The Ever-Increasing Menace of Ransomware in 2021

I attended the MAPLE-SEC conference this week, which I thought gave a good overview of the state of cybersecurity and cybercrime in Canada in 2021.

One thing we learned during the conference was that a majority of businesses faced with a ransomware incident during the last year ended up paying the criminals to get their data back and/or to avoid its disclosure to third parties. Not too surprisingly, this type of crime is consistently on the rise, as the typical victim ends up capitulating and rewarding the criminals by paying some sort of ransom.

We also learned recently that a 2021 report by cybersecurity firm Sophos revealed that about a third of businesses were the victim of some sort of ransomware attack during the last year. That makes for a LOT of businesses and data!

With stats like these, it’s not surprising that insurers offering cyber-insurance products are now feeling the pinch. Cyber-insurers are apparently now losing considerable money on this type of policy. Because of this, an expert in insurance law who spoke at the MAPLE-SEC conference warned everyone that cyber-risk insurance coverage is about to get substantially more expensive for businesses everywhere. His advice was to get the best cyber-insurance you can afford, right now.

Recent stats clearly show that ransomware is unfortunately here to stay, as we now seem to be paying the price for collectively minimizing the importance of cybersecurity for so long.

Québec Adopts New Personal Information Protection Statute

Québec formally adopted last week an overhaul of its statute regulating the handling of personal information by businesses in the province. Bill 64 was an attempt to bring the Québec Loi sur la protection des renseignements personnels dans le secteur privé (the Act respecting the protection of personal information in the private sector) in line with more modern legislation used abroad, including the famed GDPR in Europe.

The revised statute now includes more stringent obligations for organizations handling such data, and provides for potentially huge fines (we’re talking millions) for businesses caught violating the law. Yes, I think we can safely say that the province of Québec now has a real piece of legislation governing how organizations are supposed to protect personal information when collecting, using or communicating it.

Though the statute was formally adopted, one should note, however, that most provisions of Bill 64 will come into force only in September 2023, giving businesses about two years to shape up. During that time, the Québec watchdog (the Commission d’accès à l’information, or “CAI”) will also seek to provide guidance by coming up with rules and protocols that it expects businesses to apply and abide by.

A limited number of provisions will come into force in September 2022, including those related to the obligation for businesses to disclose security incidents that may have exposed personal information to loss or theft, including, for example, following hacking incidents. The Québec media report that the government intends to curb a culture of negligence when it comes to adequately handling and protecting personal information. After almost 30 years of being governed by an obsolete statute as to personal data, Québec businesses certainly have work to do!

Modifications to Bill 64 as Adoption in 2021 Remains Likely

The Québec bill proposing substantial amendments to the Act respecting the protection of personal information in the private sector (Bill 64) keeps making progress through the legislative process, as the parliamentary committee recently published its report, in which it proposes further changes to that piece of legislation.

The committee proposed several modifications to the initial version of the bill, including the following:

  1. Creating certain new rights for individuals with respect to their personal information;
  2. Requiring businesses to check, beforehand, that information transferred outside Québec will be protected by laws (in the receiving jurisdiction) that are “adequate”;
  3. Adding an obligation to inform individuals of the actual identity of the third-party businesses and partners to which the organization may disclose information (as opposed to merely disclosing the types of third parties);
  4. Allowing businesses to delegate the role of Chief Privacy Officer (as required under the bill) to someone outside the company, if they so choose (for example, to allow outsourcing of that function when no one in the company has the requisite expertise);
  5. Forcing businesses that use de-identified information to take reasonable precautions against eventual use of such information to “re-identify” the individuals at issue;
  6. Allowing use of personal information, even without consent, for the purpose of delivering products or providing services to the individuals at issue;
  7. Allowing use of personal information, even without consent, in the context of acquisition-type corporate transactions, as well as other commercial operations such as mergers, financings, etc.;
  8. Expressly adding to the Québec statute the possibility of settling claims against businesses that violated the statute by having them enter into undertakings with the authorities, as is allowed under the federal statute;
  9. Modifying the amount of certain penalties provided for by Bill 64, it being understood, however, that the maximum penalty of $25M (or 4% of annual turnover) remains untouched;
  10. Limiting what businesses must provide to individuals who ask to see “their” own data, by excluding data that was indirectly produced or inferred from the information actually provided by each individual.

It is generally agreed that Bill 64 is likely to complete the legislative process in 2021, as its formal adoption seems more than likely before the end of the year, with fairly minimal modifications being made to it between now and then.