Category Archives: Security

It’s February: Time to Implement a Security Freeze on Your Credit?

Posted on by

The province of Québec adopted the Credit Assessment Agents Act a while back, so as to better protect consumers against the practices of credit agencies such a Equifax. When that particular law came into effect, however, the legislator opted to wait before implementing one particular section dealing with what is generally referred to as a “security freeze”.

Good news on that front: since February 1st 2023, Section 8 of the act is now in force, thereby providing Quebecers who wish to do so with the possibility of effecting a credit freeze. As described in the act, a  security freeze prohibits any credit agency (you know, those which hold your credit report and give you a credit score) from communicating your personal information and your credit report when the information was requested by a business claiming that it needs it to provide you with credit.

When such a freeze is in place, for example, a bank will simply be told by the credit bureau it can’t disclose your credit report as you have previously elected to implement a security freeze. In the normal course of things, the bank will then have to have a talk with you or whoever is impersonating you) about this, thereby stopping the attempt to open credit facilities in your name.

Of course, if you’re shopping around of a new credit card, this may prove an inconvenience for you but if you’re not in the process of hoping to secure more credit in the foreseeable future, this is definitely something you may want to think about doing.

Contrary to some subscription services offered by credit agencies, a security freeze must be available to Quebecers FREE OF CHARGE. Though I’m sure implementing one requires jumping through hoops, it may be worthwhile to avoid the eventual headache of having to deal with identity theft! By the way, so far, the act at issue applies to Equifax and Trans-Union, so you will have to contact both these entities to see about implementing a freeze for yourself.

Your Typical Canadian Employees May Not Care All that Much About Cybersecurity or Privacy at Work, it Seems

Posted on by

The media reported recently disconcerting results from a recent survey of Canadian employees about the protection of personal information and cybersecurity.

The report at issue indicates about 1/3 of Canadian employees do not think data theft is really in an issue they should be concerned with, or that they are likely to be targeted by cybercriminals when at work. Even with everything happening in the past couple of years, including almost daily announcements of computer intrusions and ransomware attacks (including in Canada), your typical employee does not seem all that worried.

In Québec, 3/4 of employees who answered the survey indicated they did not think the protection of personal information had anything to do with them, rather thinking this is an issue that IT is responsible for. Heck, the same proportion of respondents even admitted they had received NO training whatsoever at work about cybersecurity. None. Yikes.

Yeah, it seems, even today, with everything being published and privacy laws being adopted, your typical Canadian business may not be all that concerned about protecting data, whether it be personal or otherwise. Given that even some SME officers and business owners often still basically choose to ignore the issue, it is not all that surprising that a lot of employees do too. The Vietnamese have a good saying that may apply here: A house leaks from the roof on down.

Our job educating businesses and employees about this may not be quite done, it seems.

Businesses within the Province of Quebec Have Homework to Do as to their Employees and their Data

Posted on by

As you may already know, Quebec’s Bill 64 was passed into law a couple of months back, setting in motion a substantial revamp of the province’s main privacy statute. Much like what’s been going on in Europe and, more recently, at Federal level, the province finally decided it was time to update its antiquated statute governing the protection of personal information within Quebec.

The law’s coming into force of an Act to modernize legislative provisions as regards the protection of personal information (the “Act”) will stretch until 2024. In the meantime, the first provisions of the new law came into force last week, including numerous new obligations for Quebec businesses and organizations about their employees.

In practice, until now, little attention was generally paid in Quebec as to rules that may govern and apply to the personal information of employees, an issue that was often swept under the rug. Well, now that the Act is here things have to change -fast.

Indeed, the Act provides for a whole slew of obligations that apply to employers within the province of Quebec. For example, as is the case elsewhere, Quebec organizations should draft and make generally available their data handling policy, including as to how you handle employee information. This is but an example of what the new regime requires.

The first thing quite a few Quebec businesses and organization should do, including relatively small ones, is come to terms with the fact that the world has indeed changed and that Quebec business may no longer look at privacy as this theoretical issue that no SMB really bothers with. With the advent of the Act, all businesses and organization should (quickly) make the transition, from apathy as to privacy, to being highly involved. If you need motivation to do so, the staggering amount of potential penalties provided by the Act should help: 25 MILLION dollars or, and here’s the kicker, 4% of annual revenues. Yup, that’s right, just like Europe did a while back, we’re now realizing that dollar amounts may not be enough, but percentage of revenues, now THAT scares the bejesus out of ANY business.

As to employees, without going into details, to start, you should probably simply understand that personal information is now treated as such, whether it relates to a customer or an employee. Both are individuals, right? So, from now on, the Act basically assumes that organizations should have processes, policies and protocols in place to deal with personal information, wherever it comes in or from -employee-related information including. One should also note as to these, that the Act now requires making these policies generally available, including to employees, so that individuals can know how you are handling their information. Though this may seem a no brainer, in actuality, quite a few Quebec organizations still do not comply with this.

The Act also provides constraints as to how an organization may use automated processing of data to make or reach decisions as to individuals. If your company has AI sorting CVs, for example, individual may have to be made aware of this fact, etc.

One should also make note of the fact that, no only must employees be made aware what information of theirs is collected and used (and how), but employees can now lodge complaints with the Quebec privacy watchdog called the Commission d’accès à l’information (the “CAI”), should they want to question the employer’s data-handling practices, for example, if they suspect their employer’s practices are not in-line with the Act.

As is the case in numerous other jurisdictions, the Act also now provides for a mandatory notification in case of hacking incidents (and similar incidents where personal information may have been compromised), including when it comes to employee information.

Another change mandates that employers (and all organizations in fact) appoint a privacy officer, who will handle personal information-related matters on behalf of the entity, moving forward. This will have to include issues relating to employee information. Such a person may, for example, be a an officer of the company and should, generally, be selected based on his/her ability to deal with eventual issues relating to the types of data that the organization at issue normally handles. In other words, though the Act presumes the president of the company may be the person in charge, he/she may or may not be the best person for the job. All in all, if you are located in the province of Quebec and have employees, you may very well now be subject to the new Act. The time to educate yourself, seek advice and act is… now.