Articles

The legal sector must learn to manage Cyber-Risk effectively by utilizing various forms of insurance and risk mitigation strategies. The principles of Information Technology strategy formulation and project risk planning can provide inspiration in understanding and managing the overall legal ramifications of cyber-security attacks and data breaches, including mandatory breach reporting.

Since the decision in The Brick Warehouse LP v. Chubb Insurance Company of Canada was released in July 2017, several pundits have hailed it as ground-breaking in terms of cyber risks in Canada. However, there are at least three reasons why it is not all that significant to the Canadian cyber insurance market.

PIPEDA was amended in 2015 to introduce mandatory reporting of breaches of security safeguards. On September 2, 2017, the Government of Canada released its proposed regulations regarding the mandatory reporting and notification requirements for organizations that suffer a breach of security safeguards.

On June 23, 2017, the Supreme Court of Canada took a step toward repairing the inequality of bargaining power between parties in the online consumer context. In Douez v Facebook, the Supreme Court ruled that Facebook’s forum selection clause in its “terms of use” was unenforceable because (1) it supported unequal bargaining power between consumers and companies and (2) there was a need to protect the privacy rights of social media users.

Molly Reynolds was one of several members of the OBA Privacy and Access to Information Law Section who made submissions in their personal capacities to the House of Commons’ Standing Committee on Access to Information, Privacy and Ethics in respect of its study of PIPEDA. Read on for a summary of her proposals for authorizing the OPC to give advance compliance rulings and providing regulatory guidance on the standard for anonymizing personal information.

With the rise in the collection, use and disclosure of personal information and personal health information across organizations, the prevalence of privacy breaches, and the recognition of common law privacy torts in Ontario, organizations increasingly face legal, financial and reputational consequences from personal information handling practices. This article considers how this evolving area of law may inform an organization’s internal risk management program.

David Young summarizes his testimony before the the House of Commons Standing Committee on Access to Information, Privacy and Ethics on its study of PIPEDA. Read on for David's submissions on consent, the PIPEDA enforcement framework, and how PIPEDA aligns with the forthcoming European General Data Protection Regulation.

Canadian Securities Administrators recently published the results of their review of cyber security disclosure and guidance on appropriate disclosure.