David Krebs

Partner | Saskatoon

306.667.5632

(Available in English only)

OSFI updates cybersecurity breach notification requirements

The Office of the Superintendent of Financial Institutions (“OSFI”) released a new Advisory on Technology and Cyber Security Incident Reporting, effective August 13, 2021 (the “Advisory”) which seeks to govern how federally-regulated financial institutions (“FRFIs”) should disclose and report technology...

David Krebs quoted in National Magazine article on paying cyber ransoms

National Magazine, "The price of paying cyber ransoms"

Big game hunting. That’s what the cybersecurity industry calls targeting large enterprises that cannot tolerate sustained disruptions to their networks, and who are willing to pay large sums of money to see their operations quickly restored following a major...

Ransomware trickles down into your supply chain – Kaseya cyberattack highlights cybersecurity risks and business impact

Over the July long weekend, Canadian, American, and other international businesses were victims of a far-reaching ransomware attack. The REvil group, a ransomware syndicate also known as Sodin or Sodinokibi, are believed to be behind the attack. This gang’s most prominent...

Cyberattacks in your supply chain – Canada Post data breach highlights risks

Over the past twelve months, we have seen more and more clients experiencing a variety of cybersecurity incidents. Most prominently, these have been “business email compromise” incidents as well as malware deployments, such as ransomware attacks. The latter have received...

Canadian organizations take note – Data Protection Authority fines foreign-based business under GDPR for not having “Article 27” representative

As we have discussed in several previous articles, Canadian businesses and other organizations can be subject to the European General Data Protection Regulation (“GDPR”) for a number of reasons and in a number of different contexts, be it as a...

Ransomware – Privacy law, sanctions, and the pandemic

It is trite to say that no matter the sector, size, or location of an organization, cyberattacks can be devastating. As we have seen throughout 2020 and this year in Canada and elsewhere, data breaches and operational interruptions caused by...

“Made in Canada” – What is happening to Privacy by Design under the CPPA?

“Privacy by Design” has long been understood as the “gold standard” of data protection and at the core of how to sustain privacy rights in the digital age. It is a concept that can be said to have been “made...

Canadian privacy law 2.0: Artificial intelligence (AI) and Bill C-11, the Consumer Privacy Protection Act

In a recent announcement, the Canadian federal Privacy Commissioner of Canada (“OPC”) released a report containing recommendations on how AI should be treated under Canadian privacy law, and what protections need to be in place to ensure AI applications reach...

Privacy Law & Data Protection

The federal Digital Charter Implementation Act was introduced for First Reading on November 17, 2020 as Bill C-11. If enacted, the new Consumer Privacy Protection Act will replace the privacy portions of the current Personal Information Protection and Electronic Documents Act (“PIPEDA”),...

The dawn of Canadian Privacy Law 2.0: The Consumer Privacy Protection Act introduced

The long-awaited overhaul of federal private sector privacy law, as outlined in our previous blog post, is finally here. The Digital Charter Implementation Act was introduced for First Reading on November 17, 2020, as Bill C-11. If enacted, the new...

M&A and cybersecurity – top nine ways to mitigate risk through due diligence

The authors would like to acknowledge the contribution of Iain Paterson, Chief Executive Officer at Cycura, a global team of leading cybersecurity experts headquartered in Toronto, Ontario. While the COVID-19 pandemic[1] is by no means over, increasing M&A activity and...

40% of data breach records insufficient – Canadian Privacy Commissioner releases findings on data breach register inspections

As the Canadian Office of the Privacy Commissioner (“OPC”) signaled it would do at the end of 2019, it completed a targeted investigation of data breach registers at a select number of organizations. The OPC has now released a...

Tragic death of patient in German cyberattack a reminder of vital importance of cybersecurity in healthcare

On September 10, 2020, a large university hospital in Dusseldorf, Germany, experienced a major cyberattack, apparently caused by a security vulnerability of an off-the-shelf software that allowed hackers to infiltrate the hospital’s systems. The hospital treats approximately 350,000 patients per...

David Krebs comments in IT World Canada article on data breach class action lawsuit

IT World Canada, “B.C. appeal court green-lights data breach class action lawsuit”

The article discusses a recent decision from the British Columbia Court of Appeal that upholds a lower court decision certifying a data breach class action lawsuit against a trust company: The decision caught the eye of Saskatchewan privacy lawyer David Krebs of...

British Columbia Court of Appeal upholds certification of data breach class action 

Following in the footsteps of Jones v. Tsige from the Court of Appeal for Ontario in 2012, the recent British Columbia Court of Appeal decision in Tucci v. Peoples Trust Co. (2020 BCCA 246) appears to be solidifying the future...

New privacy law could apply to all non-profits – Ontario government launches consultations

On August 13, 2020, the Ontario Government (the “Government”) launched consultations on establishing provincial privacy legislation for the private sector. As one of the stated goals is to expand the scope and application of private sector privacy law to non-commercial organizations such...

Ontario government launches consultations on establishing provincial privacy regime for private sector

On August 13, 2020, the Ontario Government (the “Government”) launched consultations on establishing provincial privacy legislation for the private sector, likely including not-for-profits and charities. The collection, use, and disclosure of personal information is currently governed by federal legislation, the...

Responding to cyber-attacks – lessons for Saskatchewan municipalities from recent data breaches

Privacy concerns are at the forefront of our increasingly digital world, with cybercrime such as ransomware, business email compromise and phishing attacks becoming a noticeable risk for organizations. It is essential for municipalities to understand their minimum responsibilities under Saskatchewan...

European Data Protection Board (EDPB) releases FAQ on “Schrems II”: A primer for Canadian organizations

As we have reported previously, on July 16, 2020, the Court of Justice of the European Union (“CJEU”) released its decision in the case of Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”), which ruled that...

“Schrems II” decides validity of personal data transfer mechanisms – impact on Canadian organizations

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) released its long-awaited decision regarding the validity of existing personal data transfer mechanisms outside the EU under the General Data Protection Regulation (“GDPR”), the so-called “Schrems II”...

Ransomware attack on cloud-services provider affects charities and not-for-profits

A company that supplies cloud fundraising and accounting software to the charity and not-for-profit sector announced yesterday that it experienced a ransomware attack in May 2020.  Blackbaud is the company behind such programs as Raiser’s Edge NXT, eTapestry, and The...

IIROC issues Notice regarding cybersecurity in cloud services and application programming interfaces

On June 24, 2020, the Investment Industry Regulatory Organization of Canada (“IIROC”) released an Education Notice to members (“Cybersecurity – Cloud Services and Application Programming Interfaces”) outlining key elements of cybersecurity strategies pertaining to adoption and implementation of cloud services...

British Columbia Information and Privacy Commissioner calls for changes to Personal Information Protection Act

As we’ve reported in past blog posts, Canada’s privacy regulators have been vocal about the need for change to the privacy and data protection laws that apply to the private, public and health sectors in Canada. Most recently, the British...

COVID-19 contact tracing debate highlights need for privacy law reform: Lessons for developers and users

We have been following the COVID-19 crisis and its impact on privacy law over the course of the past few months. It has become apparent during that time that the requirements of the pandemic and the contact tracing debate highlight...

Enforceability of e-signatures during COVID-19 pandemic

While the COVID-19 pandemic is having an enormous impact on Canadian organizations, including those within the charitable and non-profit sector, they must continue to operate despite the “physical distancing” measures imposed by the government.  This is especially true given that...

Privacy Commissioners: Privacy laws not a barrier to effective COVID-19 response, emphasize compliance when using contact tracing apps

The COVID-19 pandemic has created an unprecedented challenge for federal and provincial governments and other public health organizations in Canada. To respond in a timely and effective manner, government organizations require greater access to, and an enhanced ability to use,...

Privacy and cybersecurity during COVID-19 – Tips for Canadian organizations

With the emergence of COVID-19 in Canada, organizations are faced with many additional concerns and considerations in their daily operations and strategic planning. Remote work has become the norm, and the health of employees, customers and suppliers is a key...

Canadian Privacy Commissioner Tables Annual Report, Calling for Human Rights-Based Overhaul of Privacy Laws

On December 10, 2019, Commissioner Therrien presented his office’s 2019 annual report to Parliament, which was later followed by a press release highlighting key aspects of and views expressed in this latest report. Unsurprisingly, the need for privacy law reform...

David Krebs quoted in Canadian Bar Association National article on data protection

CBA National, "Scoping Europe's long reach on data protection"

David Krebs comments on the European Union’s General Data Protection Regulation (GDPR). Facing the threat of massive fines, Canadian businesses with interests in Europe are undertaking efforts to comply with the complexities of the European Union’s General Data Protection Regulation...

David Krebs interviewed about Creating a Secure Cyber Environment

Risky Business

David Krebs is interviewed on 650 CKOM program “Risky Business” about Creating a Secure Cyber Environment. Read the transcript or listen to the full episode

David Krebs, Alicia MacNeil, and Eric Charleston are featured as part of Financier’s 2019 Annual Privacy Law Review

Annual Privacy Law Review

Data protection is one of the most important issues of our time. There is a burgeoning understanding, among the general public, across business and throughout the world, of the importance of data and the consequences of a breach. The financial...

“Once More Unto the (Data) Breach”…Looking back at Twelve Months of Mandatory Breach Notifications

As described in numerous previous articles over the course of 2019, the past year saw an unprecedented number of breach notifications in Canada. In Europe, under the scrutiny of the General Data Protection Regulations (“GDPR”), there were a whopping 89,200...

Implementing Privacy by Design

“Privacy by design” (“PbD”) is not a new concept but one that has been receiving increasing attention and legal clout in Canada, Europe, and around the world. Broadly speaking, it requires designing a system or process in a manner that...

Cybersecurity Risks in Medical Devices – Health Canada Adopts Guidance Document

Canadian Privacy Law Review (posted with permission from LexisNexis)

Cybersecurity and data breaches are topics of high concern for Canadians. As discussed in previous blog articles, data breaches in Canada, North America and Europe have illustrated how financially motivated hackers and human error can put personal data at risk,...

Practical Strategies for Responding to a Cyber-Attack

The author would like to thank the co-author of this article, Claudiu Popa[1], for his contributions and expertise in this area. Organizations across industry sectors are learning to recognize just what cyber-attacks look like, as Canadian companies are experiencing dozens...

Moving Back the Goalposts – Federal Commissioner Confirms a Transborder Transfers of Personal Data Remain a “Use”

Six months after it started, the consultation process on the proper treatment of transborder personal data transfers has now closed. On September 23, 2019, the Federal Privacy Commissioner (“OPC”) confirmed that transborder transfers of personal data will remain a “use” of...

Receiving a Data Breach Notification – Commissioner’s Guidance for Individuals, Lessons for Organizations

As reported by numerous previous articles, Canada’s federal data breach notification laws have been in effect since Nov 1, 2018, and require all organizations subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) to report to the federal...

Cybersecurity Risks in Medical Devices – Health Canada Adopts Guidance Document

Cybersecurity and data breaches are topics of high concern for Canadians. As discussed in previous blog articles, data breaches in Canada, North America and Europe have illustrated how financially motivated hackers and human error can put personal data at risk,...

Data Breaches, GDPR Fines, and Transborder Transfers – the Challenges of Assessing Cybersecurity and Privacy Risk

Data breaches, steep fines under GDPR, and changing requirements for transborder data transfers are just a few of the headline-making issues in the first half of 2019.  It has been anything but quiet for cybersecurity and privacy professionals or organizations...

Impact of Recent GDPR Enforcement on Privacy Due Diligence in M&A

In our last blog article, we discussed the British data protection authority’s (“ICO”) announcement to impose large fines on British Airways and Marriott Hotels for separate large-scale data breaches affecting those businesses. In this article, we will turn our minds...

GDPR Shows its Teeth – UK Pursuing Record Fines for Data Breaches, Emphasizes Accountability

If there was any question as to the willingness of EU data protection authorities to pursue significant monetary penalties for violations of the European General Data Protection Regulation (“GDPR”), this past week has surely put those uncertainties to rest. The...

David Krebs co-presents in webinar entitled “So Your Not-For-Profit Has Been Hacked…Now What?”

Miller Thomson and BDO present a webinar on what to do in the event that your not-for-profit organization is faced with a cyber-incident. This webinar includes: Indications you’ve been hacked – things to look for PIPEDA regulations and understanding your legal...

Canada’s Digital Charter Triggers Reframing of Consultation on Transborder Personal Data Transfers

In April of this year, as discussed in our previous blog posts, the Office of the Privacy Commissioner of Canada (“OPC”) called for changes to the way Canadian privacy law treats transborder personal data transfers, and commenced a consultation process....

Managing the Many Faces of Cyber-Attacks: Lessons for the construction industry

Think BIG Magazine, 45-47

Imagine your company is part of a large infrastructure project with a host of suppliers, customers, as well as government participation and considerable public media attention. Now imagine that one morning you were told by one of your staff that...

David Krebs and Luanne Schlosser are quoted in The Hill Times article, “Privacy watchdog proposing rule change that could see firms revise data-use policies”

The Hill Times, "Privacy watchdog proposing rule change that could see firms revise data-use policies"

Companies could soon be rewriting their privacy policies to fit a change the privacy commissioner is contemplating that could mean getting a person’s explicit okay in all cases when their data is to be transferred across the border. Though the...

GDPR Turns One, eh? Current Impact on Canadian Businesses and the Road Ahead

The one-year anniversary of the European General Data Protection Regulation (“GDPR”) has nearly arrived, and there is much buzz about the impact, the level of compliance of European organizations and what lies ahead. This article will explore GDPR’s current impact...

Canadian Transborder Data Transfers: OPC Releases Supplemental Discussion Document

As we discussed in a recent blog post on this important issue, the Office of the Privacy Commissioner of Canada (“OPC”) last month announced its intention to interpret the “transfer” of personal information as a “disclosure” rather than a “use”...

Moving the Goalposts for Canadian Data: Federal Privacy Commissioner Changes Position on Cross-Border Transfers

A high profile data breach involving a US company, Equifax Inc.[i], and its Canadian subsidiary, Equifax Canada Co., along with the coming into force of the European Data Protection Regulation (“GDPR”), appear to be the driving forces behind the Office...

What Exemption? – Pitfalls and Stumbling Blocks in CASL and Privacy Compliance

The Canadian Anti-Spam Law (“CASL”) has been with us now for five years and it has been over 15 years since the Personal Information Protection and Electronic Documents Act (“PIPEDA”) came into force. Then why is CASL and privacy compliance...

Data Breach Reporting Obligations in Saskatchewan

As we have written about in previous articles, data breach notification is now mandatory in Canada for the private sector in all jurisdictions where this was not already the case (e.g. Alberta under the Personal Information Protection Act). Data breach...

One Incident, Potentially Multiple Breach Reporting Requirements – OSFI Introduces Cyber Breach Notification Guidelines for Financial Institutions

On January 20, 2019, the Office of the Superintendent of Financial Institutions of Canada (OSFI) issued an Advisory (also read: OSFI’s Guidance on cyber incident management framework) regarding the responsibilities of federally regulated financial institutions (FRFI), including banks, federal credit...

Data Breach Response and Notification – One Size Doesn’t Fit All

David Krebs guest authors a blog for Legal Works and Privacy Works Sweden, on the topic of data breaches, mandatory breach reporting and the GDPR.

Seasonal Gifts & Entertainment: Avoiding ethical, reputational and legal pitfalls

This time of year is when we typically reach out to our customers, suppliers and employees to show appreciation and celebrate the season and end of year. Businesses foster relationships and build trust by interacting with their network, an important part...

OPC Releases Mandatory Breach Reporting Guidance

On October 29, 2018, the federal Office of the Privacy Commissioner (“OPC”) published the final version of its guidelines in connection with mandatory reporting of breaches of security safeguards (the “Guidelines”), ahead of the coming into force of the Breach of Security Safeguards Regulations (the “Regulations”)...
