Seasoned privacy and cybersecurity lawyer Alex Cameron on compliance and client advice.
2018 was a crucial turning point for privacy legislation, from the EU’s GDPR to the passing of the California Consumer Privacy Act. As well as this, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) saw major new requirements added.
Alex Cameron is leader of law firm Fasken’s privacy and cybersecurity group, representing clients including a variety of Fortune 100 and 500 companies.
Siliconrepublic.com spoke to Cameron about the implementation of the new PIPEDA requirements, the changing perception of privacy and the most common cybersecurity worries his clients are concerned about.
What is PIPEDA?
PIPEDA, which has been in force in some form since 2000, only applies to the private sector. Last November, new federal requirements for reporting data breaches, keeping records of breaches and notifying affected individuals went into effect.
Cameron said: “PIPEDA rules are that where an organisation has a breach affecting personal information, it must notify individuals and report the matter to the privacy commissioner if the breach gives rise to what is called a ‘real risk of significant harm.’” This risk threshold is, according to Cameron, “quite low in many people’s opinion”.
Many of the provinces in Canada have similar requirements, but the federal nature of the additional rules means that PIPEDA will likely become the “relevant statute to consider”.
For businesses across Canada, the record-keeping element of the new rules can seem daunting. “Every breach of personal information, no matter how benign or insignificant it may seem, must result in a record being kept of the breach for a period of two years.”
A growing interest in privacy
Looking at the general interest in privacy, Cameron said: “Without question there is a marked increase in both employee and customer interest in these issues.
“People have knowledge of the issues and willingness to utilise the rights that they have to ask a lot more questions about how their information is being collected and used, and how to make access requests to gain access to all of the personal information that an organisation has collected about them.”
This increased level of interest and growth in individual knowledge can present some risks to businesses, with “a more robust and onerous privacy regime to adhere to”.
Cameron added that there is a “tremendous increase in class-action activity”. He has also noticed more clients are concerned about what a privacy gaffe will do to their public image, noting the “real reputational dimensions” organisations must keep in mind with compliance issues. His clients ask him for advice about the cybersecurity threats to prepare for. “The two most common scenarios we see are ransomware attacks and email compromise cases in terms of frequency and largest impact.”
A strong advocate for multifactor authentication, Cameron added that consistent security auditing and effective employee education and training are vital. In the world of ransomware, examining your organisation’s remote desktop protocol permissions is a must, he stressed.
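The remote desktop review Cameron recommends can be turned into a repeatable, read-only check. The script below is an added example and is not code from the article or from Fasken; it assumes an elevated PowerShell 5.1 or later session on a Windows host (Windows 8 / Server 2012 or newer, so that the NetSecurity and Microsoft.PowerShell.LocalAccounts modules are available) and reports whether RDP is enabled, whether Network Level Authentication is required, which accounts may log on over RDP and whether the inbound firewall rules are scoped to any address.

```powershell
# Added example (not from the article): read-only audit of one Windows host's RDP exposure.
# Assumes an elevated PowerShell 5.1+ session; nothing here changes configuration.

function Get-RdpExposureReport {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
    $denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required before a session is created.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # SecurityLayer: 0 = legacy RDP security layer, 1 = negotiate, 2 = TLS required.
    $secLayer = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer

    # Accounts permitted to connect: the Remote Desktop Users group, plus local Administrators (always allowed).
    $rdpUsers = @(); $admins = @()
    try { $rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Stop | Select-Object -ExpandProperty Name) } catch {}
    try { $admins   = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | Select-Object -ExpandProperty Name) } catch {}

    # Enabled inbound firewall rules in the built-in "Remote Desktop" group, with their remote address scope.
    $fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    $openToAny = @()
    foreach ($rule in $fwRules) {
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') { $openToAny += $rule.DisplayName }
    }

    $findings = @()
    if ($denyTs -eq 0) {
        $findings += 'RDP is enabled; confirm this host needs it and that access is behind a VPN or gateway.'
    }
    if ($denyTs -eq 0 -and $nla -ne 1) {
        $findings += 'Network Level Authentication is not required; enable NLA so credentials are checked before a session exists.'
    }
    if ($denyTs -eq 0 -and $secLayer -ne 2) {
        $findings += 'TLS is not required for the RDP security layer.'
    }
    # Broad principals in Remote Desktop Users defeat least privilege. Names are matched by suffix
    # because Get-LocalGroupMember returns them as DOMAIN\Name or COMPUTER\Name.
    $broad = $rdpUsers | Where-Object { $_ -match '\\(Everyone|Authenticated Users|Domain Users|Users)$' -or $_ -eq 'Everyone' }
    if ($broad) {
        $findings += "Remote Desktop Users contains broad groups: $($broad -join ', '); restrict to named administrators."
    }
    if ($openToAny) {
        $findings += "Inbound RDP firewall rules accept any remote address: $($openToAny -join ', '); scope to management subnets."
    }

    [PSCustomObject]@{
        ComputerName       = $env:COMPUTERNAME
        RdpEnabled         = ($denyTs -eq 0)
        NlaRequired        = ($nla -eq 1)
        SecurityLayer      = $secLayer
        RemoteDesktopUsers = $rdpUsers
        LocalAdmins        = $admins
        FirewallRulesAny   = $openToAny
        Findings           = $findings
    }
}

# Usage: run on each server in scope and keep the output alongside the audit record.
Get-RdpExposureReport | Format-List
```

The findings list is deliberately conservative: a host with RDP enabled is not itself a problem, but RDP without NLA, reachable from any address, or open to broad groups such as Domain Users is the combination that commonly precedes the ransomware incidents Cameron describes. Running the function across a fleet with `Invoke-Command` gives a consistent snapshot that can be compared between audits.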