CYBER SECURITY WEBINAR
Brent: Alright. Once again, good afternoon. Thank you all for joining us. There are a quite a number of you on line which is great to see. Thanks for making the time. Welcome to our talk on Cyber Security and Privacy Risks in a Remote Work Environment. Just want to do a little bit of housekeeping at the beginning. As you'll see at the bottom of your screen, I believe, there's a tab called Q&A. So if you have questions as we go through the session feel free to type them in there. You don't need to save them to the end. This box will save the questions and I think we're going to take questions at the end of our discussion and they'll be there waiting for us. If you do ask a question in the Q&A other participants will see your login name, I believe so. If there's a question you wouldn't be comfortable raising your hand and asking in a live seminar, probably it's best that you contact us offline. You can upload a question. If you see one that you'd really like to see answered, by clicking I believe it's a thumbs up. At the end we'll have a sense of sort of where people's priorities are for that. There's also some survey questions. You click the pull tab for those but I think they will be going up throughout the talk. Your answers to those will not be obvious to your fellow participants so you can go ahead and answer those without fear that people around you will know your answers and they will perhaps give you a bit of a self-diagnostic as to how your company is doing on some of these issues that we're talking about. This presentation is going to be recorded and it will be available on our website in a couple of days if you'd like to check it our or refer others to it. The program counts for one substantive credit towards the mandatory CPD requirement for the Law Society of Ontario, for those of you who are lawyers watching the broadcast. I'm here with our panel today. My name is Brent Arnold. I'm a partner in Gowling's advocacy department, specializing in commercial litigation and also cyber security. I'm a breach coach and I lead some of the firms cyber security and tech initiatives. My co-panelist is Christopher Oates. He's also from our Toronto office and works out of our advertising and product regulatory group, with a particular focus on matters related to privacy and electronic commerce. Also joining us is Cindy Kou who's a business lawyer and works, again, in our Toronto office on a broad range of corporate, commercial and regulatory matters, also with a focus on privacy and cyber security. So that's your panel. I'm going to take you through where we're hoping to go today. Oh. I have to start with the usual disclaimer. What you're hearing today is a high level summary. It's not legal advice and shouldn't be relied on as such. If you've got specific questions you should be talking to counsel.
Here's our very rough agenda. I'm going to talk about some cyber security risks that are sort of emergent, or heightened, in this time. Chris is going to talk about the privacy and regulatory issues associated with the remote work in this COVID environment. Cindy's going to tell you a bit about what you can do, on the front end, with your contracts to give you better protection with respect to privacy and data security. So that's the road map.
What are the risks that are now particular to, or at least heightened, by this remote work environment. Here's what we'll talk about. Existing risks that are now exacerbated by this remote work situation. The intensification of cyber attacks that we're seeing in this sort of new normal and risks caused by departure from internal controls, now that we're all rather hurriedly working remotely, and so is our staff.
The risks that we're facing out of remote work are in some ways very much the risks we were always seeing, but in the old days it was mostly your executives and your sales people, the people on the road you worried about with this. It's people leaving laptops in places where they shouldn't. It's people losing USB keys with client information, corporate information, on it. To some extent this risk is less now that everyone's stuck in their houses but you'll remember that period we had were some people were working from home but the restaurants were still open. If we see a phase in the next few weeks where there's a laxening of social gathering restrictions, but you still have people working from home, this risk is going to increase even more. Anytime you have a scenario where things are leaving the office, this is risk. One thing that I think it's safe to say has gotten worse with this situation is carelessness around communications. You've got people working from home, sometimes they've got roommates, they've got family members, other people around them, and they're taking cell and Zoom calls around these people. They've got client documents, either in paper form or on the computer sitting out where other people can see them, and there's use of video conference platforms without proper controls in place. They do have these controls to make sure that privacy and data security is optimal as possible. We're seeing risks to do with bring your own device environment because now, for a lot of people, that's exactly what we're facing. Some enterprises were set up to have all of their people working from home. Others, start ups, smaller companies, that sort of thing, or companies that were already working in a bring your own device environment, now have employees working from home with those devices. So, that creates the problems you would expect. You've got people working on devices that are operating out from under the umbrella of the enterprise security and you've got also problems around people choosing to use those devices over the devices that they've been given by the company. If using the device given by the company is in someway more cumbersome. You've got people emailing things from their work accounts to their home accounts. People using their home computers instead to do things because they don't like working through the VPN, especially if they are working from their home with slow internet. People find workarounds so there's a real danger that people will take that opportunity and the lack of supervision to work in a way that they wouldn't be allowed to work in the office. And these devices, of course, can be operating without any virus protection, without firewalls, without anything protecting logins, that sort of a thing. Again, a risk I think we're going to see more of as we see people going out more, but still not back in the office full time, is unsecure WiFi. Hopefully your employees at home have password protection on their WiFi. Hopefully they're not going in places now where there's a danger that they're working with unsecured WiFi, which is always a problem in restaurants and coffee shops and public libraries, all of this, and some of you probably heard about this, the description I've heard that I liked the most is "WiFi Pineapples" because they kind of look pineapples. People going into places that don't actually have WiFi, setting up an account that looks like it belongs to the coffee shop or restaurant or whatever that the person's sitting in, and they're using that, it's essentially a WiFi hub that people sign into, unsecured, and they're harvesting their data. Again, a concern we're going to see more of as we see people either being allowed to go out in public, we're starting to bend the rules around the social distancing as they start to chafe at the restrictions as this situation drags on. We're also seeing in this time, and I know that you'll have heard about this because it's everywhere, a real intensification in cyber text. We've seen dramatic increase in the quantity of the text, the sheer volume and the ingenuity of the people taking advantage of the situation. We're seeing hackers exploit, essentially employee panic over COVID-19, everyone's looking for information. Everyone's watching their social media accounts and watching the news, minute by minute to see what's going to happen. And their seeking information when they feel like they're not getting enough information from official sources fast enough and there's the real danger. You've got also the problem with the lack of sophistication of some of the people working from home. Typically your executives are used to it, again, your sales force are used to it, but a big company suddenly now has administrative assistants, other clerical and staff people working from home who never had that option before, and possible haven't been trained for it. Certainly maybe haven't developed certain habits and discipline around it. You'll also deal with, perhaps, the like of enterprise controls around people working from home, if you're in an environment that wasn't remote at all before and you're not set up for this. There's the real danger there that you've got people working, for the first time, in an environment that's largely unsupervised and unprotected.
Just to give you a sense of the scope, and there are stats all over the place, but these were some of the ones that jumped out at me. The cyber security provider, Kaspersky, reported a spike in South Africa in daily attacks; from 30,000 to 310,000 on March 18th. So, a massive increase. 71% of security professionals are reporting an increase in security threats, or attacks, since the beginning of the outbreak. Interesting to me, here, the story of end of 2018 through 2019 was all about ransomware. Ransomware was the most descended, most prominent risk. What we're seeing now is the different sort of weighing of those things. We're seeing a lot more phishing attacks. Again, taking advantage people that are looking for information. They're clicking on links. They're clicking on emails. From there you have the development and increase in attacks from sites promising information about the pandemic. Then ransomware, actually down towards the low end of that, but still an increase of 19%. The sheer magnitude of these things is increasing. What are the kinds of attacks we're seeing? Again, the most notorious one that we've seen recently, fake COVID-19 info maps that people click on to sort of figure out where is the virus spreading, how fast, what are the hotspots kind of a thing, that are actually downloading malware onto the devices. We're seeing a spike in phishing emails as well. Often coming from what appear legitimate and authoritative sources. The kind of email where you want to be getting information from. The people posing as World Health Organization, posing as the Center for Disease Control, promising information on COVID but what they're actually doing is installing malware, and in some cases, ransomware. We're also, and this is one of the interesting ones particularly for those of you who've transferred from phone call and in person meeting to video conference. We're starting to see fake conference invites. Think about how many Zoom invitations or other sites, services, you get in the course of a day that are actually fake. They're very real looking but they're malicious and they install malware. Lastly, and this is not your employees fault if they fall for this, this is more an enterprise risk, we're seeing the exploitation of loopholes, vulnerabilities, gaps in virtual private networks. Especially in situations where companies have had to mobilize VPN's, who don't usually use them, get something off the shelf and get it out into running in people's homes in a hurry. So we are seeing enterprise level attacks on VPN's and other remote working software.
Finally, and this is one that I think people aren't talking enough. One of the risks you have is your internal controls, control over transactions, authorizations for things, if you're usual method is somebody walks over to somebody's desk and gets a web signature, sees the person face to face, or they make a phone call when they get an email instruction. They call the person at their desk, they can see on the display that they're talking to someone at the phone in the office that's supposed to be the person they're getting authorization from, and that's your method, and these are typical methods of authenticating instruction. None of that's possible now. People are calling each other on cell phones and you can imagine, easily, a scenario where somebody who gets phished, hacker gets control of someone's email account, sends an email in their name so the email address that's it coming from would be the correct address, and the instruction looks like an instruction that would be typical coming from that person, and the method of authentication is call the person. Well, maybe I don't have that person's cell phone number and I'm nervous to ask my boss what their cell phone number is. Or maybe the email says, "Call me at this number." and it's not the correct person's cell phone, it's the hacker's cell phone. And they say, "Yes, of course, go ahead with the transaction." So you can see easily situations where the controls that people have in place, to make sure that malicious hackers don't scam a company, start to fall apart because they weren't designed for this remote work environment.
I'm going to turn it over now to Christopher Oates, but I just was wondering whether or not at this point, if anyone has any questions for the things we've covered so far let me know. Otherwise I think I'm going to, actually, I see I have one question. I think I'm going to do what I said at the beginning, and I'm going to hold the questions until the end, but keep them coming and I'm going to turn this over to Christopher Oates.
Chris: Thanks Brent. I'm happy to be speaking to you all today. Brent, in his discussion, discussed a number of increased risks and spikes in attack, like we've been all seeing in our new working from home situation. I'm going to speak briefly as to what the breach reporting obligations are if you've actually suffered a breach. One of the repeated themes for me today is going to be the privacy laws still apply and they apply in the same manner as they would have prior to the COVID pandemic. Though there may be sort of circumstantial considerations that applies to certain exceptions of them. But from a breach reporting perspective, the first two bullets on the slide detect if we've suffered a breach, is sort of a threshold matter to responding to it in a number of very prominent breaches that have occurred. The organization was compromised and it's information was accessed for an extended period of time before it was even aware of it. The second, likewise, applies broadly to any organization that suffered a breach and that's contain it. Despite the fact that the horses may have left the barn you still need to shut the door and respond to it in that manner. Now by the time we get to the third bullet, if things begin to differentiate depending on who your organization is, what data's been impacted and what do all client's do? So most of these slides are focused on the Federal privacy law, the private sector privacy law, that is the Personal Information Protection Electronic Documents Act, or PIPEDA. However, other laws, for example the Province of Alberta, has private sector privacy laws which includes mandatory breach reporting. The Commissioner in Quebec, who issued voluntary guidance on it, and separate laws may have separate requirements as well. So, for example, many health information laws for the health sector have breach reporting.
The first question is who are you and what law applies to you and what are the obligations under that law and those may differ from ones on the next few slides. In evaluating what's happened it's essential to consider what information was affected. Was the information in fact personal information from a privacy perspective? If it was corporate information there are obviously very serious implications to that but that's less of a privacy law question and more of corporate governance and risk matter. If personal information what was the cause and extent of the breach? How many people were affected? Where are those people? Again, which speaks to the law that applies to it. And what was the circumstances of the breach? Was this a USB left in a taxi or was this a malicious scenario where you've suffered theft or loss of data.
Lastly, with answers to those three questions, what is the risk harm that any identifiable individuals may be exposed to? Once ... you'll be able to assess your reporting obligations. As many of the laws we've referred to will include mandatory data breach reporting. For example, to the regulator or to the affected individuals.
Lastly, and this will be important for all organizations is develop a plan to prevent further breaches. We'll touch a few times on the concept that the law continues to apply but it does entail consideration of the current circumstances. If you suffered breach that's a circumstance that will cause you to assess your preparedness in your responses. Plug the hole to speak so that similar scenarios don't occur again. We move to the next slide now. We'll discuss what actually triggers the reporting obligations under the Federal law.
The answer from PIPEDA is, it's a harm test. The statute requires organizations to consider whether or not the breach they suffered in the context represents a real risk of significant harm to an individual. But that's a contextual analysis that looks at what information has been affected. So is it non-sensitive information or is it sensitive information? For example, financial information, health information. What was the context of the breach? We aim to a probability whether or not the information will, or will not, be misused. The phrasing in the statute is significant harm and there's sort of a laundry list of harms in the statute that obviously fall within it. I mean, if we're talking financial damage or bodily harm, clearly that's triggering the threshold. But one of the learnings we've had, particularly stemming from the case law in Alberta where there's a similar requirement this tends to be interpreted by the regulators as heavily low bar. I don't think organizations should be looking at a data breach scenario and determining that the harm is insignificant and there have been many cases. Another thing I've noticed, this is an area that may differ depending on what sector you're in and what law applies. This is Federal private sector law, for example, health laws have different tests. One of the ones of interest is the Ontario Personal Health Information Protection Act ("PIPA") which includes, among the various categories of reportable breaches, a pattern similar breach is occurring. Which may not individually be reportable to the ... sides but if there is a pattern of data breaches that becomes reportable. That concept is important from a risk management perspective under state Federal law as well. Simply because if you're experiencing a pattern of low level breaches it may indicate suspect issues which need to be addressed before you have a major one.
The next slide speaks to who your obligated to notify under the Federal law if you've crossed the significant harm threshold. The answer is it's tripartite. There's an obligation to give notice to the affected individuals, the Federal Privacy Commissioner and, lastly, any other organizations or government institutions that may be able to reduce this harm. That's a contextual consideration. The notice to the individuals and the Commissioner are subject to prescribed disclosure requirements and regulations under the Act. It's important to consider those when preparing a breach notification. Notification to other organizations and institutions would be fact specific. So for example, If you've been a victim of theft or crime, perhaps the RCMP are appropriate or the relevant police force. If financial information has been compromised, perhaps the credit reporting bureaus if the affected financial institutions, that's ...
Lastly, on this point, there is an obligation under the Federal law to retain records of all breaches you suffer. Even in cases where you determine that they don't meet the real risk of significant harm threshold. Those records should contain, again, prescribed information which includes largely the nature and circumstances of the breach. Essentially it's a ... Commissioner oversight to make to sure you are reporting correctly. But from an internal government's perspective they'll also you to detect patterns of breaches. If there are ongoing breaches that are occurring, the record retention obligation will assist you with detecting those. With that I'm going to turn it back over to Brent for some recommendations on hopefully preventing this sort of thing from occurring.
Brent: Thanks, Chris. Some of this is common sense and some of this is going to be, for maybe less sophisticated companies, an exercise in remedial catch up. First of all, make sure that employees are aware of, and following, following is key, corporate policies around device use and data security. It's too often the case that we see companies, for compliance purposes, policies on the books and the employees are simply not aware of them. New employees start and it's not part of their training. All this is a problem. If you don't have policies in place around this now's a really good time to start getting those implemented. Also your incident response plan is key. If you don't have one you should be getting one and that's something that we can help you with. In a situation like this, were you're dealing with heightened risk, it's absolutely crucial and I would say that companies that find themselves caught up short in this crisis, are the victim of a incident and don't have a plan in place, after the number of months we've had were the guidance has been out there telling people that it's something that they need to do, I think they're going to be judged more harshly then they might have been otherwise. Because this is exactly the sort of scenario that people have been warning about for years. Make sure, and this is key, and this will be in a lot of circumstances an unanticipated problem, even for companies that have an incident response plan in place, make sure it's something that can actually be implemented, remotely. Because for those of you were everyone is working remotely, often an incident response plan, the first thing is a phone call gets made to a breach coach or insurer, and everyone gets gathered into a war room and you set up computer terminals and everyone's ready to work together collaboratively. That's obviously a much greater challenge where your systems have been hacked and now you have to use those systems to coordinate a response to an incident. If you're incident response plan doesn't contemplate the contingency of everyone having to work remotely to address the breach, now's a good time to have that relooked at.
You should be reminding your employees at this point, especially the ones who aren't used to working at home and they're perhaps experiencing some early frustration with the systems that are being made available in the remote work environment, remind them of their cyber risk and date protection training. There also scared and this is exactly the sort of environment where they're more likely to be clicking on things they shouldn't. Because they're trying to figure out what's going on, they're worried about their loved ones, their finances and so on. If your employees haven't gotten these hard training around cyber risk and data protection, again, this is something you out to be looking at and if you're experiencing down time, maybe now's the time to be looking into getting that training. Monitor your transactions closely. We talked a few minutes ago about the dangers when your internal controls aren't geared to this sort of remote environment. So keep a really close eye on any transactions, and if you've got work arounds in place to deal with the contingency of not being able to get wet signatures and face to face approvals of things, make sure that those are still done in a way where you can get proper authentication. I would suggest, just as a very simple example, you're better off face timing or Zooming or some other way, reaching out to a superior, who you can see, to have them say, "Yes. That's alright. Go ahead." as opposed to a phone call to a number you don't know sent to you by an email that you think is legitimate but can't really be certain. So make sure that your remote work arounds are capable of making sure that you're still confident that the authentication is real. With this I'm going to turn it back to Chris.
Chris: Okay, thanks, Brent. We move to the next slide we'll just give a brief overview of some of the privacy law. Continued applications.
So we won't dwell on this slide because it's content should be pretty obvious based on the discussions so far and based on the fact that we have a relatively sophisticated audience. This one may be more useful for say employees who are working from home for the first time and that sort of thing. Yes, privacy law still applies. Yes, the anti-spam also continues to apply and no, there are not COVID-19 specific exceptions, but relax their requirements. There are exceptions built into the law on that, speak to data sharing, that may be appropriate based on a examination of the circumstances and which we find ourselves. But those are contextual and aren't matters that can be ... I think for employees who are working from home for the first time, the message is that while it may feel like it, based on these unusual and scary situations. Were not in the Wild West from a regulatory perspective nor are we kind of post-apocalypse. The law continues to apply and it will be important that all of your staff understand that just so you continue to be able to meet your own obligations as an organization. Because you remain accountable for the information you possess.
Now, as I said, the application of the law is somewhat fact specific depending on what provisions you're looking at and what information you're collecting and what you're doing with it. But, from the perspective of PIPEDA, the Federal part of sector law, the core obligation remains that consent is required to collect user disclosed information. The standards of that ... security haven't relaxed. Adequate security is something that was discussed in Brent's discussion on data breach or cyber risk prevention. That's all relevant from a privacy law perspective, insofar as it speaks to me, in your obligations to provide adequate security. Now what are some of the heightened risks we may see in our current situation? What have we seen people asking us about? In many cases there may be data access questions, or data collection questions which come up in the normal course and continue to come up. But in the current sort of COVID pandemic scenario we've seen cases where business partners are requesting employee health information, for example, if they have people visiting on site and if you're providing that, it's a disclosure of personal information. Likewise we have organizations that are looking at perhaps collecting more information. So, employee or visitor screening if you have people coming onto your premises. If you're an essential business that is still open and you may be asking yourself, "Well, what is the appropriate level for that?" and the answer is it's somewhat dependent on the circumstances and information being collected. There are broad concepts of reasonability and appropriateness and those are circumstance specific. It would depend on who the organization is and what data is being collected and what thought is being given to other provisions in the law. For example, data minimization, security and limiting data retention. So all those play into the appropriateness of collection and also your overall circumstances as an organization. If you're a frontline health care provider, the law that applies is going to be different, then the primary ones discussed in this deck which is the private sector privacy law. But the circumstances make it much more pressing to ... that information that it would be if all of us working remotely from home and not exposing other people to what we've been exposed to.
Another key concern is a relaxed or weakened security. Brent discussed some of the security related issues with everybody transitioning for working from home and using, perhaps, personal devices for the first time. Another scenario that may arise from that is the inadvertent use of service providers. For example, if employees are finding work arounds and sending information to their personal devices, or programs or applications they may be used to using in a personal capacity but not professional capacity, the perhaps we're getting into scenarios where you're now having your data processed by a third party processor, where you haven't appropriately vetted their terms of service, or the security they're able to provide you. As an organization with control of data, the Federal law has obligations that you use contractual means to ensure the data remains protected when you transfer it to processing. What those contractual means can look like and some considerations in negotiating contracts are something that will be looked at by Cindy, our third speaker.
Lastly, another one I've seen is we've all received and perhaps sent a flurry of COVID-19 related emails, perhaps from companies we haven't dealt with in many years, and one question I would have is are we sending commercial messages under the cover of sending a COVID related information. I think the advice there is to ask yourself what the purpose of the message you're sending is. Is it a true health notice or are we essentially saying, "Yes. We're working remotely. Our physical office is shut down but here's how you can still do business with us." If it's getting into the latter territory, that's a commercial message which is subject to the anti-spam law and it's standard requirements. Again, that law doesn't have specific exceptions allowing you to essentially advertise or send commercial communications, under the cover of a pandemic.
There's a few key compliance tips up on the next slide. Largely, these are sort of standard privacy type of considerations. As I've said several times, the law continues to apply and doesn't have broad exceptions based on we're in a pandemic. Collection, use and disclosure under the Federal private sector law requires consent and there are standards and guidance issued by the Commissioner indicating what that consent needs to look like. Broadly, it's focused on person who's providing consent, rather than what you may understand as a sophisticated business person or lawyer. What does the individual who's targeted by our actions thinks is happening and do they understand the nature, purpose and consequences of what they're referring to. Broadly, the Federal guidance is that looks at four key considerations. What information has been collected? What's the purpose for that collection and who are you sharing it with, if you're sharing it with anybody? Is there any potential risk of harm to the individual as a result. With respect to purposes, it's generally not possible under the Federal law to get consent for undisclosed or unduly broad purposes. Consent means to be informed and understandable and if you don't understand what people are agreeing to based on your consent plan and policies, certainly know no individual will understand it. I always raise the red flag when discussing privacy language with lawyers or sophisticated business people or marketers and we're trying to parse a phrase based on common position or it's overall level of comprehensibility and if you're sophisticated in market and having trouble understanding the language being proposed, at that point it's probably not meaningful for the average reader and you can probably just start over.
Lastly, I had mentioned this a little bit earlier but there's important principals of data minimization and limited protection. So generally it's appropriate to collect only that data you need for the purposes of which you're collecting it and to retain it for only as long as needed for those purposes, subject to legal or other obligations.
Now on the next slide we'll look at some of the guidance from the Federal Commissioner. The Federal Privacy Commissioner has issued guidance on some of the cases where, a number of things I just don't apply, so cases where personal information may be collected without consent. Similar guidance has been issued by a number of the Provincial Commissioners but here we're primarily looking at Quebec with this slide and the following slides. Broadly, probably the most important line, if we flip back, the most important line in the guidance is that the Privacy Commissioner which continues to apply. So there isn't, as I say, sort of a holiday from legal compliance. The corollary of the fact that the law still applies and the fact that the Commissioners are issuing guidance in the recent days. The various information and privacy Commissioners in the Federal office of the Privacy Commissioner of Canada continue to operate despite the current circumstances. So they haven't closed up shop entirely though they are working remotely in subject to increased pressures and perhaps delays, as a result of the circumstances. The Federal Commissioner indicated there may be a delay in their response for organizations that are reaching out that to them or ongoing appeals, for example, for access of information. That sort of thing. They haven't indicated ... guidance that they're going to be extending timelines or anything like that for organizations who are receiving access to information requests or that sort of thing. The guidance has differed depending on which law your subject to and which Commissioner you're dealing with. For example, the Ontario Commissioner has likewise indicated that it may have delayed response times itself. And has also indicated that in applying whether or not (a) an institution has essentially refused to disclose information subject to access requests being refused. One of the circumstances they consider is the current circumstances that we're faced with. From a Federal perspective, right now, there's generally a 30 day timeline for responding for individuals asking to access their information. However, there is an ability to extend that by 30 days if responding within initial timeline poses an unreasonable interference on the operation of the organization. Now generally that's quite a high test, however, depending on your circumstances it may be one where if your entire workforce is working remotely and the documents you are asked to access are physical and inaccessible for the time being. It may be one where the context bears on that consideration. In that context there is an ability to extend the timeline by a further 30 days but there is an obligation to provide notice on doing so. The ordinary statutory regulations that would apply will continue to apply.
Another takeaway from the guidance is that the exceptions where information can be collected, used or disclosed without consent are limited. So there aren't open ended exceptions ... we have sort of a holiday on compliance because we're in a pandemic. The law is prescriptive in when information can be disclosed without consent. It is a contextual analysis as to whether or not a particular set of facts allows you to benefit from it. Another point is that there's a broad concept of reasonability in PIPEDA. There's an overarching concept that organizations can only collect, use and disclose information where a reasonable person would consider it appropriate in the circumstances. That continues to apply whether or not you're collecting based on consent or your trying to benefit from an exception for the need for consent. Broadly, you should consider is the information you are processing necessary to meet the needs, the ends you're trying to achieve by that process, including a disclosure. It is likely to meet the need? Is the loss of privacy proportionate to the benefits received? Is there a lesser basic means to achieve the same end? This ties back to the data minimization principal we had discussed earlier where organizations should only be collecting the information they actually need.
The next slide we'll look at some of the specific exceptions. Again, I note that these are those set out in PIPEDA and the guidance provided is that of a Federal Commissioner rather than the Provincial Commissioner. So it will be important to consider what block applies to you rather than trying to rely on exceptions under PIPEDA if you're actually subject to PIPA or the law in BC or another privacy law. You need to look at the statute that's applicable in the context. Another thing I note is these exceptions are long standing provisions in PIPEDA. They're not new in our current situation but, of course, the current circumstances are ones which would bear consideration in applying the exceptions. I note that the guidance does tend to provide very clear cases of where it would be likely that these would apply. Don't, by any means, take these as exceptions to cursorily apply or disclose information without consent. As I say, consent is the standard. The exceptions are limited and specific. An organization is needed to stand ready to demonstrate that they're actually falling within those if they are relying on them. The first is collection in the interest of the individual where consent can't be obtained in a timely manner. This perhaps illustrates that these are limited. The examples given by the Commissioner is a case where somebody is critically ill and that would probably be a case where it would be reasonably obvious to most organizations that that would be appropriate and I suspect on the frontline. If one of your colleagues was critically ill or passed out or something like that, there are often safe emergency contacts for that sort of thing which can be reached out to and perhaps result in a collection of information about that individual which is then disclosed to a health care provider. That is a collection use of personal information in a commercial context of a corporation but maybe falling within this exception and is probably not something that your staff would think twice about if things are set up appropriately.
The next is legally required disclosures. These would be cases where a government, or law enforcement organization, has a lawful authority to require you to disclose information and the information is for the purposes of enforcing the law of Canada, or for a Province, for that matter. A pre-pandemic scenario would have been police either kicking down the door in extenuating circumstances or serving with you a warrant and collecting information. There is what I've always termed safety valves in the privacy law for organizations subject to those kind of obligations. Now, in our current context, an example may be a public health authority requiring disclosure for contact tracing or something like that. If we get to a scenario where those authorities are demanding information and have the legal authority for it. That may be something which happens down the road and there are provisions in the privacy law which would account for that.
There are two more on the next slide. This is by no means a full breach. The first of these is perhaps the counterpart of legally required disclosure. The previous one would be a compelled disclosure where you are under a legal obligation to disclose information to the authorities. This is the counterpart where you believe the information is relevant to law enforcement and are choosing to disclose it to the authorities on your discretion. Historically still, today may be cases where you believe there's been a breach of law and you're going to the authorities. Conversely, maybe if there's breaches of quarantine orders, or that sort of thing, and you're going to the authorities to disclose information about that. Again, these are all things that would be looked at in the context but there are exceptions in the law that contemplate these.
Lastly, where use of disclosure is required to respond to an emergency that threatens life, security or health of an individual. This is very similar to the first one where you're unable to obtain consent in a timely manner in an emergency situation. It is, however, one that illustrates some of the differences between the various privacy laws and the importance of determining what law you're subject to when seeking to apply a law. So many of the privacy laws, where disclosing information in an emergency scenario require notice to the affected person. The person's information that your disclosing, in other words, that's not uniform, however, so it's important to check what exception your applying to and what their requirements apply. There's also some regional variation. An interesting one is, the slide looks at PIPEDA and PIPEDA isn't clear on who is threatened by the emergency situation, where you're disclosing information. For example, if I was to issue some sort of credible threat to physically harm somebody, and Brent was to report that, that may well be within the scope of PIPEDA. The Quebec law, on the other hand, looks at disclosure of information where the threat is to the individual who's information is disclosed rather than more broadly. It's somewhat narrower. There may be other provisions in the law which define the context but it is an important nuance in looking at these disclosures. So, again, it's important to consider what law applies to you.
Lastly, before I turn it over to, I believe Cindy will be next, organizations need to be cautious of relying on the consent exceptions and I think we've made that relatively clear over the previous discussions. It's going to be important to be able to demonstrate you're complying and in doing so it's important to keep records of what you're doing. That would include things like what information are you disposing? Who is the recipient? What is the context? What is the specific legal basis you're relying on for disclosing that information? What basis are you relying on those exceptions. For example, have you received medical guidance that indicates collection of information without consent is necessary in the context? Have you documented a request from a government institution and has it demonstrated it's lawful authority to grant you information? If so, what was that? Really in a corporate compliance and record keeping policy. With that I'm going to turn it over to my colleague to discuss some of the considerations in contracts.
We want to be very clear on, and every contract that you enter into, what information and data is moving between the parties. I'll just stop for a minute to talk about the distinctions between IP and confidential information and personal information. Every once in a while we'll see agreements that conflate all of these and I can understand why because it's all about sharing of information. But depending on what's actually important in your use case it will be important to specify out each of the different layers. You can see IP as sharing of information that's specifically protected by Canadian Intellectual Property Rights like copyright or patent or trademarks. You can see personal information is being a very specific set of information that includes any factual or subjective information, whether or not it's recorded, about an identifiable individual. Both of those are kind under, you can see them as under the tent, the same tent as confidential information because you might want to keep all of that private. Just a reminder that what personal information is and it can be something really obvious like somebody's age or somebody's name. Or it can be the combination of different pieces of information that would allow you to identify an individual. For example, if you had my name, Cindy, and my postal code, maybe I live somewhere super densely populated and there's a lot of Cindy's living in the same postal code. But if I live somewhere very not densely populated and there is only one address on that postal code then just knowing my first name would be enough to consider that personal information. Just as a reminder, in your confidential information provisions you want to make sure that any personal information always stays personal information, even if there are certain exceptions that allow for information to not be considered confidential information any more. Next slide, please.
How do you figure out what data is being collected or used or disclosed. This is a super long list. I'll pick a few of my favourite ones. The one that I go to all the time is the first one. Whenever I start a new contract I ask what is the flow of information. It seems very simple and usually the answer that I get is, "Oh! Well, we give this and we do this and then the app or software spits out back and that's what the app does." But that doesn't actually tell us very much about who is sharing what information and where the information comes from. If you're going through this exercise it's very helpful, I find, to draw a picture, you can call it the life cycle of a piece of information for the contract. Who gets it? Where are the consents? How do they pass it off to somebody else? What does that person do to manipulate it? And then how does it get sent back or shared with the original party or some third party? If you can sketch out the life cycle of that piece of information as it flows through your contract then you're in really good shape for a bunch of these other considerations.
Another important consideration for your contracts is what obligations will apply in the event of a breach. The items on this list are generally very common considerations for parties who have their data being processed by somebody else. A lot of the agreements that we see, it's one party giving data to somebody else, and that somebody else will manipulate it or process it or control it for them. But some cases you might need to have these be neutral obligations. Usually we will see an obligation to immediately respond to the breach and to notify you, as the giver of information, of the breach. There may also be insurance obligations including an amount specifically setting out cyber security risk for a specific amount. There's often an indemnification and a defense obligation. If somebody else has a breach that causes you to suffer damage due to data loss or privacy loss or breaches under your other contracts, than that's often an obligation that you want to see your service provider provide. Then mitigation root cause analysis and resolution. These are often considerations we have when we want the other side to quickly try to fix the problem, do a deep dive investigation to figure out what caused the breach and make sure that they've taken all the steps necessary to prevent that source of breach from happening again. Last slide, please.
Alright. So, you may all say, "Cindy, that's nice but if I already entered into the contract the barn doors already open." What you can do though is you can still pull copies of your contracts and you might want to consider openly allowing your employees and your contractors and your subcontractors, all your personnel to proactively disclose what contracts they might have entered into through downloading or on their personal devices or through use and so then you can really understand what universal contracts you're looking at. Then you've got to review your contract terms. Can you live with the terms? Are there some that you might have to try to amend or terminate? Otherwise can you figure out where your risk is and then only use a specific technology for a very low risk use and instruct your personnel to do so? So that you can still continue to have the benefits of the technology but maybe not for your super sensitive information.
Considering all that you might want to think about what policies like bring your own device policy or your remote work policies, that might need to be updated, and maybe some controls about who can download or click through or accept or otherwise bind your organization to contracts. Alright.
Brent: Thanks a lot, Cindy. Thank you, Chris. We're coming up close to the end and I think we're going to cherry pick a couple of questions that we think we can answer in a short term. Before we do that, because you all went to all the trouble of answering the poll questions, I would like to scroll through the poll questions just so you can see where you are vis a vis your fellow guests and I can tell you we have people here from a range of very sophisticated and big companies. So that's the cohort that you're in. If I can ask our invisible moderator to bring up those poll answers. Let's take a look. Alright. Just give me one second folks.
Well, it looks like we may not have that available, unfortunately, but if anyone's curious they can always reach out to us and I'm happy to tell you where things ended up. In the meantime, maybe we'll take a minute and go to the Q&A and grab some of the questions that we think we can answer quickly for you.
Chris: I'll take the mic for a few of the questions. As we said, we're running a little bit short of time but if anybody would like to reach out by email we'll be happy to pick some of these up offline. The first one is, some of these are fact specific, so we'll discuss them a little bit in general terms. But regarding frontline services your question for employee information, screening, temperature, for example, and whether this is a violation of the employee's privacy and if you need to take added precautions, because we have that personal information. There's a fair bit to unpack here but perhaps we'll just back it up from the end of the question to the beginning. So if you need to take added precautions, I think that's probably a yes. Generally you need the obligations under the privacy laws, are keyed on the sensitivity of the information you have. Health information is more sensitive than non-health information. If you've expanded your collection then I think increased precautions would be appropriate. Now I referenced PIPEDA in that sentence, but of course this gets us into where they law is more complicated because depending on the nature of the organization that may or may not be the appropriate law. Broadly, PIPEDA would apply to employee information in the context of Federal work undertakings, as opposed to Provincially regulated private sector employees, which may or may not be subject to laws that cover personal information in the employment context, depending on where they're located. Alberta, BC and Quebec have Provincial laws that apply to the area and they have different requirements than Federal law. Whereas if you're a Federal worker undertaking then the Federal law we've been discussing this slide will apply. More broadly, I think the consideration you're asking for, collecting that data, would be ones that we have discussed in the slide deck, that's the broad questions of proportionality consent and reasonableness. Is this information necessary to meet the purpose ... comprising the health of your other employees or customers or patients, depending on the line of business. That would be depend on who you are. The answer may differ for different organizations. So for example, if you're a long term care home, or something like that, then (a) PIPEDA wouldn't be the applicable, but, (b) you're depending on a vulnerable population, that's a different consideration than if you're operating a drive-thru or something like that. It's a very contextual analysis and would really be worth looking at sort of who you are and if you can actually justify that collection and if there are other collections that would perhaps meet and your purposes without collecting sensitive data. So that could be things like questioning people if they've experienced health symptoms that would be typical of COVID and perhaps not recording that information. So, again, applying the principals of data minimization and proportionality.
There's also a question about productivity and monitoring software, so I think a lot of what I had just said for the previous question would be applicable for that one as well. Broadly, organizations needs to be (a) considering what law actually applies, and, (b) whether what they're doing is proportionate to meet their ends and they can justify the impact on a person's privacy. For monitoring software, again, there's a fair amount of subtlety based on what law applies and whether it applies in the employment context but I would call out that. From a PIPEDA perspective we had discussed the reasonableness principal and the idea of information collections to be reasonableness or consent to side and the Commissioners issued inappropriate data practice guidelines. One of the things that was considered unduly invasive would be monitoring somebody using their own device. But again I caution. It is a factual specific matter. You need to look at the information collected and the purposes for which it's being collected, in the overall context, in determining appropriateness.
I suspect that's all we have time for. As I said, if anybody would like to reach out by email, we'd be pleased to hear from you.
Brent: Perfect. Thanks very much. There was one other question I'll address briefly. Somebody mentioned that they're at a firm where they're being asked to take, specifically, Zoom off of their devices and is there a way that they can still access the content. This and other talks, as we do them, will be posted to the website. You can just view them at your leisure as regular feed and we invite you to check out the collection as well as the COVID portal where we've been aggregating all kinds of resources to help our clients through this difficult time.
Thanks to the panel, and thanks for all you of you for joining us and we'd love to hear feedback and, as we said, feel free to reach out to us. You'll get the slide deck shortly and you can see our contact there. Thanks everyone and have a great day.
Read the original article on GowlingWLG.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.