Cybersecurity breaches are on the rise in Canada. They threaten the private information of businesses and consumers alike. They entail significant business, financial, and reputational consequences. They are occurring at a speed that outpaces cybersecurity measures and privacy legislation. Canadian courts are beginning to address privacy through tort law, but the area is relatively new and still in development.
Fogler Rubinoff LLP litigators Ron Davis, Alexander Evangelista and Tea Obradovic address the legal context and potential civil remedies regarding cybersecurity breaches extensively in their article “The Litigation Consequences of Cybersecurity” that has been published in volume 53 of The Advocates’ Quarterly. The lengthy article is divided into two parts: Part 1 – Current Statutory Canadian Framework for Data Security and Privacy, and Part 2 – Current Common Law Remedies and Liability Avoidance Strategies.
This bulletin will highlight key aspects of the article and suggest some best practices for preventing, detecting and responding to cybersecurity risks.
“Hey Google, what is Cybersecurity?”
Innovation, Science and Economic Development Canada defines “cybersecurity” as:
the protection of data, information, computers, devices, and networks from cyber threats and attacks. […] A cyber threat is an activity intended to compromise the security of your cyber threat environment by changing the availability, integrity, or confidentiality of your systems or the information they contain. […] A cyber threat environment is the online space where malicious cyber threat activity can occur.
The Office of the Privacy Commissioner of Canada received 782 breach reports affecting at least 9 million Canadian accounts for the year ending March 31, 2021. These breaches were mainly in the financial, telecommunications, retail, insurance, and services sectors.
Current Data Protection and Privacy Law Framework
Cybersecurity laws in Canada are in a nascent state. Many of the issues that arise are dealt with through the privacy law frameworks that the provincial and federal governments have established.
At the federal level, PIPEDA, and CASL provide privacy protections relating to the collection, use, and disclosure of personal information by organizations and commercial electronic messages in the private sector. Other sector-specific legislation — such as the Bank Act, the Insurance Companies Act, and the Trust and Loan Companies Act — subject federally regulated institutions to personal information cybersecurity requirements.
The collection, use, and disclosure of personal information by federal institutions are governed by the Privacy Act. Private sector authorities such as the Office of the Superintendent of Financial Institutions also provide guidance on cybersecurity risks for organizations under their mandate. In the telecommunications and securities sectors, the CRTC, IIROC, and MFDA have addressed cybersecurity concerns through regulations and directives.
Public Safety Canada has directions regarding public bodies’ accountability for privacy and cybersecurity breaches. The Criminal Code also imposes some accountability. While it has no cybercrime provisions, offences such as theft, extortion, mischief, and identity fraud, amongst others, encompass some cybersecurity breaches.
In an effort to modernize federal private sector cybersecurity law, Parliament has introduced Bill C-26. If enacted, the Critical Cyber Systems Protection Act will oblige “vital services” organizations to have cybersecurity programs to identify risks, protect systems and minimize the impact of cybersecurity incidents.
At the provincial level, only Alberta, BC, and Quebec have implemented general private-sector privacy statutes similar to PIPEDA. New, and likely more robust, legislation may be on the horizon for Ontario.
Common Law Remedies
Canadian common law has no stand-alone tort of invasion or breach of privacy.
In Ontario, remedies for breach of privacy rights must fit into an existing common law cause of action. There are four specific privacy torts, all of limited scope and all still in development:
- Intrusion upon seclusion;
- Appropriation of a person’s name or likeness;
- Public disclosure of private facts; and
- Publicity placing person in false light.
Less limited in scope, traditional causes of action may be available in some cases, although they are not specifically adapted to privacy or cybersecurity breaches. Most notably, these include negligence, breach of contract and breach of fiduciary duty.
Where a cybersecurity breach affects a large number of people, class action proceedings invoking one or more of these torts may be appropriate.
Canadian courts have not yet identified the cybersecurity prevention or mitigation factors that would allow defendants to avoid liability or plaintiffs to satisfy their duty to mitigate. However, cybersecurity protocols and practices do exist to prevent and mitigate damage.
Adopting best practices has litigation consequences. Beyond a plaintiff’s general duty to take reasonable steps to mitigate their damages, the implementation of such practices can inoculate parties affected by cybersecurity breaches through damage mitigation and avoidance, and meeting the standard of care.
As a starting point for cybersecurity resilience, organizations and individuals need to assume that (i) prevention practices do not suffice to mitigate cybersecurity risks, and that (ii) their systems and information are compromised.
Best practices fall into three broad categories (1) Prevention (2) Detection and (3) Response.
- Prevention: identify applicable cybersecurity laws and develop a compliant, robust plan for planning and managing the safeguarding of IT systems through assessment protocols, sufficient budgeting and staffing.
- Detection: maintain ongoing control of the cybersecurity measures in place.
- Response: have a clear and thorough incident response plan that identifies a response team, authority, and other protocols to mitigate and resolve the risk. The response plan should also involve issuing notices to affected parties, as required by statute or otherwise, and considering legal avenues for emergency redress, such as injunctions.
When properly implemented, such practicescan help reduce detection and resolution time for breaches. The quicker a breach can be identified and neutralized, the more likely that any harm, and damage, may be avoided or at least mitigated.
Well-designed and executed practices and protocols may also suffice by themselves to meet the requisite standard of care that the various causes of action impose. A defendant with strong cybersecurity measures is more likely to avoid liability than one with lax measures.
As governments modernize cybersecurity and privacy legislative frameworks, we can expect Canadian common law to respond similarly to technology’s rapid advances and the harms it has ushered in, with new remedies that will expand litigation principles and practices far beyond today’s norms.
This publication is intended for general information purposes only and should not be relied upon as legal advice.