Skip to content

The Evolution of Data Breach Response Laws, Methods, & Tech in Canada

Canopy Team August 31, 2022
Canopy logo with

Canopy recently hosted a LinkedIn Live webinar featuring three experts on the Canadian data breach response market: Mikel Pearce, Director of Business Development, Canada & UK at CyberClan; Anne Glover, Partner, Litigation & Dispute Resolution at Blake, Cassels & Graydon; and Ronak Shah, Privacy Counsel at Blake, Cassels & Graydon.

Alongside moderator Adi Elliott, COO at Canopy, the panelists shared how they’ve seen the industry evolve in Canada, how their approach has changed, and their predictions for the near future. Scroll down for a quick recap:

Strengthening the Patchwork of Regulations

We’re seeing a strong emphasis across Canada on privacy law reform, including record-keeping and breach notification regulations. Lawmakers at both the federal and provincial levels are keen to maintain Canada’s adequacy decision with the European Union and are therefore aligning laws with the General Data Protection Regulation (GDPR).

Right now Canada has a patchwork of federal and provincial privacy laws, and it’s important for organizations to familiarize themselves and understand their obligations ahead of a potential breach: 

  • At the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires breached organizations to notify the Office of the Privacy Commissioner as well as individuals as soon as feasible.
  • Alberta was the first Canadian province to institute its own breach notification requirements.
  • Beginning September 22, 2022, Quebec will have its own, more stringent breach notification requirements. This law will expand PIPEDA’s and Alberta’s “risk of significant harm” threshold to “risk of serious injury,” which is more GDPR-aligned and holds organizations to a higher standard.
  • There are also separate federal laws for sectors such as healthcare, financial institutions, and — most recently — critical industries, requiring notifications within as few as three days and making the regulatory landscape even more nuanced.

PS: How do you pronounce PIPEDA, anyway? Our pros say don’t worry about it — it looks like it will soon be replaced by the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.

 

Privacy in Canada: The Shift from US to EU

Although Canada’s regulatory landscape has mirrored the US until recently, Canadian citizens typically value privacy more highly than US citizens, which causes corporations to generally be more proactive about notifying regulatory authorities and affected individuals when there’s a breach. And they’re more proactive about privacy compliance in general. For instance, when Canada’s anti-spam legislation was proposed, before it was passed, many companies immediately took action.

Like Canada, EU citizens also view privacy as a basic human right, whereas in the US it is seen more as a marketing message. Given this value on privacy, Canada’s deliberate shift toward stricter GDPR-style regulations is partly cultural, but it’s also driven by Canada’s need to have data transfers with the EU. As a small country, it has to align with the higher standards to ensure broader opportunities.

Further, with the passage of proposed legislation, potential failure-to-report fines in Canada will jump from $100,000 to $10 million — right in line with GDPR. Canadian regulators have been waiting to have more enforcement powers and are eager to use them, so this will also drive more proactive action from companies.

 

How Incident Response Has Evolved

When an incident happens, the first things that clients want to know are “was data exfiltrated?” and “what data was stolen?” To answer these questions, IR teams immediately look for proof of life — how much data does the attacker have, where did it come from, and who is it about? 

Canopy’s software provides these answers faster than any other tool, allowing IR teams to quickly coordinate with three other key players:

  • Legal counsel gets the insights necessary to determine notification requirements.
  • Cyber insurers get an accurate project scope so that they can estimate reserves upfront.
  • Document reviewers get a targeted review plan thanks to better data mining, saving both time and money in the PII review process.

 

Data Breach Response Review ≠ Ediscovery Review

A few years ago when data breach response cases started popping up, they were brought to ediscovery because that was the only comparable field and people didn’t have other options. As breaches became larger, containing more people and more varied personal information, the cobbled-together ediscovery method went from challenging to impossible.

When it comes to review, one of the biggest differences between data breach response and ediscovery is in the handling of Excel files. Ediscovery reviewers tend to leave spreadsheets for the end because they’re difficult to tackle and require a different workflow. But when this happens in data breach review, it can result in uncovering tens of thousands of affected people and drastically changing the notification requirements in the final hour, after the scope has been estimated and budgets have been allotted.

Another big difference in review approach relates to the percentage of documents that are looked at by humans. Ediscovery aims to review the majority (if not all) of the documents, and they have the time to do so. On the other hand, given data breach response’s strict notification deadlines, review managers should employ defensible data mining techniques to identify which documents contain sensitive data and hone their review population accordingly. 

Using ediscovery tools for PII review can cost breached companies — and their cyber insurers — tens of thousands per incident.

Download our white paper: The Inflated Cost of Data Breach Response (And How We Got Here) to learn more.

Breach Notification: The Actual Timeline

Data breach response projects feel a lot like an injunction for the first week. Unlike in ediscovery where everyone is familiar with the process, breached clients have likely not gone through this before, so they are stressed out and want answers right away.

Clients are usually reporting to an executive board along the way that wants to immediately understand the company’s risk, which requires an understanding of notification requirements. This means that in reality, IR teams and legal counsel are expected to provide answers much more quickly than the timelines mandated by breach notification regulations.

It’s all very time-sensitive, both the client expectations and the regulations themselves, so anything that IR teams and legal counsel can do from a technology standpoint to speed things up should be embraced. Canopy’s purpose-built software makes it a lot easier to meet these strict timelines than the now-old, cobbled-together solutions.

 

What’s Next for Data Breach Response in Canada

Anne: I think we’re going to see increasingly more reliance on tech & AI for PII review, and less on humans. Of course there will always be human involvement, but the breaches are getting bigger and we simply can’t afford it without automation. Lesson learned: trust the machines.

Ronak: More reform & more Canada jurisdictions that require breach notification are coming, so the matrix of understanding risk will get more complicated. Business continuity will be challenged, and we’ll have to have some difficult conversations about solicitor/client privilege.

Mikel: The digitization of commerce will continue to accelerate, which will bring more threat actors. I also agree with Ronak that there will be some key decisions made regarding what’s privileged when it comes to data privacy and breach response.


Want more tips, stories, and insights? Watch the full LinkedIn Live webinar (originally aired on August 30, 2022).