Special issue: Protecting data in the cyberworld: A task for lawyers and legislatures

Patrick France, law student, Université de Sherbrooke

In July of 2017, the credit monitoring firm Equifax suffered a security breach that compromised the information of approximately 150 million individuals. To date, it remains one of the largest data breaches ever to have occurred, with sensitive information such as credit card information, names, social security numbers and other personal data stolen by hackers. In addition to the massive blow to its reputation from public backlash, Equifax was forced to “pay up $700 US million in fines and penalties to settle with various regulatory bodies”. Although not all security breaches are of this magnitude, it is important to ask what can be done to prevent them in the first place, and what can be done reactively once they have occurred. To address this question, it will be argued that legal professionals play a critical role in planning against and managing a cyber breach, and that legislatures in Canada and around the world are central to the regulation of data protection and the imposition of sanctions on those who fail to comply.

Firstly, legal professionals are instrumental in the fight against cybercrime, which in total has cost the global economy more than $445 billion[1]. Although experts such as computer engineers are seen as most critical in securing networks and preventing cyberattacks, lawyers can assist in several distinct ways. The first is by providing legal advice, more specifically in regard to privacy laws and statutes. When a large company such as a bank stores sensitive client information on its servers and that information is compromised during a breach, there is an obligation under specific privacy laws to inform the client of the breach. An example of such a privacy law in Canada is the “Personal Information Protection and Electronic Documents Act” (PIPEDA), a federal Act applicable to “private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity”. Under s. 10.1(3), this Act imposes on organizations a duty to notify clients of any security breach involving their personal information “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”. In regard to assessing a “real risk of significant harm”, s. 10.1(8) PIPEDA states that three factors should be considered: “(a) the sensitivity of the personal information involved in the breach, (b) the probability that the personal information has been, is being or will be misused and (c) any other prescribed factor”. The wording of this section is quite vague, and this is where legal expertise on when and how to notify individuals adds value to a cybersecurity team. Secondly, lawyers are critical in communication efforts with law enforcement, both nationally and internationally. Section 10.2(1) PIPEDA gives private organizations subject to PIPEDA the option of notifying government institutions of a data breach if they believe that the institution may be able to reduce the risk of harm. This means that an affected organization could ask the RCMP for help if it believes this to be necessary, with communications ideally being managed by its legal team. This leads to the third argument in favour of involving lawyers in cybersecurity: attorney-client privilege. If a company does not wish to disclose certain information regarding a data breach to regulators or law enforcement, it can invoke attorney-client privilege where that information was confided to a member of its legal team. As a result, companies can control the flow of information when providing updates, which is essential to preserving their reputation and to “protecting certain documentation from discovery during the legal process”. In addition to reputational loss, lawsuits and fines can force a firm to close its doors[2]. All of the above-mentioned points thus highlight the importance of involving lawyers in the cybersecurity discussion.

Secondly, it is important for legislatures in Canada and across the world to regulate data protection efficiently, especially in a world where everything is connected and a “majority of services, such as financial systems, the power grid, health systems, administration and the military run on networks connected to the internet”. Historically, jurisdictions like Europe were seen as role models when it came to data protection, with initiatives such as the GDPR, which imposes fines calculated as a percentage of a company’s global revenue for failing to secure private information. However, other jurisdictions such as Canada and the United States were not always as quick to impose such measures. More recently, Canada has worked to address data protection at the federal level, with the first reading of Bill C-27 having been completed in the Senate on June 16, 2022. This bill is an example of Canada seeking to improve its current data protection laws, including by imposing penalties similar to those in Europe on organizations that do not adequately protect user information. If the bill is passed, non-compliant companies could be “liable to a fine of up to 5% of global revenue or CA$25 million, whichever is greater.” In Quebec, measures were also taken to impose greater obligations on private organizations storing sensitive customer data. Following the Desjardins security breach, which compromised the information of over 4.2 million of its members, the Quebec government introduced and adopted Bill 64. Bill 64, entitled “An Act to modernize legislative provisions as regards the protection of personal information”, was a complete revamp of the province’s personal information protection laws. This bill created obligations more stringent than those of PIPEDA, for example in regard to record keeping and security breaches. In regard to record keeping, the bill creates a duty to maintain records of a security breach for a period of 5 years, longer than the 2-year period under PIPEDA. Furthermore, whereas PIPEDA uses the notion of a “breach of security safeguards”, Bill 64 uses the notion of a “confidentiality incident”, which appears to be broader in nature and could thus mean that organizations have a duty to notify individuals of a security breach in more situations than under PIPEDA. In short, Bill 64 serves as another good example of a government taking more initiative in regard to cybersecurity. In a global economy, however, it is not enough for jurisdictions like Canada, Quebec or Europe to take data protection and security breach issues seriously; it is a collective effort requiring the involvement of all countries. The United States, which is “ranked first in global security threats”[3], seems to be lagging behind by not imposing GDPR-like measures of its own. Furthermore, while other countries have adequacy agreements to improve the flow of data between countries, which is essential during a cybersecurity breach at a multinational company for example, the United States has no such agreements, requiring special ones to be drafted if need be. This highlights a serious problem in the global fight against cybercrime and in protecting the data of ordinary citizens: what good are stringent national measures when key players do not impose such measures themselves? It is clear that more needs to be done, but Canada’s and Quebec’s recent push for legislative reform imposing tougher sanctions on non-compliant players is a step in the right direction.

To conclude, cybersecurity breaches are on the rise across the globe. Law firms such as Norton Rose, which advise clients on cybersecurity issues, dealt with 500 breaches this year as opposed to 320 last year. It is not just large corporations whose networks are at risk of being compromised, resulting in reputational and financial losses, but also small firms, for whom a security breach could mean closing their doors indefinitely. This highlights the importance of involving lawyers in cybersecurity prevention and breach management, since they can provide an expertise that other professionals may not. It is also clear that governments should be creative in their legislative efforts in order to set out clear guidelines for companies to follow to protect the broader public. As more governments take data protection seriously to curb cybercrime, one can ask what more can be done to harmonize legislation across jurisdictions and thwart the efforts of criminals who seek to damage our global network.
