Evidence of meeting #62 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Frank Zinatelli  Vice-President and General Counsel, Canadian Life and Health Insurance Association
Anny Duval  Counsel, Canadian Life and Health Insurance Association
Randy Bundus  Senior Vice-President, Legal and General Counsel, Insurance Bureau of Canada
Sonia Carreno  President, Interactive Advertising Bureau of Canada
Adam Kardash  Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada
Steven Lingard  Director, Legal Services, and Chief Privacy Officer, Insurance Bureau of Canada

4:55 p.m.

Director, Legal Services, and Chief Privacy Officer, Insurance Bureau of Canada

Steven Lingard

Yes, I do. I think we have a very good culture. I think we have strong practices in place. I've said before, and I'll say it again: insurers appreciate and understand the need for protecting the information of their customers. I think we have a very good track record in that regard.

4:55 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Okay.

4:55 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

Thank you.

That concludes your five minutes, Mr. Kelly.

We'll go to Mr. Saini and Mr. Long, who will be splitting the five-minute time.

4:55 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

There's just one follow-up question I didn't get a chance to ask.

With your testimony and with testimony that we've heard before, there seems to be some hesitation in giving the commissioner more enforcement powers. I just want to understand why you feel there should be that hesitation. Why should we not give the commissioner more and more powers to enforce breaches of privacy especially when it's not going to be detrimental to those companies that are following best practices?

I'm just confused about why there's hesitation especially when we know in Europe, especially with the GDPR, the maximum penalty is 4% of general turnover, or up to 20 million euros. Why is there hesitation here in Canada to have a robust enforcement policy?

4:55 p.m.

Counsel, Canadian Life and Health Insurance Association

Anny Duval

I would probably go back to the words of Jennifer Stoddart, who, as you know, is the ex-Privacy Commissioner of Canada. She was on a panel recently at a national privacy conference that I attended. It was pointed out to her that there are no examples of bad situations. She said there is one. It's Quebec's access to information commission, the CAIQ or Commission d'accès à l'information du Québec, which has turned into an administrative tribunal. She said that when she looks at the commission in Quebec, she sees that it represents the dangers that the companies are afraid of. She even mentioned.... I'll say this part in French because she was speaking French. She said that the CAIQ decision-makers sign their decisions as administrative judges.

I'm happy to repeat that.

4:55 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Could you repeat that more slowly?

4:55 p.m.

Counsel, Canadian Life and Health Insurance Association

Anny Duval

No worries.

She said that the CAIQ decision-makers sign their decisions as administrative judges. She said in particular that this title is not even in the enabling statute.

So to her, it's a slippery slope of what you could be looking at and be afraid of in the future.

4:55 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

I would just reiterate that in dealing personally with scores of investigations, I have found that there is a benefit to having an ombudsman model that can be unleashed to have even greater benefits, to allow for what I would call a conversation. Unlike other types of statutes in which there are prescriptive requirements, etc., the implementation of a privacy program in a manner that respectfully treats data is a nuanced conversation. It requires a dialogue and it requires that dialogue to be with multiple stakeholders.

An ombudsman model facilitates that. If you're going to change to a scenario in which you start providing the former ombudsman with more enforcement powers, that will change the context of that discussion. It just will. Whether it would come to the extreme, as was just cited, remains to be seen. But it would change.

Going back to the comments that we made, we have had tremendous success with the OPC. It has been tremendously successful in enforcing the act. It's respected all over the world because of this. What we haven't seen, and what I think is really important to consider, is the specific circumstances in which the existing suite of powers has been insufficient. I'm not saying that those don't exist. It's just that those haven't been discussed. There's a very wide range and they work quite well.

The mere fact that there might be another regime that has powers in and of itself didn't strike our committee, at least, as something that's compelling, especially with the benefits that could be afforded by the ombudsman model. I think Canada could lead globally. I think the ombudsman model is a way to do so. We've felt that way for years.

4:55 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

There are still 45 seconds left.

4:55 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Mr. Lingard, I just want to continue. You mentioned the industry, insurers, face hurdles at times with respect to being prepared and getting ready.

What, as an industry, are you doing to make sure that insurers are ready for the rapidly changing rules and regulations?

5 p.m.

Director, Legal Services, and Chief Privacy Officer, Insurance Bureau of Canada

Steven Lingard

We're working with our members to ensure that they are current. An example of something we're working on is electronic proof of auto insurance. You'd think it would be fairly simple. Rather than having to show your pink card to law enforcement—

5 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

It drives me crazy.

5 p.m.

Director, Legal Services, and Chief Privacy Officer, Insurance Bureau of Canada

Steven Lingard

—you could perhaps show your cellphone, like a boarding pass when you go to the airport. That has prompted considerable discussion with some of the provincial governments and some of the provincial privacy commissioners. The federal commissioner has not become involved yet.

It looks as though the process could take months, if not years, to come up with a resolution. That is not in anyone's best interest. We appreciate the need for thoughtful consideration of the privacy issues, but the process is moving very slowly. It's one that we would like to move more quickly. The technology is from 10 years ago, but why can't we use it now?

5 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

Thanks very much. That concludes that five-minute round.

We're with Mr. Jeneroux for five minutes.

5 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Thank you very much.

Thank you for being here today.

I have one question, and maybe I'll start with Mr. Bundus and Mr. Lingard, and then anybody else who wants to weigh in as well.

I want to talk about the challenges when it comes to preventing privacy breaches, and perhaps any recommendations or observations that you might have from your side of it to make sure we have that information so we can feed it back to our report.

5 p.m.

Senior Vice-President, Legal and General Counsel, Insurance Bureau of Canada

Randy Bundus

It is a very important issue for members of our industry. As insurers who insure against privacy breaches through cyber liability insurance, they're extremely interested in not only preventing privacy breaches by their own operations but also providing advice to customers to avoid privacy breaches on their front. It's a very new product coming out and a lot of work has to be done to educate users of the systems to make sure the insurance can be sold. As time goes on, new skills, ideas, and perhaps checklists will be developed by insurers to make that product more insurable. That's where we're at.

5 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Do you have any recommendations that you'd like to see now, or are you going to wait and see?

5 p.m.

Senior Vice-President, Legal and General Counsel, Insurance Bureau of Canada

Randy Bundus

Unfortunately, we're in a wait-and-see situation.

5 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

All right. Does anybody else have a comment?

5 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

I want to clarify if the question is whether there are recommendations for helping organizations respond to incidents that would be incorporated into the statutory regime or it is a more general question.

5 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

It's both. You've opened it up, so let's do that.

5 p.m.

Partner, Privacy and Data Management, Osler, Hoskin and Harcourt LLP, Interactive Advertising Bureau of Canada

Adam Kardash

As the committee is aware, we've had these discussions, and PIPEDA has a pending statutory security breach notification requirement, which will come into effect once the regulations are put out for comment and then ultimately implemented.

One of the comments that industry has made about those regulations is that it's incredibly important to keep them not prescriptive but to give some flexibility. But the statutory safeguarding requirement in PIPEDA is simple. In essence, it's a couple of lines. You need to have reasonable security safeguards. There is jurisprudence already that this means it doesn't have to be perfect, but what is reasonable? Reasonable is informed by its standards. There's a wealth of information security governance standards out there that especially entities in the financial services sector, insurance and financial services, will follow. Within those, it's a basic concept of information security governance.

Now, especially in the wake of the global ransomware attack, which was another wake-up call globally about this, it's a matter of vigilance with respect to the establishment of a continuous information security governance program. Within that, you not only have policies and procedures that you continually review, monitor, and independently test, you also have incident response and readiness plans that you implemented. If you treat it like a piece of paper and file it, it's not worth the paper it's written on. It's a living, breathing type of framework to address proactively information security concerns that not only threaten individual companies but are a systemic threat to the entire country.

5 p.m.

Vice-President and General Counsel, Canadian Life and Health Insurance Association

Frank Zinatelli

We've recognized for many years that safeguarding is really an essential principle. In fact, it has to be one of the top two of the 10 principles that make up privacy legislation, so it's always been abided by.

Now, in recent years, we've seen, of course, cyber issues associated with that, and certainly within our industry there's been more work done on the cyber side during the last three to four years. Indeed, we have committees made up of member company folks to be up to date on the most recent developments. We work with our financial services regulators so that they're apprised of what safeguards companies have in place, but it's an ongoing battle.

5:05 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Okay.

5:05 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

If it's okay with the committee, I have two or three questions.

Is that all right?