
Page 1: Privacy Security Data Breach - Regulatory Compliance for Financial Institutions Nov 20 2014 Canadian Institute

Addressing Privacy, Security and Evolving Data Breach Obligations

Presented By: Lisa Abe-Oldenburg

Regulatory Compliance for Financial Institutions

November 20, 2014

Page 2:

Addressing Privacy, Security and Evolving Data Breach Obligations

1. Evolution of Payments Technology and Risk
2. Responding to Data Breaches – Understanding the changes to Canadian data breach notification law
3. Organizational Data Practices
4. Due Diligence of Third Parties

Page 3:

Evolution of Payments Technology and Risk

• Storage, provisioning and management of card credentials and other personal information

• Movement from NFC to Cloud-based software and databases

NFC Model
• ID stored locally/physically (e.g. cards and chips)
• Complex issuance
• TSM and Secure Element ecosystem
• Standards based
• Transactions treated as "Card Present"

Cloud Model
• ID stored centrally/online (app on device with data connection)
• Simpler issuance
• No standards or security model yet fully defined
• Transactions treated as "Card Not Present"

Page 4:

Evolution of Payments Technology and Risk

• PCI DSS, EMV and ISO standards provide some security, reliability and interoperability

• Compliance vs. Security
• Contracts to be reviewed – existing and new
• Security also impacted by equipment, premises, personnel, processes
• Risk at point of data collection, storage, use, disclosure, transfer
• Transitioning to third parties (e.g. end of term, sale of business, outsourcing, subcontracting, affiliates) & knowledge transfer by employees
• Big data issues
• Must deal with changes to technology and risk over time

Page 5:

Third party risk

Problem:
• loss of control, risk of liability, data breaches and leaks
• You remain responsible for your outsourcers

Resolution:
• Keep core business and data in-house or encrypted
• Need reports, notification, testing, monitoring, management oversight, auditing, control, return, change process, confidentiality, security, segregation, export controls, disaster and continuity/recovery planning, early termination

• Have clear service/security level requirements; consider benchmarking

• Negotiate limitations on liability and disclaimers, warranties and indemnities, guarantees, hold-backs, alternative dispute resolution, performance bonds, insurance

• Thresholds of risk tolerance will affect negotiations

Page 6:

Risk Analysis

• Examine all stages: asset transfer, new development or technology implementation, testing phase, transitioning in phase, operational/services phase, transitioning out phase, business continuity/disaster management, etc.

• Construct a responsibilities matrix to clarify each party’s obligations and dependencies (e.g. on other parties)

• Analyze what could go wrong at each stage

• Assess risks, liabilities and remedies

• Business operational risk, financial risk, regulatory compliance risk, liability risk, reputational risk

Page 7:

Risk Mitigation

• Preparation is key to prevention of data loss or breach
• Due diligence and risk assessments
• Internal governance structures and policies in place
• Know the business (data assets), points of access/control
• Consult with all stakeholders and legal counsel
• Legal contracts in place with terms that address risk, risk mitigation, compliance and security

Page 8:

Responding to Data Breaches

• What are your legal obligations if there is a data breach?

• Note, this presentation only covers data breaches in the private sector and not breaches with respect to public sector, health or employee information.

• Under federal private sector privacy law, PIPEDA, breach notification is currently voluntary – both notifying individuals of breaches involving their personal information and notifying the OPC

Page 9:

Responding to Data Breaches (cont.)

• The Canadian Data Breach Guidelines, drafted in 2007 in consultation with commissioners' offices, advocacy groups and representatives from industry, encourage organizations to:
• Contain the breach and conduct a preliminary assessment of what occurred;
• Evaluate the risks associated with the breach;
• Notify the parties affected by the breach;
• Take adequate steps to ensure that such an incident does not recur in the future.

Page 10:

Responding to Data Breaches (cont.)

• The OPC encourages organizations to notify the office or appropriate provincial privacy commissioners of “material” breaches of security safeguards that involve personal information—determining whether a breach is “material” involves, among other considerations, assessing the sensitivity of personal information and the number of individuals affected.

• PIPEDA does include requirements around adequately safeguarding personal information through the use of physical, technological and organizational measures.

• Absence of “appropriate” controls resulting in breaches currently does not trigger any regulatory consequences, such as fines or penalties.

Page 11:

Responding to Data Breaches (cont.)

• Proposed amendments to Canada's federal privacy legislation (PIPEDA) under Bill S-4 (Digital Privacy Act) will require businesses and organizations to track data breaches and report them to individuals and the OPC if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual

• The Bill sets out factors to assess risk, requirements for the content and timing of the notification and record keeping requirements of all breaches

• Also an obligation to report to other organizations or government if risk could be reduced

• Non-compliance would be punishable by fines of up to $100,000

Page 12:

Responding to Data Breaches (cont.)

• The Bill also gives new powers to the privacy commissioner to:
• negotiate voluntary but binding compliance agreements with organizations that commit to taking action on privacy violations;
• extend the period within which a complainant may apply to the Federal Court of Canada to order compliance or award damages; and
• release information about non-compliant organizations if it is in the public interest.

Page 13:

Responding to Data Breaches (cont.)

• Alberta enacted amendments to its private sector Personal Information Protection Act (PIPA) to address incidents involving the “loss of or unauthorized access to or disclosure of the personal information” including mandatory breach reporting.

• SCC decision (Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62) struck down Alberta's PIPA in its entirety as unconstitutional

• Declaration of invalidity was stayed for 12 months (to Nov. 15 2014) in order to provide enough time to legislators to decide how to make this act constitutional

• Motion to extend suspension filed by AG of Alberta on Oct. 1, 2014

• SCC granted 6 month extension on Oct 30 2014

Page 14:

Responding to Data Breaches (cont.)

• Other provinces, e.g. Ontario, New Brunswick and Newfoundland and Labrador, only require breach notification with respect to personal health information.

• Alberta PIPA requires notice to the province’s Privacy Commissioner of loss of, or unauthorized access to, personal information under the organizations' control - only if a reasonable person would consider that there exists a real risk of significant harm to an individual. Commissioner decides whether individuals should be notified.

Page 15:

Responding to Data Breaches (cont.)

• “real risk of harm” must be more than merely speculative and not simply hypothetical or theoretical. A breach relating to highly sensitive personal information, such as financial information, is more likely to meet this standard and require reporting.

• The commissioner has interpreted “significant harm” to mean “a material harm...[having] non-trivial consequences or effects. Examples may include possible financial loss, identity theft, physical harm, humiliation or damage to one’s professional or personal reputation.”

Page 16:

Responding to Data Breaches (cont.)

• Manitoba recently enacted Personal Information Protection and Identity Theft Prevention Act (PIPITPA) – private sector law (Bill 211) not yet in force (awaiting proclamation)

• PIPITPA will generally require breach notification to an individual directly if personal information is lost, accessed or disclosed without authorization – no harm threshold

• Also fines of up to $10,000 for individual and $100,000 for other persons (companies) guilty of an offence under PIPITPA

Page 17:

Responding to Data Breaches (cont.)

• PIPITPA will also create a private right of action for an individual to sue an organization for damages arising from its failure to:
• protect personal information that is in its custody or control; or
• provide reasonable notice if the organization was not satisfied that the lost, stolen or accessed information would be used lawfully.

• In Québec, the Commission d'accès à l'information du Québec ("CAI") in its 2011 Quinquennial Report entitled "Technology and Privacy, in a Time of Societal Choices" recommends to include, in both its public sector and private sector data protection laws, mandatory security breach reporting.

• Jurisdictions outside Canada may have extraterritorial implications, e.g. California has its own breach notification law

Page 18:

Organizational Data Practices

• Designate privacy and technology officers to ensure compliance under Canadian and foreign laws

• Consult with the regulators when in doubt about systems and privacy policies

• Have a data breach protocol plan in place - how to notify, who, and when? E.g. the regulators, individuals, ASAP

• Limit access to electronic records to a need-to-know basis and password protect; control dissemination of apps

• Draft and keep records of proper consents prior to collecting, using or disclosing any personal information or providing apps

Page 19:

Organizational Data Practices (cont.)

• Identify purposes for the collection, use and disclosure, and limit collection, use and disclosure to those purposes, which must be reasonable

• Develop, implement and review privacy and security policies, CASL policy (see new CRTC Bulletin 2014-326), technology policy, including procurement, software, BYOD and services policies

• Train employees and get acknowledgments

• Protect personal information and data from theft, modification, and unauthorized access

Page 20:

Organizational Data Practices (cont.)

• Keep personal information only for as long as reasonable to carry out the business or legal purpose or as required by law and destroy or anonymize records once no longer needed

• Develop a procedure for information requests/access, correction and deletion

• Review and revise all contracts with third parties to ensure obligations flow through

• “Stress test” data and app operations - privacy and data policies can be a marketing opportunity

• After a data breach occurs, comply with data breach guidelines and notification requirements

• Offer credit monitoring to clients

Page 21:

Due Diligence of Third Parties

• Policies, procedures and standards, privacy, security and data practices
• Governance, Board and C-suite involvement/priorities
• Promises, commitments, warranties, contracts
• Technology and facilities
• Certification
• Contingency capability
• People, management, training, supervision, minimum proficiency levels
• Legislative and regulatory compliance
• References, history of breaches, attacks, business interruptions and reporting
• Foreign legal, political, economic and social implications

Page 22:

Contract Due Diligence and Terms to Negotiate

• Data and personal information
• Costs, insurance, change management (e.g. in legislation)
• Obligations, duties, restrictions and controls
• Ownership and transferability of data; proper consents, tracking, monitoring and data storage
• Service/performance levels
• Breadth of warranties, indemnities, given and received
• Disclaimers and limitations on liability - exclusions
• Audit rights (technology and security), reporting
• Force Majeure
• Subcontracting and affiliates
• Territories and legal jurisdiction
• Assignment, change of control
• Term, termination, remedies

Page 23:

Confidentiality and Security Terms

• Confidentiality and security standards
• Which party has responsibility for protection mechanisms?
• Who owns the data?
• Definition of confidential information of each party
• Scope of information to be protected?
• Background checks of employees and subcontractors
• Training obligations
• Powers of each party to change security procedures and requirements?

Page 24:

Confidentiality and Security Terms

• Obligations:
• non-disclosure of other party’s confidential info
• technologically isolate customer data and records at all times
• location of records and data storage
• security/retention
• return/destruction
• exclusions, e.g. permitted disclosures
• notification and mitigation

• Term for each obligation
• Liability for losses if security breach
• Injunctive remedies
• Notification of potential or actual security breaches

Page 25:

Confidentiality and Security Terms

• Third party validation, audit of procedures, policies and practices

• Requirements of OSFI guidelines
• Security controls, firewalls, compliance person
• Record return and destruction
• Privacy and security policies, compliance with laws/regs
• Termination and survival

Page 26:

Privacy Terms

• Specify which party shall be responsible for obtaining the necessary consents

• Who should retain control over data management
• Both parties to comply with all privacy requirements
• Handling of specific requests, corrections, etc.
• Retention time limits and protecting the personal information
• Specify protection, encryption, security and segregation of the personal information
• Require appropriate notices
• Include warranties and covenants that reflect applicable privacy laws’ compliance, during term of contract, transitioning and thereafter

Page 27:

Privacy Terms

• Restrict use of data only for specific purposes – for which consent was obtained
• Prohibit subcontracting, assignment (without consent)
• Require agreements with employees, subcontractors, affiliates
• Deal with limited/authorized access, use, disclosure, retention periods, disposal, audit and inspection rights and training of all relevant employees

• Require compliance with applicable laws and customer privacy, security and data management policies

• Consider other provisions such as termination, survival, remedies, indemnities

Page 28:

Privacy Terms

• Consider retention of personal information in Canada
• Restrict cross-border data flow, require storage and processing in specified countries
• Segregate any personal info from non-personal data
• Isolate any data that may be subject to disclosure
• Deal with potential conflicts between foreign and Canadian privacy laws

Page 29:

Summary of Best Practices and Tips

• Insist on provider transparency: participants/subcontractors, jurisdictions, data flow and processing, type of cloud and who has access

• Engage all organizational teams that may have input to the protection of privacy and security, e.g. operational, procurement, contracts negotiation, privacy, employment (HR), compliance, audit, insurance, IT, security, risk, Board of Directors

• Directors' liability for breach of their duties in risk management and oversight

• Have proper testing, plans and policies in place

• Get early involvement of experienced legal counsel

Page 30:

Lisa K. Abe-Oldenburg, B.Comm., J.D.

[email protected]

Tel.: 416-777-7475

www.bennettjones.com

• This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyer who will provide analysis and advice on a specific matter.