Cybersecurity 101: Common Sense Can Make All the Difference

The Slaw blog had a good basic post yesterday morning on cybersecurity for law firms. It made me want to share some of their advice, to which I’d add a few points of my own, and which applies not only to professionals but to any type of organization.

As you may notice, a lot of this is basically common sense, as applied in the digital age:

  • Start by asking yourself what type of data your organization handles, and consider what problems you would face were it to fall into other hands or become unavailable;
  • Inventory all devices your organization uses, in particular those that connect to its systems and/or the Internet, and make sure your personnel knows the dangers of plugging in anything new (for example, an infected USB stick);
  • Realize that anything you connect to the Internet (i.e. make accessible) may become a point of entry for potential attackers or infections, in particular any device that has not been fully updated (including the firmware and software running on it). Make sure all your hardware and software are regularly updated, starting with your router and your computers/servers;
  • Stop allowing or using weak passwords, and require everyone to use a solid password manager;
  • Better yet, have everyone in the organization access every tool that supports it through two-factor authentication (2FA);
  • Acknowledge that employees require ongoing cybersecurity training and reminders, and actually schedule it so that it does happen, at least every year, covering things like:
    • The risks associated with passwords (such as weak or reused ones);
    • Problems that may be triggered by navigating one’s browser to a malicious site or clicking on a link in an email;
    • The dangers of activating, opening or clicking on attachments;
    • The concept of social engineering and its role in many attacks;
  • Know in advance whom you will call in case of an incident, to investigate or remedy it, and make sure your personnel knows what your game plan is;
  • Do not assume you are safe because no one would bother attacking you: we are all potential victims of cybersecurity incidents, since anyone can fall victim to an attack without having been specifically targeted.

With Québec’s passing of a new personal information statute, further to Bill 64, I’d say now’s a good time to brush up on your cybersecurity practices and safeguards!

Modifications to Bill 64 as Adoption in 2021 Remains Likely

The Québec bill proposing substantial amendments to the Act respecting the protection of personal information in the private sector (Bill 64) keeps making progress through the legislative process: the parliamentary committee recently published its report, which proposes further changes to that piece of legislation.

The committee proposed several modifications to the initial version of the bill, including the following:

  1. Creating certain new rights for individuals as to their personal information;
  2. Requiring businesses to check, beforehand, that information exported outside Québec would be protected by laws (in the other jurisdiction at issue) that are “adequate”;
  3. Adding an obligation to inform individuals of the actual identity of third-party businesses and partners to which the organization may be disclosing information (as opposed to merely disclosing the types of third parties);
  4. Allowing businesses to delegate the role of their Chief Privacy Officer (as required under the bill) to someone outside the company, if they so choose (for example, to allow outsourcing of that function if no one in the company has the requisite expertise);
  5. Requiring businesses that use depersonalized information to take reasonable precautions against the possible use of such information to “reidentify” the individuals at issue;
  6. Allowing use of personal information, even without consent, for purposes of delivering products or providing services to the individuals at issue;
  7. Allowing use of personal information, even without consent, in the context of purchase-type corporate transactions, but also other commercial operations such as mergers, financings, etc.;
  8. Expressly adding to the Québec statute the possibility of settling claims against businesses that violated the statute, by having them enter into undertakings with authorities, as is allowed under the Federal statute;
  9. Modifying the amount of certain penalties provided by Bill 64, it being understood, however, that the maximum penalty of $25M (or 4% of annual turnover) remains untouched;
  10. Limiting what businesses must provide to individuals who ask to see “their” own data, by excluding data that was indirectly produced or inferred from the data actually provided by each individual.

It is generally agreed that Bill 64 is likely to complete the legislative process in 2021, with its formal adoption expected before the end of the year and fairly minimal modifications made to it between now and then.

Canada a Little Closer to Recognising Right to be Forgotten

The Federal Court recently issued a decision further to a reference triggered by the Privacy Commissioner and involving Google, concerning in particular the extent to which search engines may be considered businesses governed by the rules on the protection of personal information. In short: yes, Google should be considered a normal business and, yes, search engines may be considered to hold and use personal information.

In practice, one consequence of the ruling is that individuals whose personal data is held and displayed by the likes of Google, when third parties search the Web, would seem to be covered by the normal rules requiring that information be up to date, accurate and still relevant. In short, in certain cases, individuals may be able to require search engines to stop their algorithms from referencing inaccurate or obsolete information.

Though the Federal Court decision at issue was technically NOT about the right to be forgotten, this judgment does open the way for Canadians to claim a right to deindexation of erroneous or obsolete Web search results, akin to the right to be forgotten that European law now grants citizens. This could happen with or without legislative changes to provide for it expressly.

Though people are already invoking a right to have material about them deindexed by search engines, for now providers like Google aren’t too keen to recognize that such a right exists in the U.S. or Canada. Now that the Privacy Commissioner is starting to investigate and process complaints about search engine results, it remains to be seen whether a right to deindexation will indeed materialize in Canada, and how fast.