As not a day passes without the occurrence of a cyber incident, Mr. Jean-François De Rico did us the honor of speaking once again at the 2020 Forensik Conference. In 2019, the roles and responsibilities of leaders in the area of ??incident management and response were highlighted. For the second edition, De Rico wanted to demystify the term “serious harm” when an organization is the victim of a security breach and it violates personal information. What does this really mean? What are the legal consequences when personal information has been compromised or its confidentiality compromised during an incident? This is what we tried to find out by inviting Me De Rico to the microphone of the INTRASEC podcast, the cybersecurity channel of In Fidem.

During the 1st edition of the conference, you focused on the obligations of organizations during the event of cybersecurity incidents. This year you have gone deeper. The title of your presentation was: “Qualifying Real Risks of Serious Damage due to an Incident”. Once an incident has happened, you have certain obligations, but depending on the severity of this incident, there are also other things that must be considered.

Yes, there is definitely a relationship between the two. In 2019, we were speaking generally. This year, we tried to demystify the terminology that is used in the provisions of the Federal Personal Information Protection and Electronic Documents Act.

The obligation of an organization to report an incident or a breach of the confidentiality of personal information is imposed under the provisions of the law by the observation that this compromise due to an incident generates a real risk of serious harm.

But there are criteria behind this notion. We must therefore use use cases to validate how we are able, in a real case, not to simply say that there is a risk of serious harm all the time; that was the purpose of the conference.

So how do you know if you are facing high risk, low risk, and then what to do next?

There are not any legal precedents. But in the law, there is a list of types of risk that are likely to materialize as a result of a security incident, a breach of confidentiality.

The list includes:

  • the humiliation
  • the damage to reputation
  • he financial losses
  • the identity theft…

Thus we are also in the process of identifying the categories of harm likely to result.

We are also working on assessment criteria such as the degree of sensitivity of the information as well as the implications of what we are aiming for is not only the degree of sensitivity itself. But the correlation is based on the importance of the risk that arises from its compromise.

Therefore, the more sensitive the information, the greater the chance that its manipulation by someone with malicious intent will cause significant harm.

On the other hand, there is the possibility that the information will be mistreated or misused; there are two parts to this.

That’s okay in theory, but how is it applied?

I still want to point out that last year on the same date there were only provisions emanating from the federal system and therefore the law on the protection of personal information and electronic documents, which does not generally apply in Quebec. In fact, it only applies in Quebec to companies under federal jurisdiction.

Today, there is Bill 64, which proposes a series of amendments to the main laws governing the protection of personal information in Quebec. And the legislator is proposing provisions with slightly different terminology.

We are talking about serious prejudice and without necessarily stating a different list, which will refer to the sensitivity of the information and the apprehended consequences of its use.

From a lawyer’s perspective, who analyzes every word, we can see that the federal government incorporates the notion of consequence implicitly in the degree of sensitivity, whereas in Quebec we take the trouble to name it distinctly.

To sum up, before applying it, we must determine what the concept of infringement is. Breach is anything that results in unauthorized access or disclosure or loss of personal information that results from a lack of security. And there is the notion of serious prejudice, which we have just discussed, and the assessment factors.

There are three big variables to consider in order to be sure that you are doing things right.

At the federal level, the commissioner’s office is also committed to assessment factors. So, what are the circumstantial elements that can enlighten the parties in the context of the risk assessment?

They are:

  • the length of time between the time when the incident occurs and the time when it is first observed
  • and are we able to identify the key-actors and determine if there is malicious intent behind them?

After, there is the nature and type. It is a bit redundant because the type of personal information is needed to assess its sensitivity.

Clearly we must consider the possibility that personal information, taken on its own, may not have a significant impact on risk. But it can be crossed with other types of data to arrive at a more global picture.

Lastly, is it information or documents that at the time of the breach were encrypted.

It is the anonymization of information that was initially personal information that can eliminate the nature of personal information.

But if this information is encrypted, theoretically, we can no longer associate it with someone, but on the other hand, we can no longer necessarily access it. So, would it be made invalid or does the law consider that this is not the case because it can be deciphered?

Excellent point, it becomes a factor to consider because if we have an encryption protocol up to date, we will be able to consider that the risk is moderate or low because the encryption is adequate.

We know today that quantum computing resources are not within the reach of the first comer, then normally the encryption of a certain type still holds.

So, to answer your question, we will consider that there is nevertheless an incident that affects personal information. But in most cases, depending on the parameters we are discussing now, depending on the risk of malicious use, the risk is so small that there is no serious harm.

So the real consequence for the organization, if I refer to the notification obligations, is that in one case, it would have related notification obligations as soon as its network was penetrated or because of the configuration of its systems. But she wouldn’t necessarily need to notify the general public because people couldn’t use that data.

Yes that’s it. The nuance you refer to in your point is important because depending on the type of industry in which the organization operates, there may be the presence of a risk of serious harm. Indeed, some organizations have an obligation, whether contractual or regulatory or normative, to notify, for example, the financial market authority if they are subject to it.

But there are other sources of obligations that may come into play.

For example, an organization that does business with technology service providers must be notified of any incident, especially if it entrusts them with personal information. If that third party is the subject of an incident or attack that results in a compromise or breach of confidentiality, you should know. It is therefore decisive in our time to be able to continuously validate that a supplier will maintain a security posture that will be adequate throughout the duration of the contract.

What is the hope of the legislator in Quebec with this Bill 64?

There is a strong pressure to harmonize in general with the overall data protection regulation, and also with federal law.

The federal law introduced this obligation in the fall of 2018. Since 2011, the Comission d’accès à l’information (CAI) has told the Quebec Parliament “you should change the law to introduce such an obligation, it already exists in many US states”. Today 48 US states have such notification provisions, so there is a comparison effect that drives this change. That’s to say, “other people are doing it, so why don’t we?” ”

And then there is a more pragmatic effect. For example, the legal reason is if one sets aside the constitutional debate, the federal law provides for application in all Canadian provinces except those which have adopted a law of general application which deals with the protection of personal information which is similar or equivalent.

However, the European regulation on the protection of personal information now wants to ensure that there is an adequacy between the regime put forward by the general data protection regulation and the applicable law in a jurisdiction where data is transferred.

Therefore, if we want to maintain the capacity of organizations to transfer data from jurisdiction to jurisdiction, we must be able to show this adequacy and we must harmonize our provisions. For example, we think of multinational companies or IT service providers who want to serve a clientele that is not limited to their jurisdiction,

Does this mean that there were no serious measures in place before? Do we legislate because we have no choice because of what is happening in other countries?

The obligation to minimize harm, which is imposed on any person (legal or natural), is considered to be an obligation that applies at all times.

When we contribute to the damage, through our fault or through the fault of a third party, we have an obligation to ensure that the loss, damage, prejudice resulting therefrom is minimized, if we has a way to do it.

So today, when an organization in Quebec is the victim of an attack, which involves a breach of confidentiality and which generates a risk of harm, according to the coming into force of the law, has the obligation under these principles to ensure that she can and does take action that mitigates the risk. Because she could face a court sanction.

And the risk of reputational damage should never be overlooked if the organization is found to know about it and not to advise.

Even if an organization has security measures in place, recognizing the value of the information it holds, it is never immune from an attack that can be successful.

So, a company that does nothing, that is negligent, the consequences are more serious.

The bill provides for significant penalties, including for failure to notify.

In summary, back to the first conference of 2019, the law aims to hold organizations accountable for the use, handling and protection of this information. 

Exactly. You can always mitigate a risk by doing what is necessary.

Do people generally do not understand the nature of the sensitivity of the information they are dealing with?

I think the understanding of how information can be used maliciously is not a skill quite mastered.

There is also the ‘this won’t happen to me’ thought framework. We think we are not important enough to be hacked.

But be aware that there is a large proportion of the millions of daily attacks that are automated, robotic and that are launched at access points without knowing what to catch.

For example, Emotet when he is walking around looking for banking information, it is not intended for a specific address.

With this upcoming clarification of standards, what should an organization do to ensure that it complies with the new rules?

In the obligations, there will first be a specific obligation to be able to demonstrate that an analysis of the impacts on the protection of personal information has been carried out as part of any development or system integration project that affects information management. For example, any transformation of a paper process by an electronic process.

We will have to assess in any digital transformation project how we are going to ensure that data confidentiality is maintained.

Unfortunately, there are many organizations that do not pay attention to how their suppliers or subcontractors handle the information or intelligence that they are likely to entrust to them; under the guise of saying that they think their partners are responsible and will take good care of the information that is given to them.

In other words, in law, it is always the person who collects who is responsible. Regardless of the ability to transfer that risk. Often people will think that when they do business with a third party, they are going to transfer the risk, but the legal risk is not transferred; the risk is still on the shoulders of the one who collected.

So, to manage it, you have to make sure that the supplier has measures in place, has certifications, etc. I’m not saying these are things that don’t exist, but there is clearly work to be done in this area.

So to summarize, if there are two things that organizations should do: first, it is to ensure data security and privacy management because it will be necessary to demonstrate that we have robust processes in place. If there are any problems. Second, do not just limit this assessment to our systems, but also those of our partners because companies remain responsible for data protection.

Well stated. Yes, absolutely.

If you had to wish something for the next year, in terms of cybersecurity, especially with remote working which has become democratized, what would it be?

I have two thoughts on this.

The first is that in the wake of Bill 64, one of the components is that all organizations have personal information. In some cases, this is their business logic, in others, it is only those of their employees. In my opinion, we will have to collectively raise awareness among SMBs. It will be necessary to help them to be in conformity.

We will have to make sure that we will be able to support companies in this transformation.

And so if I have one wish, it is to give the means to actors playing an important role in this field, to be able to adequately carry out their missions.

Examples being,  publishing guides, checklists,etc.

The other idea, which is an ongoing process, is to continue to invest in improving cybersecurity postures and raising awareness. It must continue. For the rest, we must continue to educate ourselves collectively. Essentially, we must continue our efforts.

So in other words, we need more clarity and more support, especially when you are an SME and do not have the backbone of large organizations.Thank you very much for taking the time to discuss these upcoming legislative changes and the resulting new obligations for our Quebec SMEs.

Thank you for having. It is always a pleasure to be here again.

If you need support to strengthen your data protection and personal information strategy, contact us!

Discover our entire episode with Mr. De Rico (in French) on Ausha, Spotify, Apple Podcasts, Google Podcasts and Podcast Addict.