In the recent decision of Doe v Her Majesty The Queen, 2015 FC 916 (“Doe”), the Federal Court granted conditional certification of a class action brought on behalf of members of the Marihuana Medical Access Program (“MMAP”). This conditional certification is notable as it, alongside the recent case Evans v. Bank of Nova Scotia (“Evans”), is one of the few class actions certified in Canada relating to breaches of privacy. Particularly of interest is the Plaintiffs’ allegation that the Defendant committed the tort of intrusion upon seclusion and of publicity given to private …
A question that I often get from clients is one about cyber-insurance. In light of the recent passing of Bill S-4, better known as the Digital Privacy Act, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) has now been amended to include mandatory breach notification provisions. While these mandatory breach notification provisions are not yet in force, it is a good time to review your cyber-insurance coverage.
As data breach incidents continue to rise, and legislative regimes provide more and more stringent regulation of data breaches, including the proliferation of mandatory breach notification provisions, the expense associated with data …
McCarthy Tétrault has just launched its twelfth blog, CyberLex, at http://www.canadiancybersecuritylaw.com. This blog discusses trends and developments in cybersecurity, privacy and data protection law in Canada and internationally; offers practical suggestions and insights on how these issues affect companies in a wide variety of industries; and provides guidance on how to address various challenges and opportunities created by technology and legislative developments.
Earlier this month, the U.S. Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”) each released reports addressing cybersecurity. FINRA’s report targeted its broker-dealer members, and the SEC’s report targeted broker-dealers and investment advisers, but the twin reports provide a roadmap to cybersecurity for financial market participants generally, both in the US and Canada.
There can be no doubt that cybersecurity is top-of-mind for those regulating the Canadian financial market. For example, the Canadian Securities Administrators recently published CSA Staff Notice 11-326 – Cyber Security in which it stated “[s]trong and tailored cyber security measures are an …
It is rumoured that Bill 12, which amended the Alberta Health Information Act (“HIA”) and was passed on May 14, 2014, will come into force this year. Bill 12 made 3 significant changes to the HIA:
- adds mandatory breach notification provisions;
- authorizes the Office of the Information and Privacy Commissioner (“OIPC”) to disclose information about a breach in certain situations; and
- creates new offences and penalties.
We will discuss these 3 amendments in turn.
The assessment of a corporation’s cyber risks is part of a board of directors’ general risk oversight responsibilities. Since lawsuits, including class actions, are often commenced soon after a data breach, directors and officers should now consider that the board’s oversight of cyber risks may also be closely and thoroughly scrutinized in future litigation and regulatory investigations.
On October 20, 2014, a New Jersey Court dismissed a shareholder derivative suit that sought damages notably from the directors and officers of Wyndham Worldwide Corp. (“WWC”) for several data breaches. This decision is the first decision issued …
In a few short days it will be Cyber Monday, the kickoff to the financial madness that is the holiday shopping season. For cybercriminals and fraudsters, December represents the mother lode of hackable data.
How big is the risk?
The malevolently-inclined are getting more ambitious (a 2014 study by the Ponemon Institute that evaluated security-breach costs in the retail sector suggests that the average size of a breach is about 30,000 records) and more damaging (average loss is now about $105 per stolen record). The same study estimated that the average cost of a cybercrime for the retailer is about $3.15-million. …