Data Breaches, GDPR Fines, and Transborder Transfers – the Challenges of Assessing Cybersecurity and Privacy Risk

Data breaches, steep fines under GDPR, and changing requirements for transborder data transfers are just a few of the headline-making issues in the first half of 2019.  It has been anything but quiet for cybersecurity and privacy professionals or organizations grappling with these issues and how to assess risk these areas. There have been: two major recent data breaches in Canada, being the Desjardins and Capital One incidents; announcements of precedent-setting fines for breaches under GDPR; and a much-publicized seesaw surrounding the consultation process regarding the Canadian Privacy Commissioner’s (“OPC”) changing interpretation of transborder data transfers. All of these issues have arisen in the context of the government’s announcement that it is considering sweeping changes to Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and a sharp rise in cyber-attacks in Canada. Also, organizations with operations in the United States are preparing for the coming-into-force of the California Consumer Privacy Act (“CCPA”) in January 2020 and assessing how to fold it into the management of their existing privacy program.

Given this current landscape, properly assessing cybersecurity and privacy risk has never been more important (or perhaps more difficult) than now.

The Capital One and Desjardins Breaches

Just a few weeks ago, on July 19, Capital One made public a massive data breach that affected over six million Canadians and 100 million Americans. The incident occurred via a sophisticated attacker gaining access through a known vulnerability (the attacker has since been apprehended). The personal information at issue included social insurance numbers (“SINs”) of over one million Canadians, transaction history, credit scores and other identifiable information. The scale of this breach is, from a Canadian perspective, unprecedented and, according to Capital One, will cost the company approximately $100-$150M. Capital One is taking considerable steps in communicating about the breach and meeting public expectations as to how the risks can be mitigated. On July 31, the OPC announced that it will commence a formal investigation into the matter after receiving numerous complaints since the breach was made public.

The Capital One breach came just about four weeks after the previous jaw-dropping incident at the Desjardins Group, the third largest federation of credit unions in North America, which resulted in unauthorized access to the personal information of about 2.7 million Canadians in Ontario and Quebec. The incident also involved an attack by a single individual, an employee accessing information and passing it on to third parties for the purposes of committing fraud. Desjardins has not released any specifics regarding the cost to resolve the breach but given the number of affected individuals, the data at issue (SINs, transaction history) and the steps Desjardins is taking (including offering up to $50,000 of protection against identify theft), it will likely be very significant for the organization.

Both the OPC and the Quebec Privacy Commissioner will be investigating the incident and whether the group complied with PIPEDA and Quebec legislation. A class action lawsuit has also been filed against Desjardins in Quebec for failing to safeguard customer information.

Canadian Privacy Law Reform

The consultation process into how transborder personal data transfers should be viewed under PIPEDA closed on August 6, 2019. The OPC has not, as of the date of this article, commented on when to expect further feedback or updates on the submissions received and what it means going forward. One possible (speculative) scenario is that, given the cross-border aspect of the breach, the OPC will wait to further comment until the Capital One investigation has closed. Recall that the OPC’s position regarding a) the necessity of giving more powers of enforcement to his office and b) the re-interpretation of PIPEDA with respect to cross-border transfers were triggered and fueled by the investigations into Facebook and Equifax.

Lastly, but importantly, the federal government announced in May that it is considering (and preparing for) a significant overhaul of PIPEDA. Essentially, every aspect of the law is in play for reform, from applicability of the law, to enforcement, scope of individuals’ control and international data transfers. One central consideration is surely the desire to have PIPEDA remain “adequate” under GDPR, but there are others, such as changes in technology and applications of those technologies that were not contemplated when PIPEDA came into force over 15 years ago. As with the data transfer issue, the timelines associated with this process are unclear at this point.

GDPR Enforcement and CCPA Coming-into-force

As we wrote about in previous articles, the UK ICO took a strong position in pursuing large fines for two data breaches that occurred in 2018. In both the Marriot and British Airways cases, there was no egregious, uncooperative or devious behaviour to speak of, yet the fines were substantial. Given the quiet start to GDPR enforcement over its first twelve months, this sent a strong signal to other Data Protection Authorities (“DPAs”), as well as organizations subject to GDPR. We have yet to see significant enforcement of the GDPR with businesses that do not have operations in Europe (and are subject to GDPR under Art. 2(a) or 2(b)). Also, there a number of provisions of the GDPR that have not been fully tested or commented on by DPAs, some of which may affect Canadian organizations just the same as others subject to the GDPR.

As for the CCPA, it has been called the Californian version of the GDPR, passed in the shadow of its European cousin during 2018, and comes into effect January 1, 2020. It shares many of GDPR’s features but also differs in important ways.[1] How the law will be interpreted, applied and enforced will remain to be seen during the course of 2020, but it is certainly quite likely that many Canadian organizations doing business in California will need to consider how the CCPA may affect their processes and risk.

Summary

The Desjardins and Capital One data breaches, their current investigation by the regulators and ongoing consultations into Canadian privacy law reform are taking place with the backdrop of developments in Europe (for example, the hundreds of millions in GDPR fines at stake in the Marriot and British Airways data breaches) and elsewhere. Both GDPR and CCPA provide their respective supervisory authorities,[2] significantly more enforcement powers than those that currently exist under the Canadian federal and provincial regimes, which is not going unnoticed in current debates. This current landscape makes a compelling case for taking a closer look at the resulting potential consequences for overall data protection risk facing organizations. It also highlights the complexity of conducting a tailored assessment.

It has been whirlwind first half of 2019; we will keep monitoring these areas and hope for additional clarity and guidance over the next six to nine months.

[1] Some differences include scope of application, powers of the supervisory authority and process to collect and amount of potential fines

[2] European national “Data Protection Authorities” under GDPR, the Attorney General under CCPA.