data breach Archives - IPOsgoode
/osgoode/iposgoode/tag/data-breach/
An Authoritative Leader in IP

Office Of The Privacy Commissioner Of Canada Publishes Results Of Investigation Into Marriott Data Breach Of 2018
/osgoode/iposgoode/2022/10/27/office-of-the-privacy-commissioner-of-canada-publishes-results-of-investigation-into-marriott-data-breach-of-2018/
Thu, 27 Oct 2022 16:00:39 +0000
The post Office Of The Privacy Commissioner Of Canada Publishes Results Of Investigation Into Marriott Data Breach Of 2018 appeared first on IPOsgoode.


M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on October 19, 2022.


On September 29, 2022, the Office of the Privacy Commissioner of Canada (the OPC) published the results of its investigation into the 2018 data breach involving Marriott International, Inc. (Marriott), finding many of the hotel giant’s privacy controls inadequate and recommending remedial steps to prevent future breaches.

Marriott announced that it experienced a data breach involving the unauthorized access of a Starwood Hotels (Starwood) database on November 30, 2018, as previously reported by the E-TIPS® Newsletter. Starwood is a separate hospitality company that was acquired by Marriott in 2016, with the unauthorized access reportedly starting before the acquisition (i.e., spanning from 2014 to 2018). The threat actor reportedly obtained access to personal information contained in up to 12.8 million records where the country-of-residence information was listed as Canada. These records included information on guest profiles and contact details, guest reservations, passport details, and encrypted payment card information.

The incident prompted the OPC to launch an investigation into Marriott’s primary operating company for Canadian hotels, Luxury Hotels International of Canada, ULC. During the investigation, the OPC considered the following key issues:

  1. Safeguards. The OPC reviewed whether there were proper information security safeguards in place to protect personal information. It found several deficiencies in its investigation, including with respect to access controls, anti-virus software, logging and monitoring, and information storage. The OPC found that these deficiencies represented a failure to implement proper protection measures and were a contravention of Principle 4.7 of the Personal Information Protection and Electronic Documents Act (PIPEDA).
  2. Accountability. Following the acquisition of Starwood, Marriott was accountable for implementing policies to properly protect personal information. The OPC found that despite undergoing a post-acquisition assessment of Starwood’s systems and making certain improvements, Marriott failed to adequately perform ongoing security assessments in contravention of Principle 4.1.4 of PIPEDA.
  3. Information Retention. The OPC determined whether the compromised information was held for an appropriate period of time and found that certain personal information was retained for longer periods than necessary in violation of Principle 4.5 of PIPEDA.
  4. Notification and Mitigation. Given that the OPC considered the compromised information as presenting an ongoing risk of harm for those affected, it reviewed whether appropriate notification and mitigation measures were used in response to the breach. Marriott conducted both direct notification for those individuals for whom it had a valid email address and indirect notification for the remaining individuals (e.g. issuing press releases and providing breach information on a dedicated website). Additionally, Marriott implemented various mitigation measures, such as offering one year of free web monitoring to affected individuals, establishing a dedicated call centre, implementing a process for individuals to verify whether a passport number was involved in the breach, and notifying credit card networks of the incident. Although the OPC would have preferred the web monitoring protection to be for a longer time period, it ultimately found the above notification and mitigation measures to be adequate.

In concluding its report, the OPC acknowledged the remedial steps carried out by Marriott, such as the decommissioning of the Starwood database in December 2018. It also recommended implementing further action to ensure compliance, including having Marriott (i) retain an independent assessor to review any enhancements it has made to its systems; and (ii) review its organizational and governance measures as they relate to selected privacy practices. With both recommendations, the OPC requested that Marriott submit reports detailing its findings and proposed timelines for addressing any action items arising from the reviews.

EU Penalizes Amazon $887 million for GDPR Infringement
/osgoode/iposgoode/2021/08/24/eu-penalizes-amazon-887-million-for-gdpr-infringement/
Tue, 24 Aug 2021 16:00:18 +0000


Tiffany Wang is an IPilogue Writer, IP Innovation Clinic Fellow, and a 2L JD Candidate at Osgoode Hall Law School.


In July, the European Union delivered an unprecedented fine against Amazon—a record $887 million USD. Luxembourg’s National Commission for Data Protection (CNPD) penalized Amazon for their . The $887 million fine is almost triple the amount of General Data Protection Regulation .

. La Quadrature du Net claims to represent the .

Amazon refuses to remain idle. The multinational firm has already declared it will initiate the to refute this penalty. Amazon voiced that there has been and continues to promise that . The irony here, however, rests in the reality that

The EU’s penalty against Amazon . Legislation still has teeth despite Luxembourg’s historically friendly stance toward Amazon .

The unprecedented fine also underscores the EU’s of Amazon. Amazon has . Even though Amazon claims that collecting data helps to foster a better online retail environment, regulators and lawmakers. In fact, growing suspicion clouds the correlation between data and Amazon’s . The 2018 privacy investigation only fuels the . .

Amazon’s slogan is “Work hard. Have fun. Make history”. Indeed, Amazon has made history with its $887 million penalty. But is this the “history” that Jeff Bezos envisioned?

Ontario Court Of Appeal Finds Insurance Coverage Does Not Apply To Cyber Hack
/osgoode/iposgoode/2021/04/23/ontario-court-of-appeal-finds-insurance-coverage-does-not-apply-to-cyber-hack/
Fri, 23 Apr 2021 13:00:00 +0000

This article was originally published on April 14, 2021.

On March 15, 2021, the Ontario Court of Appeal (the Court), in Family and Children’s Services of Lanark, Leeds and Grenville v Cooperators General Insurance Company, reversed the lower court’s decision that found that Co-operators General Insurance Company (Co-operators) had a duty to defend Family and Children’s Services of Lanark, Leeds and Grenville (FCS) and Laridae Communications Inc. (Laridae) against two claims in relation to a cyber hack.

Laridae was retained by FCS to perform communication and marketing services, including working on FCS’ website. FCS subsequently discovered that its website had been hacked and that a report containing personal information of 285 clients and subjects of FCS’ investigations was disclosed on Facebook without authorization. Both companies were insured by Co-operators and claimed that Co-operators had a duty to defend against the following two claims that arose out of the event:

  1. a $75 million class action brought against FCS alleging that FCS was negligent in securing its website; and
  2. a third-party claim in that proceeding brought by FCS against Laridae for negligence and breach of contract.

Co-operators denied that it had a duty to defend because its policies excluded claims arising from the distribution of data by means of an internet website. All three parties brought applications to determine the rights that depend on the interpretation of the policies.

The Court disagreed with the lower court’s finding that the matter could not be addressed by way of application, stating that there were no material facts in dispute requiring a trial and that the policy provisions in issue were clear and unambiguous. Upon assessing the issue, the Court found that the substance and true nature of both claims arose from the wrongful appropriation and distribution of confidential personal information on the internet. The Court held that all claims asserted were covered by the clear and unambiguous language of the exclusion clauses, and therefore Co-operators had no duty to defend either claim.

The Court did not waver when faced with FCS and Laridae’s argument that applying the data exclusions would nullify meaningful coverage under the policy. The Court held that the policies clearly stated that Co-operators would not insure against all risks, and that holding the parties to the terms of the agreement therefore aligned with the reasonable expectations of the parties.

Written by M. Imtiaz Karamat, Osgoode Alumnus and Student-at-Law at Deeth Williams Wall LLP.

Facebook Addresses Resurgence Of Information From 2019 Data Breach
/osgoode/iposgoode/2021/04/16/facebook-addresses-resurgence-of-information-from-2019-data-breach/
Fri, 16 Apr 2021 13:00:45 +0000

The following article was originally published on April 13, 2021.

On April 3, 2021, Business Insider reported that information relating to over 530 million Facebook accounts had been made publicly available online. It is reported that 3.49 million accounts belong to Canadians and that the leaked data included names, locations, birthdates, email addresses, and other identifying information.

In response, Facebook issued a news release that stated that the information was not leaked through a recent hack, but was the resurgence of data that was taken from the platform in 2019. Facebook claimed that the information was obtained via data scraping, where automated software is used to obtain public information from the internet and distribute it to online forums. The company believes that malicious actors took advantage of a vulnerability in Facebook’s contact importer feature, which is designed to help users easily find and connect with friends through their contact lists. By exploiting the feature, the malicious actors were able to obtain information from users’ public profiles. Facebook has assured the public that the malicious actors had limited access to users’ information and that the leaked data did not include financial information, health information, or passwords.

The news release also stated that Facebook made changes to its contact importer feature in 2019 to address the issue. More specifically, it modified the feature to prevent malicious actors from imitating the Facebook app and uploading a large set of phone numbers to find matching Facebook users. Facebook stated that it will work to get the data set taken down and that it will continue to combat the misuse of its platform’s features.

Written by M. Imtiaz Karamat, Osgoode Alumnus and Student-at-Law at Deeth Williams Wall LLP.

THE ONGOING SAGA: FACEBOOK HEMORRHAGING ITS USERS PRIVACY
/osgoode/iposgoode/2020/07/07/the-ongoing-saga-facebook-hemorrhaging-its-users-privacy/
Tue, 07 Jul 2020 20:58:55 +0000

Yet again, another regulator, the Competition Bureau of Canada (the Bureau), has unmasked Facebook for incessant acts of breaching its users’ information privacy. On May 19, 2020, the Competition Commission settled an investigation penalising Facebook for claims of data privacy, following a complaint to the Office of the Privacy Commissioner of Canada (OPC) under PIPEDA. Over the past five years, the social media giant has been facing scrutiny regarding its data privacy policies. After the outrage over British data firm , it has been glib in steering major policy changes in respect of privacy. Investigation revealed that Facebook had been loosely treating its users’ data and had disclosed it to third parties, affecting . The OPC came to this conclusion after due deliberation, highlighting the importance of . This has not only plunged users’ confidence in Facebook in Canada, but also in many jurisdictions, including its host jurisdiction in the US by .

Disingenuous and Deceptive Behaviour

Prior to the whistleblower revelation of Facebook's involvement in Cambridge Analytica influencing , it had been popularising various quizzes and games on its platform. This was to engage users in order to conduct to check if instigation of “emotional contagion” was possible through social media. Succeeding in such attempts, it gave multiple third parties access to its users’ data (e.g., content posted on Facebook and messages exchanged through Messenger). Thus, it is imperative to regulate such social media platforms. Facebook superficially handles its privacy policies through , which hampers the meaningful and from users. Accordingly, the Canadian regulators are making painstaking efforts to protect citizens from such undue influences by penalizing such activities. The Bureau explicitly confirms that do not in their entirety protect users’ ability to control their respective Messenger chats and other private activities. Rather, there are loopholes (such as the installation of third-party apps) by which third parties can access such information, rendering enormous profits to Facebook. Though Facebook had contended in 2015 that it would refrain from such activities, such practice continued until 2018.

Intertwined Relationship of the Regulators in the Privacy Dispute

Due to the complexity of the cases and the inadequacy of laws in the field of data privacy, the OPC and the Competition Commission have gone to great lengths to achieve a comprehensive settlement and enforcement in this case. As both had different approaches and interests, being regulated under different laws, including PIPEDA and the respectively, achieving consistency with regard to regulations can be a challenge. Intertwining both regulators helped in bridging the gap between the “” of federal and provincial privacy laws, while the Competition Bureau sought an administrative penalty, helping in the enforcement proceedings. Though the OPC has been criticized in the past for its lack of enforcement powers, the coalition of both regulators has demonstrated benefit to the Canadian privacy regime.

In conclusion, considering the current scenario, it is foreseeable that more regulators may interpret privacy issues differently and as per their mandates. This is because the privacy law framework in Canada, and elsewhere, has not entirely addressed online infringement issues and it will take a considerable period of time to develop comprehensive statutes to regulate these novel and often nefarious online activities.

Written by Aishwerya Kansal, IPilogue Contributor. Aishwerya is pursuing Master’s in Law in International Business Laws at Osgoode Hall Law School, and she is also an IP Innovation Clinic Fellow.


Managing the Risks of Cybersecurity Breaches
/osgoode/iposgoode/2019/11/18/managing-the-risks-of-cybersecurity-breaches/
Mon, 18 Nov 2019 19:15:04 +0000

For last month’s , the Government of Canada, in partnership with security organizations, launched a campaign to create awareness and inform the public on the importance of cybersecurity.

The Office of the Privacy Commissioner of Canada (OPC) estimates that in the last 12 months, . This included the breach of personal financial data with institutions like and . These incidents serve as a reminder that even if data collection or a breach occurs domestically, cybersecurity has global implications, as local data easily becomes cross-jurisdictional with the click of a link. Thus, a data breach can damage an institution’s operations and reputation and trigger significant legal and compliance issues. As such, individuals and companies should be aware of the provincial, federal, and international rules that govern them to better manage the legal risks of civil liability.

A data breach can impose civil liability in the event of a cyber intrusion if the party failed to and reasonable security measures. of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) indicates that personal information must be protected by security safeguards proportionate to the sensitivity of the information. states that these methods must include physical, organizational, and technological measures to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification. The organization must also prioritize cybersecurity by ensuring that appropriate data protection measures for third-party vendors are developed and monitored, and that its employee policies and training are sufficient to reduce the scope and frequency of breaches.

Another way civil liability might be imposed is when an entity fails to mitigate the damage once a breach has occurred. requires organizations subject to PIPEDA to report to the Privacy Commissioner any breaches of security safeguards involving personal information that pose a real risk of significant harm, which is likely to result in an investigation. Companies also need to notify affected individuals about those breaches and keep records of all data breaches within the organization.

Additionally, the gravity of a breach can affect the outcome of an M&A process. It is standard practice for buyers to conduct due diligence for data breaches and to draft merger agreements with legal protections to manage the risk involved in an M&A deal. One such protection that buyers might use is an , which gives buyers the option to exit a deal if an issue that poses long-term loss or risk arises. Moreover, buyers might lower their purchase price in light of the long-term risk. During the Yahoo acquisition by Verizon, , in the wake of two massive

Although prevention is better than intervention, it is unrealistic to expect businesses and individuals to fully protect themselves against sophisticated cybersecurity attacks. Thus, a cyber risk management approach should be prioritized in addition to prevention measures such as blocking threats with firewalls. To mitigate cyber risks, a carefully prepared cyber incident response plan should be put in place before a breach occurs. Such a plan allows companies to mitigate legal risks by detecting the breach in a timely manner, analyzing the scope of the damage, and containing the incident by quarantining affected systems and checking for any backdoors to reduce the risk of further compromising the data. Finally, the incident response plan should include communications guidelines, such as which legal authorities or third parties to inform, as well as the PR and communications strategies to mitigate any reputational risk.

Moreover, before any cybersecurity incident actually occurs, companies should purchase to mitigate economic losses, such as loss of income, loss of profits, the costs of notifying customers or monitoring the credit of affected customers for a period of time, legal liability to third parties, fines and penalties, and cyber extortion, such as ransomware.

Written by Elif Babaoglu, Contributing IPilogue Editor and JD Candidate at Osgoode Hall Law School. Elif is also the co-director of events at the Osgoode Privacy Law Society.

Breaking Up With Big Tech?
/osgoode/iposgoode/2018/04/09/breaking-up-with-big-tech/
Mon, 09 Apr 2018 15:52:11 +0000

This week, Facebook co-founder Mark Zuckerberg will make a long-awaited appearance on Capitol Hill. With Facebook under new and increased scrutiny in the United States (US) and United Kingdom (UK) following the , Facebook’s Chairman and Chief Executive Officer is set to be grilled by representatives of both the and the. The fallout from the Cambridge Analytica affair has spooked as well as , igniting a #deleteFacebook campaign and sending the company’s stock price . Questions from US lawmakers are likely to focus on fundamental issues surrounding how Facebook collects, protects, and commercializes user data on its platform. These matters strike at the heart of Facebook’s advertising revenue model, meaning that Zuckerberg’s congressional moment may potentially become an to his company’s operations as well as the data-driven operations of his peers in the technology industry.

Companies like Facebook, Google (Alphabet), Amazon, and Uber have long presented themselves as creative pioneers who collect and analyze massive amounts of user data to improve the human condition. Savvy marketing and personal acts of altruism have combined to create a calculated image of these companies as rebels and outsiders, doing no evil, working to leverage data analytics to disrupt tired and unimaginative incumbents in order to connect and empower the world. The tech community’s first major crisis occurred via the unbridled economic hype and enthusiasm presaging the , and current big tech companies may be similarly humbled by ongoing pricks to the veneer covering the structural deficiencies of their data-driven business practices. Recently, French President Emmanuel Macron has about the need to “dismantle […] these big giants” as a competition issue, and, here in Canada, there is a growing call for a that prioritizes domestic interests.

Facebook’s current time in the spotlight is just the most recent instance of big tech’s proclivity for moving fast and, unintentionally, breaking the wrong things. Zuckerberg may have inadvertently said as much himself in the immediate wake of the Cambridge Analytica revelations. In an interview with the New York Times, he , “If you had asked me, when I got started with Facebook, if one of the central things I’d need to work on now is preventing governments from interfering in each other’s elections, there’s no way I thought that’s what I’d be doing, if we talked in 2004 in my dorm room.”

Such a revelation may be an instructive lesson for a fresh-faced undergraduate student thinking through the implications of disruptive technologies for the first time. However, they are worrisome when the head of a global technology behemoth who has run the company for over a decade and has utters them.

But they’re not terribly shocking. Since the early 1990s, lawmakers and technologists have advanced the idea of increased connectivity through information and communication technologies (ICTs) as, what then-Secretary of State Hillary Clinton would call them some 20 years later, the . In with the New York Times, Zuckerberg echoed a similar sentiment to defend Facebook’s revenue model: “The thing about the ad model that is really important that aligns with our mission is that — our mission is to build a community for everyone in the world and to bring the world closer together. And a really important part of that is making a service that people can afford. […] Therefore, having it be free and have a business model that is ad-supported ends up being really important and aligned.” However, a from Facebook Vice President Andrew Bosworth that seemingly downplays “the ugly” side of Facebook’s activities effectively punctures this grandiose narrative. Today’s big tech firms have come of light-touch regulation from lawmakers and responded by giving normative and ethical concerns a back seat to connectivity and disruption.

More recently, though, legislators on both sides of the Atlantic have begun to rethink this arrangement. In the European Union (EU), next month’s enforcement date for the new will introduce heavy fines for companies that do not comply with harmonized data privacy regulations. And at a into Russian online disinformation activities during the 2016 Presidential election campaign, Senator Dianne Feinstein from Facebook, Twitter, and Google that “You created these platforms, and now they’re being misused. And you have to be the ones who do something about it—or we will.” Depending on the outcome of Zuckerberg’s appearances this week, the US Congress may begin to make good on Sen. Feinstein’s threat.

Regulating or, in the words of Macron, dismantling big tech will be no easy task. These companies have amassed large stores of data about our innermost feelings and have developed technologies that . These companies have also entranced governments with the promise of jobs and economic prosperity . It is imperative that any attempts to harness big tech for the public good are not done in a knee-jerk or . The challenges these companies and new emerging technologies pose require long-term and strategic thinking around the social, economic, ethical, and democratic impacts of our increasingly data-driven society.

 

Joseph F. Turcotte is a Senior Editor with the IPilogue and the Coordinator. He holds a PhD from the Joint Graduate Program in Communication & Culture (Politics & Policy) at York University and Ryerson University (Toronto, Canada).

Federal Privacy Commissioner Provides Submission on New Data Breach Notification and Reporting Regulations
/osgoode/iposgoode/2016/07/20/federal-privacy-commissioner-provides-submission-on-new-data-breach-notification-and-reporting-regulations/
Wed, 20 Jul 2016 15:15:11 +0000

The re-posting of this article is part of a cross-posting agreement with CyberLex.

The Office of the Privacy Commissioner of Canada (“OPC”) has provided its views on the data breach reporting and notification requirements that are soon to be prescribed by regulation under the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”).

On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) received Royal Assent in Canada’s Parliament. The Digital Privacy Act amended PIPEDA. Among other important changes, it amended PIPEDA to require mandatory notification of both the OPC and affected individuals, and introduced a record-keeping requirement (and fines for organizations which fail to meet either of these new requirements).

These new data breach requirements in PIPEDA will come into force once the Government passes regulations, and to that end, the Government has circulated a Discussion Paper and solicited comments.

The OPC has provided its submission, and as the body charged with administering and ultimately enforcing the resulting regulations, the OPC’s views are of significance (although they are not determinative of the final form of the regulations).

 

When Organizations Will Need to Report

A challenge organizations face when dealing with a breach affecting personal information is whether to report the breach to the OPC. Reporting is currently voluntary, and this dilemma will not go away when it becomes mandatory; rather, the question will simply become one of how to determine whether the trigger (“real risk of significant harm”) has been met.

The OPC is of the view that the current set of factors enumerated in subsection 10.1(8) of PIPEDA is sufficient and that any further guidance on conducting a risk assessment could be provided by the OPC in due course. [1]

The Discussion Paper had also asked if encryption should provide a kind of “get out of jail free” card, insofar as encrypted information that is lost or accessed would be presumed to present no or a low “real risk of significant harm”. The OPC was against equating encryption with a diminished risk of significant harm. This raises the question of why the OPC has regarded the use of encryption as an adequate security safeguard to be considered under Principle 4.7.3.

 

What the Report Should Look Like

The OPC is of the view that any new mandatory breach reports should be in written form (digital or paper) and require the following information:

  • Name of responsible organization;
  • Contact information of an individual who can answer questions on behalf of the organization;
  • Description of the known circumstances of the breach, including:
    • Estimated number of individuals affected by the breach;
    • Description of the personal information involved in the breach;
    • Date of the breach, if known, or alternatively estimated date or date range within which the breach is believed to have occurred;
    • A list of other organizations involved in the breach, including affiliates or third party processors;
  • An assessment of the risk of harm to individuals resulting from the breach;
  • A description of any steps planned or already taken to notify affected individuals, including:
    • date of notification or timing of planned notification;
    • whether notification has been or will be undertaken directly or indirectly and, when applicable, rationale for indirect notification;
    • a copy of the notification text or script;
  • A list or description of third party organizations that were notified of the breach, pursuant to s. 10.2(1) of PIPEDA, as well as Privacy Enforcement Authorities from other jurisdictions;
  • A description of mitigation measures that have been or will be undertaken to contain the breach and reduce or control the risk of harm to affected individuals;
  • A description of the organization’s relevant security safeguards, taking into consideration any improvements made or committed to, to protect against the risk of a similar breach reoccurring in the future.

The information is not substantially different from that already required by Alberta, which already has a mandatory breach reporting regime, although the OPC’s proposed approach would require more detail. [2] Also, the proposal that organizations provide a “description of the organization’s relevant safeguards” is not found in the Alberta requirements and may give rise to privilege and litigation risk issues. As well, organizations are likely to balk at disclosing this information because it potentially telegraphs an organization’s security strategy and vulnerabilities to bad actors. This is particularly true since this information is at risk of public disclosure via the Access to Information regime.

The OPC believes organizations should have an ongoing obligation to provide updates “as soon as feasible”, a requirement that is also absent from the Alberta regime.


What Notification to Individuals and Third Parties Should Look Like

The OPC essentially adopts its own document, “” and proposes that the regulations require the following elements be included in notifications to affected persons:

  • Description of the circumstances of the breach incident;
  • Date of the breach, if known, or alternatively estimated date or date range within which the breach is believed to have occurred;
  • Description of the personal information involved in the breach;
  • Description of the steps taken by the organization to control or reduce the harm;
  • Steps the individual can take to reduce the harm or further mitigate the risk of harm;
  • Contact information of an individual who can answer questions about the breach on behalf of the organization;
  • Information about right of recourse and complaint process under PIPEDA.

The OPC is of the view that direct notification should be required (e.g. direct communication with each affected individual) and that indirect notification (e.g. via newspaper ads, websites, etc.) should be allowed only with permission and only in certain circumstances. Organizations will be pleased to know that the OPC accepts that “prohibitive costs to the organization and [unreasonable interference] with its operations” are one of the circumstances in which the OPC would accept indirect notification. However, the OPC suggests that organizations must first “[demonstrate] that they may validly use indirect notifications”. It is unclear if to be “valid” an organization will have to demonstrate, for instance, prohibitive costs or other criteria, or that “validity” will be evaluated on the basis of likelihood of the message effectively reaching the target demographic.

On this latter point, the OPC is of the view that indirect notification would need to be directed to the appropriate geographic market, be relevant to the product or service and the type of customer interaction, be for an appropriate length of time and in plain English, and, where appropriate, allow organizations to use third parties to conduct such notification.

With respect to the notification of third parties (potentially vendors, industry organizations, other organizations in that sector), the OPC has sensibly supported a permissive approach to notifying third parties, instead of a mandatory one.


What an Organization’s Record-Keeping Obligations Would Be

The OPC appears to regard the new record-keeping requirements (which require organizations to keep a record of all breaches of security safeguards) as a mechanism for general oversight.

The OPC is of the view that such records should include “sufficient information to demonstrate compliance with PIPEDA’s new notification requirements and should contain sufficient information to enable the Office to effectively perform its oversight functions.” More significantly, “[t]he content of these records should also assist the OPC in understanding the process through which organizations determine whether or not to notify affected individuals.”

Relying on this, the OPC believes the following data elements should be included in records of breaches:

  • Date or estimated date of the breach;
  • General description of the circumstances of the breach;
  • Nature of information involved in the breach;
  • Summary and conclusion of the organization’s risk assessment leading to its decision whether to notify/report or not.

These are not particularly onerous, except that including a rationale as to whether to report or not to report such a breach introduces fertile ground for plaintiffs’ lawyers to explore as they make a case for negligence or breach of privacy. Organizations that knowingly fail to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches, could face fines of up to $100,000 per violation.

As a consequence of this, organizations will be torn between sufficiently documenting such breaches in order to demonstrate that they evaluated reporting the breach to the OPC and affected individuals (thereby avoiding “knowingly” failing to report) and not including so much information that it could be subsequently used against them.

The OPC would like to see all such incidents documented and recorded on an individual, non-aggregated basis. For organizations such as financial institutions or large retailers, which face upwards of 200 threat incidents a week, this could be onerous.

With respect to retention, the OPC suggests that records be maintained for a period of five years from the date of creation of the record, after which records could be destroyed.


An Organization’s Obligations to Non-Canadians

The OPC notes that organizations that are subject to PIPEDA may collect personal information which pertains to individuals who reside outside of Canada (for instance, residents of the U.S.). As such, the OPC is of the view that the data breach notification and reporting requirements should consider the extent to which organizations may have to notify individuals outside of Canada who may be affected by a data breach undergone by an organization subject to PIPEDA. At a minimum, the OPC suggests that regulations should require organizations to consider the breach notification laws of those jurisdictions, as well as any local notification requirements.


Future OPC Guidance

The OPC clearly sees itself as playing an instrumental role in the future privacy landscape, and has indicated that once the Government passes final regulations it is prepared to develop guidelines that will complement the content of the regulations and provide additional compliance assistance for organizations.


© McCarthy Tétrault LLP

is Counsel in McCarthy Tétrault’s National Technology Group.


[1] Subsection 10.1(8) reads “The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include (a) the sensitivity of the personal information involved in the breach; (b) the probability that the personal information has been, is being or will be misused; and (c) any other prescribed factor.”

[2] Section 19 of the Personal Information Protection Act Regulation, Alta Reg 366/2003

]]>