1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

12/7/2020

0 Comments

Canada’s Proposed Privacy Law Aims to Impose Stronger Fine of Up to 5% of Global Revenue or $25 Million

 
canada proposed privacy law fines

Canada’s Proposed Privacy Law Aims to Impose Stronger Fine of Up to 5% of Global Revenue or $25 Million

The federal government of Canada, through the Office of the Minister of Innovation, Science and Industry, has proposed a new privacy law for the private sector that aims to impose a stronger fine on organizations that remiss in protecting the privacy of Canadians.

The new proposed privacy law called the “Consumer Privacy Protection Act (CPPA),” also known as the Digital Charter Implementation Act, 2020, aims to impose administrative fines of up to 3% of global revenue or $10 million, whichever is higher, for non-compliant organizations. This new proposed privacy law also aims to impose fines for certain serious violations of the proposed law of up to 5% of global revenue or $25 million, whichever is higher.

Section 57, paragraph 3 of the Digital Charter Implementation Act, 2020 states that “security safeguards must protect personal information against, among other things, loss, theft and unauthorized access, disclosure, copying, use and modification.”

"The COVID-19 pandemic has accelerated the digital transformation, which is changing how Canadians work, access information, access services, and connect with their loved ones,” said Navdeep Bains, Minister of Innovation, Science, and Industry. “This transformation is making concerns about privacy, and how companies handle Canadians’ data, more important than ever. As Canadians increasingly rely on technology, we need a system where they know how their data is used and where they have control over how it is handled.”

Right to be Forgotten

The new proposed privacy law has its own version of the principle of "Right to be Forgotten." This right, also known as the right to erasure, gives individuals the right to ask organizations to delete their personal data.

The Digital Charter Implementation Act, 2020 gives Canadians the ability to demand that their personal information on platforms, including social media platforms, be permanently deleted in case when consent is withdrawn or when information is no longer necessary.

Canada’s Major Data Breach

In November 2019, LifeLabs, Canada’s largest provider of general diagnostic and specialty laboratory testing services, informed the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) that cybercriminals gained entry into the company’s systems, extracted data and demanded a ransom. LifeLabs informed the IPC and OIPC that the data breach affected systems that contained information of approximately 15 million LifeLabs customers (nearly half of Canada’s total population), including names, physical addresses, email addresses, customer usernames and passwords, health card numbers, and lab tests. The vast majority of these affected customers are from British Columbia and Ontario.

A joint investigation conducted by IPC and OIPC found that LifeLabs failed to protect the personal information of millions of Canadians resulting in a significant data breach in 2019. According to the two offices, LifeLabs failed to take the following reasonable steps:

  • Protect the personal health information in its electronic systems;
  • Adequate information technology security policies in place; and
  • Collected more personal health information than was reasonably necessary.

The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia both ordered LifeLabs to implement a number of cybersecurity measures to address the company’s shortcomings. Despite their findings, however, the two offices didn’t impose financial penalties on LifeLabs as there’s no law that allows them to.

“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm,” said Michael McEvoy, Information and Privacy Commissioner of British Columbia. “This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”

In a separate statement, LifeLabs said that as a result of the cyberattack, it took several measures, including retrieving the data by “making a payment.” The company, however, didn’t mention how much it paid to the attackers.

The company also didn’t mention ransomware. While the LifeLabs cyberattack has the markings of a ransomware attack, it isn’t confirmed whether the attack was a ransomware attack. 

Traditionally, ransomware attacks encrypt victims’ files, locking out victims from these files. Ransomware attackers then demand ransom from victims in exchange for the decryption keys that would unlock the locked files. Majority of today’s ransomware attackers also demand an additional ransom payment in exchange for the non-publication of the stolen data gathered during the ransomware attack.

Personal Health Information Protection Act (PHIPA)

On March 25, 2020, the Ontario government amended the Personal Health Information Protection Act (PHIPA), Ontario’s health privacy law. Once implemented, Ontario will be the first Canadian province to levy monetary penalties against individuals and companies that contravene the province’s health privacy law.

The amendment to PHIPA doubles the maximum fines for an offense to $200,000 for individuals and $1,000,000 for corporations. The amendment also mandates that an individual be imprisoned up to a year for an offense.

“Perhaps most significantly, once regulations are in place, my office [Information and Privacy Commissioner of Ontario] will be given the power to levy monetary penalties against those who contravene our health privacy law, including for breaches, such as those resulting from abandoned records,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “Privacy commissioners across the country have been calling for the power to impose administrative penalties, and Ontario will be the first to enshrine it into legislation.”

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit