The Lexpert Special Editions profiles selected Lexpert-ranked lawyers whose focus is in Corporate, Infrastructure, Energy and Litigation law and relevant practices. It also includes feature articles on legal aspects of Canadian business issues.
Issue link: https://digital.carswellmedia.com/i/1338565
EMPLOYEE TRUST MUST BE ACCOMPANIED BY OVERSIGHT
• In December, the federal privacy commissioner released his report on the massive breach of Desjardins Group's customer data between 2017 and 2019, committed by a "malicious" employee
• Investigation found Desjardins' protection measures were inadequate in four areas, and the breach highlighted "the dangers presented by insider threats, intentional or otherwise"

In addition, says Grenier, companies will have to comply with data breach notification requirements. "Given the quantity of breaches we see nowadays, that [proposed legislation brings] enhanced security obligations and [for] retaining data: having a structure, being disciplined with what information is collected, what is kept and when is it necessary to delete personal information."

Companies open themselves up to great risk by keeping personal customer information for longer than they need to or that is not necessary to their operations, Grenier says.

The manner of hacking into corporate accounts has also grown more vicious, she adds. While several years ago one might see criminals hacking into a site and holding the data ransom by encrypting it, now they will steal the information and sell it first — or at least will threaten to do so on the dark web or an auction site. Worse, companies are faced with sanctions if they are found to be at fault in the breach.

Companies must ensure that their privacy policies are worth the paper they're written on — or the websites they're displayed on. "Sometimes, there's a gap between theory and practice," says Grenier. This must be addressed through vigilant employee training, regularly updating security policies and understanding and honouring regulatory compliance obligations.

"You really do have to live privacy throughout your operations on a day-to-day basis," Fabiano adds.
"So, if you haven't trained your people on privacy matters and in a way that's relevant to their day-to-day duties, you're just asking for trouble . . . breaches or lapses that could be real headaches in the future."

Enhanced consent regime

Under the new privacy legislation, clearer consent will be required of customers and companies will have greater obligations for secondary use of information such as customer profiles after they have opened an account. Companies will now be required to disclose what they do with all the information they collect.

There is also a global trend to enhance data subject rights that Bill C-11 supports, says Laila Paszti, of counsel at Norton Rose Fulbright LLP's Montreal office. Data subjects can now require a company to delete their data on a subject, also known as "the right to be forgotten."

"But how will a company determine if the individual making the request is really that person?" asks Paszti.

The new consent regime in Bill C-11 also sets out several exceptions to consent, she says. A company doesn't have to seek consent if it is transferring an individual's personal information to a service provider; however, it does require a company "to really scrutinize the way in which it's gaining consent," and when drafting privacy policies, it may prove difficult for companies to determine all the circumstances under which they would need to get that consent, Paszti says.

"Part of the impetus for this legislation is for Canadian companies to compete in an increasingly global world," she adds. Although the proposed legislation is a boon to privacy protection, "at the same time, it will negatively impact companies . . . because they will have to grapple with how this will affect their processing of personal information and how it will require them to retool their data platforms."

