Privacy compliance and cyber risks are hot issues for the C-suite and board of directors, and for good reason. Under Canadian law, corporate directors are responsible for their corporation’s business, including risk identification and management activities, and are required to demonstrate a duty of care. And regulators aren’t the only ones watching. Cybersecurity was the second-highest environmental, social and governance (ESG) concern cited by institutional investors and consultants in a 2021 RBC report, and proxy advisors routinely rate companies on their cyber and privacy practices under the governance category of ESG scoring.
If you are a senior leader, what are the new data privacy risks that should be on your radar? And how should you exercise your duty of care when it comes to these risks so you keep both regulators and investors happy? This article shares four privacy risks every director and officer should be aware of, then offers an 11-point checklist with key recommendations for data governance and privacy, with a special focus on Canada.
Privacy risks for Canadian organizations
Evolving legislation. In the U.S., the Securities and Exchange Commission recently proposed new rules for publicly traded companies that would significantly increase the reporting requirements following cybersecurity breaches and the duty of directors and officers to mitigate such risks. In both Canada and the U.S., data protection laws are becoming more stringent as both jurisdictions slowly catch up to Europe’s GDPR, which was adopted in 2018 and is considered the global gold standard when it comes to protecting privacy. In Canada, Québec was the first jurisdiction to adopt a data protection law approximately 30 years ago and the first jurisdiction to update its law to align with the new EU privacy framework earlier this year, with other Canadian jurisdictions recently following the lead.
A new type of privacy class action. More than 150 privacy class actions have been filed in Canada in recent years, mostly in Ontario, Québec and B.C. Approximately 70 per cent are filed following a data security breach. The rest are for “privacy intrusive practices,” which are invasions of privacy resulting from:
- A lack of transparency with consumers when collecting or processing their personal information.
- Failing to obtain proper consent.
- Unacceptable practices involving the collection of personal information, including over-collection.
- The use of new technologies involving surveillance or monitoring.
Most privacy class actions alleging intrusive business practices initially targeted tech giants and companies that monetize personal information. Recently, a broad range of companies operating in the retail, telecom, real estate and financial services industries have also been targeted by such lawsuits.
Penalties. New privacy requirements are introducing administrative monetary penalties for non-compliance. Québec was the first in Canada to do this, introducing a new private right of action and administrative monetary regime with potential penalties of up to $10 million or 2 per cent of revenue for non-compliance with the law and penal offenses for certain infractions of up to $25 million or 4 per cent of revenue. In 2022, the Minister of Innovation, Science and Industry introduced Bill C-27, An Act to enact the Consumer Privacy Protection Act and the Artificial Intelligence and Data Act. Both create significant compliance risks for businesses, including penalties of up to $10 million or 3 per cent of revenue. The most egregious violations receive a fine of up to $25 million or 5 per cent of revenue.
Shareholders’ lawsuits. In the U.S., we’re seeing more shareholder derivative lawsuits being filed against corporate boards following data breaches. Some of these lawsuits have been dismissed, with Marriott and Capital One being examples. Plaintiffs’ lawyers are increasingly filing these claims based on allegations of breach of the duty of oversight. For example, a shareholder derivative suit filed against the board of T-Mobile USA in November 2021 refers to the board’s alleged “failure to monitor” and “heed red flags.” In 2022, a plaintiff shareholder filed a securities suit against Okta related to the decline in the company’s share price following a data breach, finding fault with Okta’s actions before and after the breach. While we have not yet seen this trend in Canada, shareholder lawsuits are an emerging risk to watch.
Checklist for data governance and privacy: 11 key recommendations
C-suite and the board need to assume an active role with direct oversight of the privacy and cyber risks affecting their corporation. The following is a checklist of key recommendations to guide actions in a rapidly changing regulatory landscape.
1. Purpose: We understand why we collect and retain personal information.
Under Canadian data protection laws, it is illegal to collect, share or retain personal information not related to business operations. For instance, following the Desjardins 2019 data breach, the Privacy Commissioner of Canada raised its concern that the company had retained old data that was no longer needed.
Canadian data protection laws are consent based. There is a legal distinction between requesting consent from individuals for personal information that is necessary for business operations versus optional uses. Consent for collecting and using personal information for nice-to-have purposes, such as marketing, surveys and, in some cases, analytics, must be optional. Senior leaders must understand why the organization collects personal information so they can ensure the privacy notices provided to customers, investors, applicants, employees, website visitors and others comply with transparency and consent obligations.
2. Strategy: We understand the organization’s data privacy strategy and are part of regular conversations about its effectiveness.
Personal information has tremendous value. It can improve customer attraction, customer experience, brand positioning, trust, loyalty, and relationships with stakeholders — all of which offer a competitive advantage. Business analytics and the use of AI to gain insights from this information accelerate innovation. The board must understand the business strategy that underlies the use of personal information so it can have frequent and informed conversations about whether this strategy is effective as the business evolves.
3. Visibility: We know the type of personal information we have and where it is located.
To manage and mitigate compliance risks, the board should ensure that management is aware of these aspects of the personal information it holds:
- type
- sources
- format
- how it is used
- structure and classification according to sensitivity
- whether it is subject to access, deletion, disclosure or other individual rights and requests
- location
Organizations often conduct a data mapping exercise, in which they query all relevant business units to better understand the life cycle of personal information from the time it is collected until it is destroyed. This way, a business can better assess its risks and determine the appropriate security measures to comply with relevant legal requirements in the jurisdictions in which it does business.
4…