
Federal privacy law means businesses must pay attention: Levine

Businesses must be proactive not only in training their employees but in setting the tone from the board of directors on down about the importance of privacy law compliance, Vancouver privacy and information lawyer Sara Levine tells AdvocateDaily.com.

Levine says new federal regulations came into effect Nov. 1 requiring businesses to alert individuals of any suspected privacy breaches that create a real risk of significant harm, and report the breach to the Office of the Privacy Commissioner.

Failing to report these suspicions could result in fines of up to $100,000 for each event under amendments to the new Personal Information Protection and Electronic Documents Act (PIPEDA). But Levine says the cost could be much higher.

“If there’s an erosion of trust in the business and the brand, that affects all aspects of the business from stock price and market share to employee morale and recruitment,” she says.

“Setting the tone at the top, at the board of directors, has to be on the agenda,” Levine says. “We’ve seen it at multinational corporations where if it’s not on the agenda of the senior leaders it tends to drag on for too long, and the risks get bigger. Businesses that ignore privacy are attracting the attention of lawmakers in many countries.”

She says the Act applies to all provinces that do not have substantially similar legislation in place, and to all federally regulated boards, agencies, entities and businesses such as banks, airlines and telecommunications companies. It also covers any data that flows across provincial borders.

“The board has oversight over all aspects of the operation, not just finance,” Levine says. “And that has to include cybersecurity and privacy issues. The right policies and procedures are necessary, and should be approached with the same rigour as financial compliance.”

The message has to be clear that compliance is not a burden. It's an important tool that requires due diligence on the part of all involved to ensure collected data is properly handled, she says. And, in the case of a breach, containment and reporting protocols must be followed.

Policies should be updated regularly to stay current, Levine says, adding that demonstrating the company exercised due diligence to prevent a breach may help mitigate damages.

No business or corporation is immune from an attack, not just to gain personal information but, increasingly, for ransom, as was the case at a small Ontario municipality and the University of Calgary, or for cyber espionage, Levine says.

 
