As the world has seen the technological revolution of the digital age accelerate in recent years, there has been a corresponding surge in criminal activity taking place in cyberspace. Hackers have launched cyberattacks against some of the world’s largest companies, and targeted both key infrastructure and individuals, from the prominent to the virtually anonymous. As a result, data protection is more important than ever before for businesses and individuals. A second consequence of our evolving tech capabilities has been the use of software to access the information of private citizens, raising serious privacy concerns amongst advocates and governments worldwide. To help us understand the twin issues of cybersecurity and data protection, we asked Thomas Wong and Lisa Danay Wallace of WeirFoulds LLP to guide us through this murky online landscape.
What are the most common types of cyber attacks? How do they differ, and which ones are most often seen in Canada or affecting Canadian businesses?
Unfortunately, cyber attacks are becoming an increasingly prevalent reality for businesses across the globe. The COVID-19 pandemic, with its increased focus on remote operations, has only exacerbated the issue, likely because organizations quickly brought their capabilities online without always being able to implement security best practices. No industry is safe, and the impacts can range from an inconvenience to devastating an organization.
About 3 in 10 organizations saw a spike in the volume of attacks during the COVID-19 pandemic, and 25% of Canadian organizations experienced a breach of customer and/or employee data in 2020.[1]
At a global level, one of the most prevalent types of cyber attacks is a ransomware attack (23% globally in 2020 and 33% in Canada and the United States in 2020).[2] Ransomware is malicious software that “infects” a network, encrypts all or some of an organization’s data, and requires payment (usually in Bitcoin or other digital currency) for the necessary encryption key. Despite training and an organization’s best efforts, hackers gain access through a variety of means, whether it be a phishing attack or drive-by downloading.[3] Ransomware has become an industry in some places – with professional representatives to respond to inquiries, negotiate a ransom and deliver encryption keys.
Worryingly, 38% of Canadian organizations did not know if they had been the victim of a cyber attack or not in the last year.[4] The cost of these breaches is high, with Canadian organizations paying a total of US$4 billion for ransoms and lost productivity in 2020 alone.[5] Moreover, the average total cost of a data breach for Canadian companies was US$4.5 million in 2020.[6]
What lessons can be learned from the Colonial Pipeline hacking? Should this incident be a cautionary tale for proactive cybersecurity measures to be taken, or a wake-up call for clients to avoid complacency?
In May of 2021, the world got a clear example of how simple security errors can have massive implications for not only the impacted organization, but an entire industry. On May 7th, 2021, Colonial Pipeline saw its operations completely shut down.[7] What was the point of entry that took down the largest fuel pipeline in the U.S. and led to oil shortages across the East Coast? A single compromised username and password to a then unused - but still active - VPN account.[8]
Based on investigation reports, the security breach was a ransomware attack and the entry point into Colonial Pipeline’s systems was a perfect storm of simple, and unfortunately common, security mistakes. Although the VPN account was no longer in use, it remained an active access point,[9] and the username and password were compromised.[10] Additionally, and perhaps most importantly, the password did not require two-factor authentication – a security measure requiring a second verifying step before a login can be successful.
Apart from the obvious financial risk associated with a ransom and a major operational shutdown, a cyber attack can be costly from the perspective of contractual claims and regulatory fines. Cyber attacks may expose and disclose:
- Confidential information, including information an organization is contractually bound to protect by its customers, suppliers and partners;
- Personal information, which carries litigation and regulatory risk; and
- Trade secrets or patent information, which could result in the loss of protection of an organization’s key intellectual property assets.
The Colonial Pipeline attack is a wake-up call for organizations of how quickly and easily their operations can grind to a halt. Organizations should review their major supplier and internal security practices. Any service provider that is storing sensitive information or accessing an organization’s systems should be required to take appropriate steps to protect an organization’s data and systems. Some practices to consider:
- Organizations should get up-to-date security training from knowledgeable experts at a regular frequency as cyber threats are constantly evolving.
- Procedures and policies should be put in place and regularly updated in order to protect systems (e.g. two-factor authentication) and prevent workarounds.
- Forward-thinking, detailed breach plans: engaging experts in advance, keeping a detailed and up-to-date breach plan, and undergoing mock breach exercises can give an organization an important leg up in the event of a cyber attack.
- Having cyber insurance, and requiring the same of key suppliers, is one way to manage the potential costs of a cyber attack.
As Colonial Pipeline highlights, not all attacks require sophisticated entry points, and an organization’s defenses are only as strong as its weakest link.
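The two failures described in this answer, an account that was no longer used but still enabled, and remote access protected by a password alone, are both things a routine access review can catch mechanically. The following Python script is an added example, not code from the original article or from WeirFoulds; it assumes an exported account inventory in the column layout shown (username, enabled, mfa_enrolled, last_login, vpn_access), uses constructed sample rows, and applies a hypothetical 90-day dormancy threshold.

```python
"""Dormant-account and MFA audit over a remote-access inventory.

Added example, not from the original article. The export format,
column names and 90-day dormancy threshold are assumptions; the rows
in SAMPLE_EXPORT are constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample export: one row per account that can reach the network.
SAMPLE_EXPORT = """\
username,enabled,mfa_enrolled,last_login,vpn_access
alice,true,true,2021-05-06,true
bob,true,false,2021-04-30,true
legacy-svc,true,false,2020-11-02,true
carol,false,false,2020-01-15,true
dave,true,true,2021-05-05,false
"""

DORMANT_DAYS = 90  # assumed policy: unused for 90 days means it should be disabled


@dataclass(frozen=True)
class Finding:
    username: str
    rule: str
    detail: str


def _as_bool(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "1"}


def parse_inventory(text: str) -> list[dict]:
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip(),
            "enabled": _as_bool(row["enabled"]),
            "mfa_enrolled": _as_bool(row["mfa_enrolled"]),
            "last_login": datetime.strptime(row["last_login"].strip(), "%Y-%m-%d").date(),
            "vpn_access": _as_bool(row["vpn_access"]),
        })
    return rows


def audit(rows: list[dict], as_of: date, dormant_days: int = DORMANT_DAYS) -> list[Finding]:
    """Flag enabled accounts that are dormant or that allow VPN access without MFA.

    Disabled accounts are skipped: an account nobody uses is harmless only
    once it is actually disabled, which is the point the Colonial Pipeline
    entry vector makes.
    """
    findings: list[Finding] = []
    for r in rows:
        if not r["enabled"]:
            continue
        idle_days = (as_of - r["last_login"]).days
        if idle_days >= dormant_days:
            findings.append(Finding(r["username"], "dormant-but-enabled",
                                    f"no login for {idle_days} days"))
        if r["vpn_access"] and not r["mfa_enrolled"]:
            findings.append(Finding(r["username"], "vpn-without-mfa",
                                    "remote access allowed with password only"))
    return findings


def run_sample(as_of_iso: str = "2021-05-07") -> list[Finding]:
    """Audit the constructed export as of the given date (default: the shutdown date)."""
    return audit(parse_inventory(SAMPLE_EXPORT), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.username:12} {f.rule:22} {f.detail}")
```

Run against a real export, the two rule names are all a ticketing system needs to key on: "dormant-but-enabled" accounts get disabled, and "vpn-without-mfa" accounts get MFA enforced before the next login. The check says nothing about whether a given password has already leaked, which is exactly why the MFA finding is the one to act on first.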
How does the advent of facial recognition technology impact data protection concerns for individuals? What measures would be required to make it compliant with existing Canadian law, and what are some concerns raised by this new innovation?
Facial recognition technology (FRT) is fraught with substantial privacy concerns and has only become more controversial as the technology has evolved. FRT extracts biometric data from video recordings or other images and uses artificial intelligence to identify individuals by comparing the data to a predefined database of biometric data. One of the main privacy concerns arising from FRT is the difficulty in obtaining meaningful consent. The technology is being used by both the private and public sectors, each with its own privacy law implications.
Private Sector:
In 2020, the Privacy Commissioner of Canada, along with the Privacy Commissioners of British Columbia and Alberta, investigated Cadillac Fairview’s collection and use of the facial biometric data of visitors to its Canadian malls. The data included visitors’ demographics such as age and gender and were collected through embedded cameras inside digital information kiosks. Individuals were made aware of the collection of their data via signs placed on shopping mall entry doors that referred them to Cadillac Fairview’s privacy policy. The Privacy Commissioners determined that this was insufficient to obtain meaningful consent and that shoppers had no reason to expect that their image was being collected through the kiosks, or that it would be used with FRT. Cadillac Fairview’s approach raises one of the most criticized and prevailing issues with privacy practices: important information about the use of an individual’s information is often buried, whether on a website or on a physical sign.[11]
Special attention needs to be paid to aligning the collection and use of FRT with current Canadian privacy laws. Some ways in which the collection and use of FRT can be compliant with Canadian law include:
- Conducting a privacy impact assessment early in the development of any initiative to help develop standard operating procedures;
- Notifying customers about the use of FRT in an apparent manner (i.e., more detailed than the notification traditionally used for video surveillance);
- Providing customers an option to opt out of the collection or the opportunity to avoid areas equipped with FRT without preventing access to related products or services; and
- Updating privacy policies using clear and unambiguous language.
As well, if a third-party supplier is to be engaged with respect to FRT, attention must be paid to that supplier’s characteristics, the impact of privacy legislation on that relationship, the contractual relationship with that supplier, and the role of that supplier in the context of the aforementioned privacy impact assessment.
Public Sector:
FRT has broad applicability and potential uses for government agencies, such as law enforcement. These agencies are governed by different legislation than the private sector and may in some cases have broader exemptions regarding consent. Some examples include:
- In 2016, the Canada Border Services Agency (CBSA) ran a six-month facial recognition pilot that was used on 15,000 to 20,000 travellers a day. The CBSA did not post any signs to inform travellers of the use of facial recognition technology but instead posted a summary of the pilot on its website without specifying which airports would be participating.[12] No formal investigation of the CBSA regarding the pilot has been commenced.
- By contrast, the Royal Canadian Mounted Police (RCMP) came under fire earlier this year in a report to Parliament from the Privacy Commissioner of Canada for its use of FRT. The RCMP used AI software from Clearview AI, a U.S.-based company, to match images of individuals against a database of three billion images scraped from internet websites by Clearview AI without users’ consent.[13]
How does the European Union’s General Data Protection Regulation (GDPR) affect Canadian clients? Are there spaces where Canadian law exceeds the parameters of the GDPR?
The General Data Protection Regulation (GDPR) is a law implemented by the European Union (EU) in 2018. The GDPR is believed by many to be the most stringent privacy law in the world. One of its most discussed features is its novel and broad-reaching applicability. The GDPR applies not only to businesses located in Europe, but to businesses that conduct business in Europe or that target Europeans. Article 3 of the GDPR defines territorial scope using two main criteria: (1) the ‘establishment’ criterion; and (2) the ‘targeting’ criterion. Defining its scope in this way has been viewed by many as the EU extending the application of its privacy regime to every country in the world. As a result, Canadian clients might be concerned about how the GDPR impacts them. The answer depends on whether a company is a data controller or data processor.
A “data controller” is the entity which determines the purpose and means of the processing of personal data. A “data processor” is the entity which processes personal data on behalf of the controller. Whether the GDPR will apply to a data controller or data processor is summarized by these flow charts.
On the one hand, a data controller will need to consider if:
- The data controller has an establishment in the EU (the test for “establishment” is in Article 3(1) and relates to the degree of connection the entity has to the EU);
- The data subject resides or stays in the EU;
- The data subject is traveling in the EU;
- Any data processed is in the context of activities of an establishment in the EU;
- The processing relates to the offering of goods or services; and if
- The processing relates to the monitoring of behaviour in the EU.
Data processors, on the other hand, will need to consider if:
- The data controller is an establishment in the EU and subject to the GDPR;
- The data processor is an establishment in the EU; and if
- The processing activities by the data processor are related to the targeting activities of the data controller such as processing activities related to the offering of goods or services to, or monitoring the behavior of, data subjects in the EU.
Canadian privacy legislation is not currently as stringent as the GDPR, thus Canadian companies that simply adhere to Canadian legislation may not be able to conduct their activities in the EU or may otherwise be in breach of the GDPR. While the Liberal Government’s Bill C-11, tabled in November 2020, which would have enacted the Consumer Privacy Protection Act (CPPA) and established a Personal Information and Data Protection Tribunal, was a step towards a more robust private sector privacy regime, it still lacked certain obligations set out in the GDPR, including specific prohibitions on cross-border data transfers, and distinguishing between the responsibilities of data controllers and data processors. Moreover, because of the snap election called on August 15, 2021, the future of Bill C-11 has become uncertain, leaving the future of Canada’s privacy laws to be decided another day.
The current provincial privacy regimes in Canada also fall short when compared to the GDPR. For instance, in British Columbia (BC), the Office of the Information & Privacy Commissioner for British Columbia offered a comparison between BC’s current Personal Information Protection Act (PIPA) and the GDPR in 2018.[14] In almost every category, including consent, individual rights, mandatory breach notifications, cross-border transfers of personal information, data governance obligations, sanctions, and privacy impact assessments, the GDPR was found to be more robust and protective. In no area did BC’s PIPA provide stronger protections than the GDPR.
How do privacy laws differ between provinces? How would the proposed federal Consumer Privacy Protection Act (CPPA) have changed the current state of Canada’s data protection legislation had it been enacted by Parliament before this year’s election?
Canada’s current privacy regime is a web of federal and provincial privacy laws governing the collection, use, and disclosure of personal information. In November 2020, the federal government introduced Bill C-11, the Digital Charter Implementation Act, 2020, which if passed would have replaced the Personal Information Protection and Electronic Documents Act (PIPEDA), the current federal private sector privacy legislation applicable to commercial activities across Canada. However, on August 15, 2021, the current federal government called an election, rendering the future of Bill C-11 uncertain. It is unclear, depending on the structure of the next government, what legislative updates to the privacy regime will occur. Despite this uncertainty, Bill C-11 provided an interesting perspective on privacy in Canada.
In Canada, the collection, use and disclosure of personal information is governed by both federal and provincial legislation. PIPEDA applies federally with respect to commercial activities in the private sector and includes specific provisions and requirements with respect to federally regulated businesses. There is also the federal Privacy Act, which applies to information that the federal government holds about individuals. Moreover, every province and territory has its own privacy laws, which apply to the relevant provincial and territorial agencies.
In addition to the federal legislation, some provinces have passed their own private sector privacy legislation. These provincial acts apply instead of PIPEDA if they are declared to be ‘substantially similar’ to PIPEDA. There is substantially similar legislation applicable in Alberta, British Columbia, and Québec.[15] Ontario has also sought public comment as it considers the creation of its own provincial private sector privacy legislation.[16]
Although ‘substantially similar’ to PIPEDA, there are material differences that organizations need to be aware of when collecting personal information from the applicable provinces. For example, in Alberta, an organization using a service provider outside of Canada must satisfy certain notification requirements to the applicable individuals.[17]
There is also sector-specific privacy legislation which should be considered. For example, certain provinces also have privacy legislation related to personal health information, namely New Brunswick, Newfoundland and Labrador, Nova Scotia, and Ontario.
Finally, within Canadian jurisdictions, there are common law principles developing in relation to privacy-related issues – and case-law in relevant jurisdictions should be considered.
The Consumer Privacy Protection Act (CPPA)
The CPPA as it was proposed would have resulted in a big change to the Canadian private sector privacy regime, while maintaining the ‘substantially similar’ applicability standard for provincial legislation.
The CPPA proposed language that would have had financial and operational impacts on the way that organizations collect and leverage personal information in Canada. For example, the CPPA would have expanded an organization's obligation to have privacy policies and procedures in place by requiring a “privacy management program” that accounts for the volume and sensitivity of the data collected by an organization.[18] The addition of the volume and sensitivity requirement would have imposed a positive obligation on organizations to tailor their internal policies and procedures. The CPPA would also have introduced an express right for users to request deletion of their personal information. This would have required organizations to pivot their data strategies to be able to operationalize such a request and adjust their use of data such that a deletion of data is contemplated. This would have had interesting implications in the artificial intelligence space.
***
Thomas Wong is a Partner in the Corporate Practice Group at WeirFoulds. His practice is focused on intellectual property, information technology law, and privacy law.
Thomas regularly advises clients on various contractual and commercial matters, including those relating to e-commerce, cloud computing, hosting services, outsourcing and telecommunications and Internet services. He has experience in drafting and negotiating software development and licensing agreements for clients in a variety of industries, including e-commerce, food products, and pharmaceuticals.
***
Lisa Danay Wallace practises in the areas of information technology and intellectual property law with a focus on high tech and Internet-based companies. She also acts for companies from all industries to assist them when they are customers of technology, and with their privacy and other compliance needs.
Lisa has hands-on experience drafting and negotiating a wide array of contractual agreements. Her experience allows her to manage files independently and as part of a team. She has a passion for new technology, and for assisting clients in contracting for new and emerging technologies.
[1] Canadian Internet Registration Authority, “CIRA Cybersecurity Report, 2020”, online: CIRA https://www.cira.ca/cybersecurity-report-2020.
[2] IBM Security, “X-Force Threat Intelligence Index 2021” at 7 & 30, online (pdf): IBM https://www.ibm.com/downloads/cas/M1X3B7QG.
[3] Phishing is the impersonation of legitimate organizations via email, text message, advertisement, etc., to obtain sensitive information. Usually, this involves taking a victim to a fake version of a company’s website to fill in that sensitive information. Drive-by downloading can occur when such a site is visited as well: it is when an individual unknowingly visits an infected website and malware is then downloaded and installed without that individual’s knowledge.
[4] Canadian Internet Registration Authority, “CIRA Cybersecurity Report, 2020”, online: CIRA https://www.cira.ca/cybersecurity-report-2020.
[5] Emsisoft, “Report: The Cost of Ransomware in 2021: A Country-by-Country Analysis” (27 April 2021), online: EMSISOFT Blog https://blog.emsisoft.com/en/38426/the-cost-of-ransomware-in-2021-a-country-by-country-analysis/.
[6] IBM Security, “Cost of a Data Breach Report 2020”, online: IBM https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/.
[7] See William Turton & Kartikay Mehrotra, “Hackers Breached Colonial Pipeline Using Compromised Password”, Bloomberg (4 June 2021), online: https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password?sref=Wg6QzS2e; Sara Morrison, “How a major oil pipeline got held for ransom”, Vox (8 June 2021), online: https://www.vox.com/recode/22428774/ransomeware-pipeline-colonial-darkside-gas-prices.
[8] Ibid.
[9] Ibid.
[10] Ibid.
[11] Supra note 4.
[12] Tom Cardoso and Colin Freeze, “Ottawa tested facial recognition on millions of travellers at Toronto’s Pearson airport in 2016,” Globe and Mail (19 July 2021), online: https://www.theglobeandmail.com/canada/article-ottawa-tested-facial-recognition-on-millions-of-travellers-at-torontos/.
[13] Office of the Privacy Commissioner of Canada, “RCMP’s use of Clearview AI’s facial recognition technology violated Privacy Act, investigation concludes” (10 June 2021), online: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2021/nr-c_210610/.
[14] See Office of the Information & Privacy Commissioner for British Columbia, “Competitive Advantage: Compliance with PIPA and the GDPR” (March 2018), online: https://www.oipc.bc.ca/guidance-documents/2135.
[15] It is worth noting, however, that PIPEDA continues to apply to federal works, undertakings or businesses that operate in these provinces as well as all interprovincial and international transactions by all organizations subject to PIPEDA in their commercial activities.
[16] Ontario, Modernizing Privacy in Ontario, White Paper (Toronto: Ministry of Government and Consumer Services, 17 June 2021).
[17] Personal Information Protection Act, c P-6.5, s 13.1 (3)(a).
[18] Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, 2nd Sess, 43rd Parl, 2020 (second reading 19 April 2021), s 9(1) and 9(2).