
Osler Insights: A Blog on Technology, Innovation and Outsourcing

ISO/IEC 27018 – New Code of Practice Promotes Privacy Protection in the Cloud

Posted in Cloud Computing, Privacy

The Privacy Commissioner of Canada has made it clear that, while privacy is not a barrier to businesses using cloud computing, it must be taken into consideration.  Related guidance has been issued in which businesses are reminded that the Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules “with respect to obtaining consent for the collection, use and disclosure of personal information, securing the data, and ensuring accountability for the information and transparency in terms of practices.”

Organizations are expected to assess the benefits, risks, and implications for privacy when considering a cloud computing service.  What this means in practice, however, often creates operational challenges – particularly for those businesses who do not have the internal expertise or resources to undertake this analysis.  For context, guidance for small and medium-sized enterprises prepared jointly by the federal Commissioner and the information and privacy commissioners in Alberta and British Columbia includes a “non-exhaustive” list of more than forty questions that need to be considered.

To facilitate contracting for cloud services, the International Standards Organization (ISO) has issued a code of practice for protection of personally identifiable information in public clouds (ISO/IEC 27018).  The new code will help businesses evaluate the privacy practices of those cloud service providers who achieve certification.

ISO/IEC 27018 augments the security and operational controls found in ISO/IEC 27002.  It establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information in a public cloud in accordance with many of the key privacy standards reflected in privacy laws around the world.

Key privacy safeguards reflected in ISO/IEC 27018 (some of which are to be addressed in the services agreement between the cloud provider and the customer) include the following:

OECD Releases Discussion Draft on Tax Challenges of the Digital Economy

Posted in e-Commerce, Tax

In July 2013, the Organisation for Economic Co-operation and Development (OECD) released its Action Plan on Base Erosion and Profit Shifting (the BEPS Action Plan). The BEPS Action Plan identified the spread of the digital economy as a source of multiple challenges for international taxation (Action 1). (For further details, see our Update on the BEPS Action Plan, “OECD/G20 International Tax Reform: Potential Impact on Canadian Companies,” July 19, 2013; our Update on Action 6, “OECD Proposes Revisions to Tax Treaties to Prevent ‘Treaty Abuse,’” March 17, 2014; and our Update on Action 2, “OECD Releases Discussion Drafts on Hybrid Mismatch Arrangements,” March 20, 2014.)

On March 24, 2014, the OECD released a discussion draft identifying the major tax challenges raised by the rapidly developing digital economy and summarizing several possible options to address these challenges. Comments on the discussion draft are being accepted by the OECD until April 14, 2014. A final report is expected in September 2014.

Background

The OECD recognized in the BEPS Action Plan that rapid developments in information and communication technology (ICT) are creating new ways of doing business, leading governments to consider whether new rules of taxation may be required or whether the old rules need to be modernized to better address evolving business models. The BEPS Action Plan noted that the digital economy is characterized by a high degree of reliance on intangible assets, the use of personal and other data, the development of new business models to create value from “free” information and content, and the difficulty of determining the jurisdictions in which value is created.

The OECD notes that these characteristics threaten conventional thinking on how digital businesses add value and make profits, how digitally derived income should be characterized for tax purposes, and how the concepts of source and residence taxation should be understood in the context of virtual businesses. Action 1 of the BEPS Action Plan is aimed at addressing some of these challenges by examining how and where the value created from the sale and use of digital products and services should be taxed and how new rules should be enforced to ensure such taxes are collected.

The OECD established a Task Force on the Digital Economy in September 2013 and charged it with identifying issues raised by the digital economy and possible actions to address them. The discussion draft released on March 24, 2014 reflects the work of the Task Force as well as input from stakeholders.

The Information and Communication Economy

The discussion draft contains an overview of the way ICT has evolved and also identifies emerging and future developments in the digital sector. Technological advances and falling prices for hardware and many digital services, combined with pressure for constant innovation, have contributed to the growth of the digital economy. Emerging developments in mobile computing, cloud-based processes, virtual currencies, 3D printing and decentralized data collection through the “Internet of Things” are also indications that digital commodities and sources of value will continue to expand.

New business models identified by the discussion draft include the explosion of e-commerce and digital advertising, the development of app stores for digital distribution of software and content and the expansion of cloud-based services. Diverse business models in the digital economy have created a number of revenue models, such as subscriptions for digital delivery of news, music and video-streaming; sales of user data and customized market research; and sales of digitally delivered services such as e-trading, payment processing and content hosting. These new business models and sources of revenue challenge conventional tax models and policy.

Tax Challenges in the Digital Economy

Key features of the digital economy identified by the discussion draft include volatility as a result of rapidly evolving technology, reliance on “big data” and the increasing mobility of suppliers, business functions and consumers. The discussion draft notes some of the key characteristics of the digital economy that may exacerbate the risks of base erosion and profit-shifting in both direct and indirect taxation:

  • Taxation in the “market” country (where customers are located) may be minimized by avoiding a taxable presence or by shifting profits through structures that, for example, maximize deductions in higher-tax jurisdictions;
  • Withholding tax at source may be minimized or reduced; and
  • Using exempt businesses (i.e., in jurisdictions that do not require the recipient of a service acquired from abroad to self-assess value-added tax [VAT] on the service) to purchase and then re-sell digital supplies to minimize VAT.

Additional challenges for international tax measures arise from the importance of intangibles and mobility to the digital economy. Intangibles themselves are increasingly mobile, making direct taxation difficult, while the mobility of users and customers creates substantial challenges and risks for VAT. These circumstances expand opportunities for base erosion, which the BEPS Action Plan is expected to address.

In general terms, the discussion draft identifies four main categories of tax policy challenges raised by the digital economy:

  1. Nexus: Are the current rules appropriate, given the reduced need for an enterprise to have a physical presence in order to carry on business?
  2. Data: How should value created from creating, collecting or manipulating data be characterized and attributed for tax purposes?
  3. Characterization: How should payments for new services such as cloud computing or software-as-a-service be taxed? Do these payments represent sales income or royalties or something else?
  4. VAT: How should VAT be reported and collected when goods and services are acquired from suppliers in distant jurisdictions, particularly when the value of each transaction (such as a download of a music track) is minimal or the supplier is a small enterprise?

In addition to these policy challenges, administrative issues may also arise from the borderless nature of the digital economy. Tax administrations may have difficulty identifying the suppliers who are providing digital goods and services in their own jurisdictions as well as the extent and nature of the activities conducted by offshore sellers. Requiring customers or payment intermediaries to provide this information to tax authorities may also engage privacy and financial regulation laws. Similarly, the tax administration in the supplier’s jurisdiction may have difficulty identifying the residence of customers in different jurisdictions, which may differ from the place in which consumption occurs.

Potential Options

The final report in September 2014 is expected to analyze a number of possible options to address some of the tax challenges of the digital economy, including the five options set out in the discussion draft (discussed below) and those proposed by stakeholders in response to the discussion draft.

Potential options will be evaluated with reference to the fundamental principles of electronic commerce taxation first formulated by the OECD in 1998. The discussion draft emphasizes that equity between the taxation of electronic and conventional forms of commerce is an important governing principle, as is the need to minimize the administrative burden on taxpayers and tax administrations. Flexibility will also be needed to ensure that new tax systems are able to keep pace with ever-advancing new technologies.

The Task Force seeks input from the public on the following five preliminary options to address the tax challenges outlined above:

  1. Modify the exemptions from permanent establishment (PE) status: Paragraph 4 of Article 5 of the OECD Model Tax Convention currently provides a series of exemptions that may cause an enterprise’s facilities or a fixed place of business in a jurisdiction not to be a PE under certain circumstances. The exemptions listed cover preparatory or auxiliary activities, such as maintaining a fixed place of business solely for the purpose of collecting information for the enterprise. The discussion draft proposes to eliminate the listed exemptions or make them subject to the overall condition that the character of the activity conducted be preparatory or auxiliary in nature rather than one of the enterprise’s core business activities.
  2. Establish a new nexus rule for digital business: An enterprise engaged in “fully dematerialized digital activities” could be considered to have a PE in another jurisdiction if it maintains a significant digital presence there. Factors indicating a significant digital presence would include sales of digital goods and services that are widely used or consumed in that jurisdiction or the presence of a branch offering marketing, consulting or other secondary services. The discussion draft recognizes that a new nexus rule would also require parallel consideration of the manner in which profits may appropriately be attributed to such PEs and whether profit attribution provisions in existing treaties should be modified.
  3. Create a new rule for “virtual PEs”: A virtual PE might be established where an enterprise maintains a website on the server of another business located in that jurisdiction and carries on business through that website. Alternatively, the existing dependent agent PE concept could be extended to apply when contracts are habitually completed through technological means in another jurisdiction, rather than through a person.
  4. Create a withholding tax on digital transactions: Payments made by a resident of one country for digital goods or services provided by a foreign e-commerce provider could be subject to withholding tax. This measure might be enforced by requiring the purchaser’s financial institution to withhold tax on credit card payments or electronic transfers.
  5. Require non-resident vendors to collect VAT: Technological advancements could also assist tax administrations to simplify the registration and compliance mechanisms for VAT collection, making it more feasible to require a non-resident supplier of low-value goods or other cross-border transaction to charge, collect and remit VAT. Enforcing compliance from non-resident suppliers will be challenging for tax administrations, but may be improved through expanded mutual assistance and exchange of information agreements between taxing jurisdictions.

Conclusion

The discussion draft provides an overview of the way BEPS strategies will relate to the digital economy and summarizes the potential options initially discussed by the Task Force to address some of the broader tax challenges raised by the digital economy. It also provides an overview of the many concerns raised by member states and tax authorities with respect to capturing cross-border e-commerce and cloud-based service transactions that presently go untaxed.

Although its work is at a preliminary stage, the Task Force is proceeding quickly toward its final report in September 2014 and it appears that it intends its recommendations to be sufficiently flexible and adaptable to the ever-evolving flow of new digital goods and services between businesses and users in different jurisdictions. While flexibility is desirable, however, care will need to be taken to ensure that new measures or treaty revisions do not widen the tax net excessively or create disincentives for innovation or uncertainty with respect to reporting and collection mechanisms. Given the ubiquity of electronic commerce, the OECD’s ultimate proposals will have a serious impact on enterprises across a wide range of sectors. In addition, it will ultimately be up to each country individually to decide whether and to what extent the OECD’s recommendations may be adopted into its domestic law and bilateral tax treaties.


NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1.0

Posted in Online Businesses, OSFI, Privacy, Technology

On February 12th, the U.S. National Institute of Standards and Technology (NIST) unveiled version 1.0 of its voluntary Framework for Improving Critical Infrastructure Cybersecurity (Framework).  The Framework was developed at the direction of President Obama’s Executive Order 13636 and is designed to assist critical infrastructure (e.g., the financial, energy, and health care sectors) in guarding against cyber threats.

Framework 1.0 Update

The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers – combined, the parts provide a foundational structure for managing cybersecurity risk.  The Framework incorporates public feedback on the earlier NIST Preliminary Cybersecurity Framework (Preliminary Framework) published last year.

One significant change to the Framework was the removal of Appendix B, titled “Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program”.  Commentators in industry and academia criticized Appendix B for being “too prescriptive and costly and thus a deterrence to adoption of the Framework”.  Appendix B has now been replaced with Section 3.5 of the Framework, which succinctly describes a general set of considerations and processes.  Section 3.5 recognizes that organizations may approach privacy and civil liberty considerations through a multiplicity of technical solutions rather than those prescribed in the former Appendix B.  Apart from this amendment, the Framework has not materially changed.  A more detailed overview of the Framework can be found in our earlier post on the Preliminary Framework.

NIST Roadmap for Improving Cybersecurity

As a companion to the Framework, NIST published a roadmap (Roadmap) that provides insight into its future plans for the Framework.  The Roadmap reveals that NIST intends to transition the governance of the Framework to a non-governmental organization, but expects to remain the “convener and coordinator” of the Framework until at least version 2.0. The Roadmap also cites areas for improvement such as: the development of better authentication solutions, the alignment of the existing Federal Information Processing Standards with the Framework, and the advancement of technical privacy standards and best practices.

Cyber Community C3 Voluntary Program

In addition to the release of the Framework, NIST announced the launch of the Critical Infrastructure Cyber Community C3 Voluntary Program (C3 Program), a partnership between the Department of Homeland Security and the critical infrastructure community.  The objective of the C3 Program is to encourage and support the use of the Framework. In the coming year, the C3 Program will be focused on discourse with Sector-Specific Agencies that include, among a list of 16 sectors, the financial services, healthcare and public health, information technology, and communications sectors.

Implications

While the Framework is voluntary, NIST is highly influential.  The Framework has the potential to become a de facto cybersecurity standard. With the U.S. Federal Government’s increasing emphasis on cyber risk preparedness, the Framework may well become a requirement for conducting business with U.S. federal agencies.  If so, many private U.S. and multi-national providers will face a strong impetus to adopt the Framework. NIST plans to engage foreign governments and entities to advocate for the broad international adoption of the Framework.  As such, Canadian firms will benefit from familiarizing themselves with the Framework.

At the very least it will likely provide a common set of terms and language for discussing cybersecurity within industry and government. For example, the Framework could serve as a useful complement for financial institutions and suppliers addressing the OSFI Cyber Security Self-Assessment Guidance (OSFI Guidance) released on October 28, 2013.  While the OSFI Guidance is high-level and descriptive, the Framework is significantly more detailed and prescriptive and includes many globally accepted standards and best practices.

Prepared with assistance from Sam Ip

Cinar Corporation v Robinson, 2013 SCC 73

Posted in Copyright, Technology

On December 23, 2013, a unanimous Supreme Court of Canada issued its decision in the copyright infringement action involving the children’s cartoon television show “The Adventures of Robinson Curiosity” (“Curiosity”) and the impugned copy “Robinson Sucroë” (“Sucroë”). The appeal required the Court to assess a key area of copyright law: whether a substantial part of a work had been reproduced.  This was a significant issue since there had been no literal copying and it is a well established principle of copyright law that there is no copyright protection for ideas.  Rather, it is the original expression in a work that is protected.  The decision also addressed the role of expert evidence in infringement actions, the vicarious liability of officers and directors, and the assessment of damages.

The Court’s consideration of whether a substantial part of the work had been reproduced is of considerable interest since the Court made it clear that there could be infringement even if the defendant did not engage in any literal copying.  On the issue of a substantial part, the Court noted it is a “flexible notion” that is a “matter of fact and degree”, concluding that “[a]s a general proposition, a substantial part of a work is a part of the work that represents a substantial portion of the author’s skill and judgment expressed therein”. The Court reiterated that a part is substantial based on its quality rather than its quantity. Perhaps most importantly, the Court acknowledged that the “Act protects authors against both literal and non-literal copying, so long as the copied material forms a substantial part of the infringed work” and cited the House of Lords in Designers Guild Ltd. v. Russell Williams (Textiles) Ltd., [2001] 1 All E.R. 700 (H.L.) at 706, for the proposition that “… the “part” which is regarded as substantial can be a feature or combination of features of the work, abstracted from it rather than forming a discrete part. … [T]he original elements in the plot of a play or novel may be a substantial part, so that copyright may be infringed by a work which does not reproduce a single sentence of the original”.

In applying this methodology, the Court reiterated that a substantiality analysis cannot be conducted by dealing with the copied features piecemeal, but rather the cumulative effect of the features copied from the work must be considered, to determine whether those features amount to a substantial part of the creator’s skill and judgment expressed in his or her work as a whole. The Court also emphasized that “the question of whether there has been substantial copying focuses on whether copied features constitute a substantial part of the plaintiff’s work – not whether they amount to a substantial part of the defendant’s work”. As such, “[t]he alteration of copied features or their integration into a work that is notably different from the plaintiff’s work does not necessarily preclude a claim that a substantial part of a work has been copied”. However, “[i]f the differences are so great that the work, viewed as a whole, is not an imitation but rather a new and original work, then there is no infringement”. Consequently, notwithstanding certain clear distinctions between Curiosity and Sucroë, the Court upheld the trial judge’s qualitative and holistic assessment that Sucroë reproduced a substantial part of Curiosity.

Also of interest in the IT context is the discussion regarding the “abstraction-filtration-comparison” methodology, which is commonly applied in computer program infringement cases in the U.S. and which the Ontario Court of Appeal had commented favourably on in Delrina Corporation v. Triolet Systems Inc. (2002), 17 C.P.R. (4th) 289.  Although the Supreme Court adopted a “qualitative and holistic” approach to assessing substantiality, it did not rule out that the abstraction-filtration-comparison methodology could be applied in a different type of case, such as a computer program infringement case.

Given the Court’s emphatic dissuasion from a literal piecemeal substantiality analysis and its reiteration from the Court below that “[e]verything is therefore a matter of nuance, degree, and context”, it will be interesting to see how the Court’s guidance, which was based on a work over 25 years old, will be applied in today’s modern era full of remixes and mash-ups, and our ever growing access to more information and inspiration.

By John Cotter with assistance from Martin Brandsma



Can you carry out Bitcoins activities in Canada without legal risks?

Posted in e-Commerce, Technology

Bitcoins are a digital currency and have become widespread on the Internet and some companies have begun to accept these items as payment for real goods and services.  At the time of writing, Bitcoins are not explicitly and specifically governed by any laws or litigation and to our knowledge, no Canadian regulator has publicly taken a position as to whether or not Bitcoins should be regulated and if so, how.

However, while there is no certainty at this stage, the sale (or exchange) of Bitcoins may fall under the scope of “Money Services Businesses” because they may be considered:

  • money; or
  • currency

If so, Bitcoins may trigger the application of the laws regulating money services businesses, including anti-money-laundering laws and rules governing foreign exchange.  Regulators in charge of implementing those laws, especially securities regulators and the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), have significant powers that allow them to interpret those laws broadly so as to include Bitcoins in their fields of application.

In Québec, money-services businesses are subject to several obligations such as:

  • holding a license;
  • paying annual fees;
  • being of good moral character;
  • verifying the identity of its customers;
  • maintaining records and registers; and
  • filing of prescribed reports, documents and statements

Under federal legislation, money services businesses must register with FINTRAC.  In addition, they have several obligations, such as taking specific measures to ascertain the identity of the individuals and entities with which they are dealing, as well as reporting and record-keeping requirements.  In addition, if the money services businesses are subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations, they must report:

  • suspicious transactions;
  • possession or control of property that is owned or controlled by or on behalf of a terrorist or terrorist group;
  • large cash transactions involving amounts of $10,000 or more received in cash; and
  • international electronic funds transfers of $10,000 or more, including the transmission of instructions for a transfer of funds made at the request of a client through any electronic, magnetic or optical device, telephone instrument or computer

In addition, although not obvious, Bitcoins could be considered a “security” or a “derivative” under applicable securities legislation.  As a consequence of that interpretation, in order to move forward with the Bitcoins activities, you would have to comply with all obligations of securities issuers or distributors, which may entail dealer registration, prospectus delivery and other requirements, unless exceptions are available.

Finally, if you perform Bitcoins activities, you may also have to comply with consumer protection legislation in each of the provinces in which your clients are located.  For instance, the Consumer Protection Act (Québec) (CPA) governs all contracts entered into with consumers via the Internet (i.e., without being in the consumer’s presence).  The CPA provides that a merchant must disclose specific information in a certain format before entering into such a contract.

Given the high degree of uncertainty in Canada with respect to carrying out Bitcoins activities and given the resulting high degree of legal risks associated with Bitcoins, in our view the most appropriate way to mitigate these risks is to consult with the relevant regulators in order to obtain prior approval or guidelines before carrying out Bitcoins activities.

Canada’s Anti-Spam Law: Final Regulations Mark Countdown to Coming into Force

Posted in Anti-Spam, CASL

The guessing game is over.  Three years after it was enacted, we now know that Canada’s anti-spam law (CASL) will come into force in stages over the next four years, beginning on July 1, 2014.

The Department of Industry announced the following key dates when it published long-awaited Governor in Council regulations on December 4, 2013:

  • July 1, 2014 – Most of CASL and the final Regulations come into force
  • January 15, 2015 – Provisions of CASL related to the installation of computer programs come into force
  • July 1, 2017 – Provisions of CASL related to a Private Right of Action will come into force

Those who have been following the progress of the legislation will be relieved to learn that Industry Canada has made a number of important changes that address some of the concerns raised by industry since the draft regulations published last January.  Examples include expanding the exemption for business-to-business communications and adding new exemptions for certain categories of messaging platforms.

However, most industry participants will likely view the changes as not going far enough to overcome what some commentators have described as “red tape” impediments on doing business.

CASL regulates more activities and is more prescriptive about what businesses need to do, compared to spam or spyware laws in other jurisdictions.  Critics have pointed out that it will impose significant costs on small and large businesses, harm innovation and productivity and place Canadian businesses at a competitive disadvantage.

More pressing for businesses, however, is to get compliance planning into high gear.  With less than seven months until most of the law comes into force, virtually all businesses will need to make changes to their operational practices.  For a practical summary of where to begin, refer to our Top 10 Compliance Planning Activities.

Further commentary on the regulations and updated summaries of what CASL means for businesses will be added to our CASL Compliance webpage over the coming days.

2014 AODA Requirements for Websites in Ontario

Posted in e-Commerce, Employment, Technology

Effective January 1, 2014, private sector organizations with 50 or more employees in Ontario may be required to comply with certain website requirements if they launch a new public website or undertake a significant refresh of their existing website.

For Osler’s recent Update on upcoming 2014 AODA requirements, please see Preparing for the 2014 AODA Requirements – Does Your Organization Have a Compliance Strategy?

OSFI Releases Cyber Security Self-Assessment Guidance

Posted in OSFI, Technology

By Simon Hodgett and Sony Gokhale

On October 28, OSFI released its Cyber Security Self-Assessment Guidance (the “Guidance”) to aid Federally Regulated Financial Institutions (“FRFIs”) in assessing their level of preparedness against cyber risks. The Guidance was drafted in response to OSFI’s Plans and Priorities for 2013-2016, a plan that emphasizes vigilance against the increasing frequency and sophistication of cyber threats.

Cyber Security Self-Assessment Template

The Guidance directs FRFIs to conduct self-assessments against a number of criteria in the following six categories:

  1. Organizational Resources, e.g., whether the FRFI has assigned specific roles and responsibility for the management of cyber security.
  2. Cyber Risk and Control Assessment, e.g., whether the FRFI assesses and takes steps to mitigate potential cyber risk arising from its outsourcing arrangements deemed material under OSFI’s Guideline B-10.
  3. Situational Awareness, e.g., whether the FRFI maintains a current enterprise-wide knowledge base of its users, devices, applications, and their relationships.
  4. Threat and Vulnerability Risk Assessment, e.g., whether the FRFI has implemented tools to prevent unauthorized data from leaving the enterprise.
  5. Cyber Security Incident Management, e.g., whether the FRFI’s change management process has been designed to allow for rapid response and mitigation of material cyber security incidents.
  6. Cyber Security Governance, e.g., whether a Senior Management committee has been established that is dedicated to the issue of cyber risk.

Interestingly, unlike the recently released U.S. NIST Preliminary Cybersecurity Framework, the Guidance is broad and does not reference external standards (e.g. ISO Standards). As a consequence, there is a large degree of subjectivity involved in the self-assessment. While OSFI has stated that they do not have current plans to establish a more specific guidance, OSFI also confirmed that they may request FRFIs to complete this template during future supervisory assessments.

Prepared with Assistance from Sam Ip

The NIST Preliminary Cybersecurity Framework

Posted in Technology

In late October, the U.S. National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework.  Although a U.S. standards-setting body, NIST is influential and is looked to as a trendsetter in security, cloud computing and other IT standards.

This Framework is voluntary and provides guidance on managing cybersecurity risk for operators of critical infrastructure (e.g., power generation, transportation and telecommunications). President Obama directed that the Framework be developed to encourage these operators to manage cybersecurity risks with as much rigour as they manage financial, safety and operational risks.  This is a recurrent theme in recent thinking about cybersecurity.

Overview of the Preliminary Cybersecurity Framework

The Framework leverages many existing industry standards and is designed to complement, rather than replace, an organization’s existing practices.  It is a risk-based approach that comprises three essential components:

1) The Framework Core consists of five functions (identify, protect, detect, respond and recover), which are then subdivided into categories and subcategories. Each subcategory refers to industry standards, guidelines and best practices that organizations can adhere to.

2) The Framework Profile is a tool used to help organizations reduce cybersecurity risk. An organization is expected to create a “Current Profile” of its cybersecurity risk, which is compared against its desired “Target Profile”. The gaps between the two profiles indicate areas for improvement.

3) The Framework Implementation Tiers describe the sophistication of an organization’s risk-management practices. The classification regime ranges from Tier 1 (Partial) to Tier 4 (Adaptive) – the higher the tier number, the more mature an organization’s cybersecurity risk-management practices are.

The Framework in Practice

Applying the essential components mentioned above, the Framework recommends the following steps for creating or improving a cybersecurity program:

Step 1: Identify the organization’s objectives, assets, regulatory requirements and overall risk approach.

Step 2: Create a Current Profile of the organization’s cybersecurity risk using the Framework Core.

Step 3: Conduct a risk assessment of the organization’s cybersecurity risks.

Step 4: Create a Target Profile of the organization’s cybersecurity risk.

Step 5: Determine, analyze and prioritize the gaps that exist between the Current Profile and the Target Profile.

Step 6: Implement an action plan to minimize or eliminate the gaps between the Current Profile and the desired Target Profile.

What’s Next?

On October 29, NIST commenced a 45-day public comment period on its Framework. After the collection and analysis of public feedback, NIST plans to release the official Framework in February 2014. The Framework is part of, and should be considered in the context of, a heightened and broad response to cybersecurity by businesses, industry and regulatory bodies. This topic should be on every enterprise’s radar.

Prepared with assistance from Sam Ip

Manitoba’s Private Sector Privacy Law – Similar to Alberta’s Law, but Important Differences Exist

Posted in Uncategorized

On September 13, 2013, Manitoba joined Quebec, British Columbia and Alberta by enacting provincial private sector privacy legislation.

Once it comes into force, Manitoba’s Personal Information Protection and Identity Theft Prevention Act (PIPITPA) will govern the collection, use and disclosure of personal information, including that of employees, by organizations in the private sector.

The Manitoba legislation has been modelled closely after the Personal Information Protection Act (“PIPA”) in Alberta; however, meaningful differences exist. The most significant differences are summarized below.

  • Breach notification – PIPITPA includes a broad breach notification obligation that requires an organization to notify an individual if personal information about the individual in its custody or under its control is stolen, lost or accessed in an unauthorized manner, unless it is not reasonably possible for the personal information to be used unlawfully. Unlike in Alberta, there is no “real risk of significant harm” test or a requirement to notify the privacy commissioner (who then makes a decision on whether notice to individuals needs to be given).
  • Private right of action for privacy breaches – PIPITPA creates a broad private right of action that will enable an individual to claim damages arising from an organization’s failure to protect personal information in its custody or under its control or provide a required notice of a data breach.  Unlike under PIPA, the private right of action is not conditional upon a finding by a privacy commissioner (or ombudsman) that the organization failed to comply with the legislation.  This, together with the broad and ambiguous legal language that can trigger a claim, is likely to encourage the commencement of privacy breach class actions in Manitoba.
  • No complaint process – There remains uncertainty as to how PIPITPA will be enforced as there is no formal complaint or review process, nor does PIPITPA provide for the regulation making authority to implement one.  The legislation does, however, include offences for (among other things) wilfully collecting, using or disclosing personal information in contravention of the legislation.  As in PIPA, the offences are subject to fines of up to $100,000.
  • Security requirements – PIPITPA authorizes the Lieutenant Governor in Council to prescribe security arrangements that organizations will need to follow in respect of personal information in their possession or under their control. As PIPITPA does not contain the specific requirements regarding destruction of personal information that PIPA does, it is possible that such requirements could form part of prescribed security arrangements.
  • Information about former employees – PIPITPA does not include an exception to consent, similar to the one found in PIPA, for the collection, use or disclosure of personal information about former employees.
  • Transfers to service providers outside Canada – PIPITPA does not include the prescriptive rules found in PIPA regarding an organization’s use of a service provider outside Canada to collect or process personal information on its behalf.  However, there remains the possibility that such rules could be prescribed as part of a security arrangement.
  • Name of person responsible for privacy – Whereas both PIPA and PIPITPA require that an organization notify individuals, prior to the collection of personal information, of the person designated to answer questions regarding collection on behalf of the organization, PIPITPA requires that the name of such person (as opposed to the name or title of such person under PIPA) be provided. Therefore, organizations subject to PIPITPA will need to update their privacy policies and notices every time their designated privacy officer changes.

How It Affects Your Business

Organizations that already have processes in place to comply with Canada’s existing privacy laws will largely find that PIPITPA does not create new compliance obligations for them. Notable exceptions are the data breach notification requirements, the increased likelihood of related class actions, the potential for regulations to be used to prescribe minimum security requirements and the requirement to disclose the name of the organization’s privacy officer.