canadian Office of the Privacy Commissioner (“OPC”) signaled it would do at the end of 2019, it completed a targeted investigation of data breach registers at a select number of organizations. The OPC released has now released a... |
Tragic death of patient in German cyberattack a reminder of vital importance of cybersecurity in healthcareOn September 10, 2020, a large university hospital in Dusseldorf, Germany, experienced a major cyberattack, apparently caused by a security vulnerability of an off-the-shelf software that allowed hackers to infiltrate the hospital’s systems. The hospital treats approximately 350,000 patients per... |
David Krebs comments in IT World Canada article on data breach class action lawsuitIT World Canada, “B.C. appeal court green-lights data breach class action lawsuit” The article discusses a recent decision from the British Columbia Court of Appeal that upholds a lower court decision certifying a data breach class action lawsuit against a trust company: The decision caught the eye of Saskatchewan privacy lawyer David Krebs of... |
British Columbia Court of Appeal upholds certification of data breach class actionFollowing in the footsteps of Jones v. Tsige from the Court of Appeal for Ontario in 2012, the recent British Columbia Court of Appeal decision in Tucci v. Peoples Trust Co. (2020 BCCA 246) appears to be solidifying the future... |
New privacy law could apply to all non-profits – Ontario government launches consultationsOn August 13, 2020, the Ontario Government (the “Government”) launched consultations on establishing provincial privacy legislation for the private sector. As one of the stated goals is to expand the scope and application of private sector privacy law to non-commercial organizations such... |
Ontario government launches consultations on establishing provincial privacy regime for private sectorOn August 13, 2020, the Ontario Government (the “Government”) launched consultations on establishing provincial privacy legislation for the private sector, likely including not-for-profits and charities. The collection, use, and disclosure of personal information is currently governed by federal legislation, the... |
Responding to cyber-attacks – lessons for Saskatchewan municipalities from recent data breachesPrivacy concerns are at the forefront of our increasingly digital world, with cybercrime such as ransomware, business email compromise and phishing attacks becoming a noticeable risk for organizations. It is essential for municipalities to understand their minimum responsibilities under Saskatchewan... |
European Data Protection Board (EDPB) releases FAQ on “Schrems II”: A primer for Canadian organizationsAs we have reported previously, on July 16, 2020, the Court of Justice of the European Union (“CJEU”) released its decision in the case of Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”), which ruled that... |
“Schrems II” decides validity of personal data transfer mechanisms – impact on Canadian organizationsOn July 16, 2020, the Court of Justice of the European Union (“CJEU”) released its long-awaited decision regarding the validity of existing personal data transfer mechanisms outside the EU under the General Data Protection Regulation (“GDPR”), the so-called “Schrems II”... |
Ransomware attack on cloud-services provider affects charities and not-for-profitsA company that supplies cloud fundraising and accounting software to the charity and not-for-profit sector announced yesterday that it experienced a ransomware attack in May 2020. Blackbaud is the company behind such programs as Raiser’s Edge NXT, eTapestry, and The... |
IIROC issues Notice regarding cybersecurity in cloud services and application programming interfacesOn June 24, 2020, the Investment Industry Regulatory Organization of Canada (“IIROC”) released an Education Notice to members (“Cybersecurity – Cloud Services and Application Programming Interfaces”) outlining key elements of cybersecurity strategies pertaining to adoption and implementation of cloud services... |
British Columbia Information and Privacy Commissioner calls for changes to Personal Information Protection ActAs we’ve reported in past blog posts, Canada’s privacy regulators have been vocal about the need for change to the privacy and data protection laws that apply to the private, public and health sectors in Canada. Most recently, the British... |
COVID-19 contact tracing debate highlights need for privacy law reform: Lessons for developers and usersWe have been following the COVID-19 crisis and its impact on privacy law over the course of the past few months. It has become apparent during that time that the requirements of the pandemic and the contact tracing debate highlight... |
Enforceability of e-signatures during COVID-19 pandemicWhile the COVID-19 pandemic is having an enormous impact on Canadian organizations, including those within the charitable and non-profit sector, they must continue to operate despite the “physical distancing” measures imposed by the government. This is especially true given that... |
Privacy Commissioners: Privacy laws not a barrier to effective COVID-19 response, emphasize compliance when using contact tracing appsThe COVID-19 pandemic has created an unprecedented challenge for federal and provincial governments and other public health organizations in Canada. To respond in a timely and effective manner, government organizations require greater access to, and an enhanced ability to use,... |
Privacy and cybersecurity during COVID-19 – Tips for Canadian organizationsWith the emergence of COVID-19 in Canada, organizations are faced with many additional concerns and considerations in their daily operations and strategic planning. Remote work has become the norm, and the health of employees, customers and suppliers is a key... |
Privacy and cybersecurity during COVID-19 – Tips for Canadian organizationsWith the emergence of COVID-19 in Canada, organizations are faced with many additional concerns and considerations in their daily operations and strategic planning. Remote work has become the norm, and the health of employees, customers and suppliers is a key... |
Canadian Privacy Commissioner Tables Annual Report, Calling for Human Rights-Based Overhaul of Privacy LawsOn December 10, 2019, Commissioner Therrien presented his office’s 2019 annual report to Parliament, which was later followed by a press release highlighting key aspects of and views expressed in this latest report. Unsurprisingly, the need for privacy law reform... |
David Krebs quoted in Canadian Bar Association National article on data protectionCBA National, "Scoping Europe's long reach on data protection" David Krebs comments on the European Union’s General Data Protection Regulation (GDPR). Facing the threat of massive fines, Canadian businesses with interests in Europe are undertaking efforts to comply with the complexities of the European Union’s General Data Protection Regulation... |
David Krebs interviewed about Creating a Secure Cyber EnvironmentRisky Business David Krebs is interviewed on 650 CKOM program “Risky Business” about Creating a Secure Cyber Environment. Read the transcript or listen to the full episode |
David Krebs, Alicia MacNeil, and Eric Charleston are featured as part of Financier’s 2019 Annual Privacy Law ReviewAnnual Privacy Law Review Data protection is one of the most important issues of our time. There is a burgeoning understanding, among the general public, across business and throughout the world, of the importance of data and the consequences of a breach. The financial... |
“Once More Unto the (Data) Breach”…Looking back at Twelve Months of Mandatory Breach NotificationsAs described in numerous previous articles over the course of 2019, the past year saw an unprecedented number of breach notifications in Canada. In Europe, under the scrutiny of the General Data Protection Regulations (“GDPR”), there were a whopping 89,200... |
Implementing Privacy by Design“Privacy by design” (“PbD”) is not a new concept but one that has been receiving increasing attention and legal clout in Canada, Europe, and around the world. Broadly speaking, it requires designing a system or process in a manner that... |
Cybersecurity Risks in Medical Devices – Health Canada Adopts Guidance DocumentCanadian Privacy Law Review (posted with permission from LexisNexis) Cybersecurity and data breaches are topics of high concern for Canadians. As discussed in previous blog articles, data breaches in Canada, North America and Europe have illustrated how financially motivated hackers and human error can put personal data at risk,... |
Practical Strategies for Responding to a Cyber-AttackThe author would like to thank the co-author of this article, Claudiu Popa[1], for his contributions and expertise in this area. Organizations across industry sectors are learning to recognize just what cyber-attacks look like, as Canadian companies are experiencing dozens... |
Moving Back the Goalposts – Federal Commissioner Confirms a Transborder Transfers of Personal Data Remain a “Use”Six months after it started, the consultation process on the proper treatment of transborder personal data transfers has now closed. On September 23, 2019, the Federal Privacy Commissioner (“OPC”) confirmed that transborder transfers of personal data will remain a “use” of... |
Receiving a Data Breach Notification – Commissioner’s Guidance for Individuals, Lessons for OrganizationsAs reported by numerous previous articles, Canada’s federal data breach notification laws have been in effect since Nov 1, 2018, and require all organizations subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) to report to the federal... |
Cybersecurity Risks in Medical Devices – Health Canada Adopts Guidance DocumentCybersecurity and data breaches are topics of high concern for Canadians. As discussed in previous blog articles, data breaches in Canada, North America and Europe have illustrated how financially motivated hackers and human error can put personal data at risk,... |
Data Breaches, GDPR Fines, and Transborder Transfers – the Challenges of Assessing Cybersecurity and Privacy RiskData breaches, steep fines under GDPR, and changing requirements for transborder data transfers are just a few of the headline-making issues in the first half of 2019. It has been anything but quiet for cybersecurity and privacy professionals or organizations... |
Impact of Recent GDPR Enforcement on Privacy Due Diligence in M&AIn our last blog article, we discussed the British data protection authority’s (“ICO”) announcement to impose large fines on British Airways and Marriott Hotels for separate large-scale data breaches affecting those businesses. In this article, we will turn our minds... |
GDPR Shows its Teeth – UK Pursuing Record Fines for Data Breaches, Emphasizes AccountabilityIf there was any question as to the willingness of EU data protection authorities to pursue significant monetary penalties for violations of the European General Data Protection Regulation (“GDPR”), this past week has surely put those uncertainties to rest. The... |
David Krebs co-presents in webinar entitled “So Your Not-For-Profit Has Been Hacked…Now What?”Miller Thomson and BDO present a webinar on what to do in the event that your not-for-profit organization is faced with a cyber-incident. This webinar includes: Indications you’ve been hacked – things to look for PIPEDA regulations and understanding your legal... |
Canada’s Digital Charter Triggers Reframing of Consultation on Transborder Personal Data TransfersIn April of this year, as discussed in our previous blog posts, the Office of the Privacy Commissioner of Canada (“OPC”) called for changes to the way Canadian privacy law treats transborder personal data transfers, and commenced a consultation process.... |
Managing the Many Faces of Cyber-Attacks: Lessons for the construction industryThink BIG Magazine, 45-47 Imagine your company is part of a large infrastructure project with a host of suppliers, customers, as well as government participation and considerable public media attention. Now imagine that one morning you were told by one of your staff that... |
David Krebs and Luanne Schlosser are quoted in The Hill Times article, “Privacy watchdog proposing rule change that could see firms revise data-use policies”The Hill Times, "Privacy watchdog proposing rule change that could see firms revise data-use policies" Companies could soon be rewriting their privacy policies to fit a change the privacy commissioner is contemplating that could mean getting a person’s explicit okay in all cases when their data is to be transferred across the border. Though the... |
GDPR Turns One, eh? Current Impact on Canadian Businesses and the Road AheadThe one-year anniversary of the European General Data Protection Regulation (”GDPR”) has nearly arrived, and there is much buzz about the impact, the level of compliance of European organizations and what lies ahead. This article will explore GDPR’s current impact... |
Canadian Transborder Data Transfers: OPC Releases Supplemental Discussion DocumentAs we discussed in a recent blog post on this important issue, the Office of the Privacy Commissioner of Canada (“OPC”) last month announced its intention to interpret the “transfer” of personal information as a “disclosure” rather than a “use”... |
Moving the Goalposts for Canadian Data: Federal Privacy Commissioner Changes Position on Cross-Border TransfersA high profile data breach involving a US company, Equifax Inc.[i], and its Canadian subsidiary, Equifax Canada Co., along with the coming into force of the European Data Protection Regulation (“GDPR”), appear to be the driving forces behind the Office... |
What Exemption? – Pitfalls and Stumbling Blocks in CASL and Privacy ComplianceThe Canadian Anti-Spam Law (“CASL”) has been with us now for five years and it has been over 15 years since the Personal Information Protection and Electronic Documents Act (“PIPEDA”) came into force. Then why is CASL and privacy compliance... |
Data Breach Reporting Obligations in SaskatchewanAs we have written about in previous articles, data breach notification is now mandatory in Canada for the private sector in all jurisdictions where this was not already the case (e.g Alberta under the Personal Information Protection Act). Data breach... |
One Incident, Potentially Multiple Breach Reporting Requirements – OSFI Introduces Cyber Breach Notification Guidelines for Financial InstitutionsOn January 20, 2019, the Office of the Superintendent of Financial Institutions of Canada (OSFI) issued an Advisory (also read: OSFI’s Guidance on cyber incident management framework) regarding the responsibilities of federally regulated financial institutions (FRFI), including banks, federal credit... |
Data Breach Response and Notification – One Size Doesn’t Fit AllDavid Krebs guest authors a blog for Legal Works and Privacy Works Sweden, on the topic of data breaches, mandatory breach reporting and the GDRP. Read Article |
Seasonal Gifts & Entertainment: Avoiding ethical, reputational and legal pitfallsThis time of year is when we typically reach out to our customers, suppliers and employees to show appreciation and celebrate the season and end of year. Businesses foster relationships and build trust by interacting with their network, an important part... |
OPC Releases Mandatory Breach Reporting GuidanceOn October 29, 2018, the federal Office of the Privacy Commissioner (“OPC”) published the final version of its guidelines in connection with mandatory reporting of breaches of security safeguards (the “Guidelines”), ahead of the coming into force of the Breach of Security Safeguards Regulations (the “Regulations”)... |
