Cover Up the Data that I Must Not See!

By Pierre-Marc Gendron

“Things like that offend our souls, and fill our minds with sinful thoughts.” Tartuffe, III, 2 (v. 860-862)

Mobile technologies completely revolutionized our life habits. Once a tool allowing only sporadic Internet access, mobile devices now offer the possibility to do just about anything one would have done on a computer. In a series of two (2) articles, we will provide an analysis of the issues pertaining to cybersecurity as well as an overview of best practices in terms of corporate governance pertaining to cybersecurity.

From a commercial standpoint, mobile technologies and the computerization of businesses now allow for the collection of a vast array of information about consumers. The combination of all this data provides very accurate profiles of consumers in order to predict their behaviours. Some businesses will not hesitate to change the products displayed on their website’s home page or the words appearing on their website’s interface based on the profiles of their users.

This data is extremely valuable for businesses and, as a result, businesses develop and use more and more methods to collect and analyze it. However, from a legal perspective, this data may constitute personal information and thus be subject to a duty of protection on the part of the businesses collecting it. Indeed, these profiles make for an ideal target for hackers seeking to steal personal information.

Nowadays, the question to ask oneself regarding cyberattacks is not “will my business suffer an attack?”, but rather “is my business prepared for the attacks it will face?” Whether it be a start-up or a multinational company, no business is immune to a cyberattack. Moreover, attacks will continue to be a threat despite the efforts and techonology put into trying to prevent them.

At first, it might be tempting to believe that cybersecurity concerns only IT departments. However, from a legal standpoint, the issues raised by cybersecurity are a matter of privacy protection. This first article provides an overview of the most important laws applicable to privacy protection in the private sector.

The criterion to establish if data constitutes personal information is whether it pertains to a specific individual and makes it possible to identify him or her. According to case law, information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.

Both the Parliament of Canada and the National Assembly of Quebec have adopted laws pertaining to the protection of personal information. For Quebec businesses, the applicable law is not necessarily that of Quebec. The provincial law applies only where the collection, communication or use of the information are limited to the province’s territory. As soon as the collection, disclosure or use of the information takes place outside the province, the federal law applies.

The federal law (Personal Information Protection and Electronic Documents Act) and provincial law (An Act Respecting the Protection of Personal Information in the Private Sector) share essentially the same principles, although their implementation differs slightly.

These laws make it mandatory for a business to obtain individuals’ consent prior to collecting, disclosing or using personal information. Such consent must be free and informed, so that the individual may reasonably understand how his or her personal information will be communicated or used. The collection of personal information must also be limited to what is necessary for the purposes identified at the time of collection. The disclosure, use and retention of personal information must also be limited to the purposes for which consent was obtained and for as long as necessary for the accomplishment of such purpose.

Businesses also have the obligation to put appropriate security measures in place, taking into account the sensitive nature of the personal information collected. These measures must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

Among other things, the amendments made to the federal statute on June 18th, 2015 will soon create an obligation for businesses to report any breach in their security measures to the Privacy Commissioner of Canada, as well as to the individuals whose personal information was compromised and to whom it is reasonable to believe that the breach will cause a real risk of serious harm. Businesses will also have the obligation to keep a record of all breaches to their security measures. For the time being, these provisions are not yet in force.

A cyberattack is sure to have an impact on your profitability. Indeed, in the aftermath of an attack, you will incur several expenses including expenses to re-establish operations, restore your data and indemnify your clients. However, the consequences may be a lot more dramatic. The Ashley Madison case is a recent example of the potentially devastating consequences related to a cyberattack, pursuant to which millions of individuals saw their personal information related to an adultery-promoting website exposed. Following this scandal, the firm’s CEO was forced to resign and at least one suicide related to this attack has been reported.

In the next edition of the newsletter, a second article on this topic will show how to apply these concepts within your business.