Tech firms must follow Canadian anti-spam laws
By Rob Lamberti, AdvocateDaily.com Contributor
Tech firms should review their business practices with a lawyer to ensure they're following Canadian laws after two companies were recently fined a total of $250,000 for the installation of malicious software through online ads, says London, Ont., privacy lawyer Peter Dillon.
The Canadian Radio-television and Telecommunications Commission (CRTC) issued notices of violation under Canada's Anti-Spam Legislation (CASL) in July to two companies that had a business relationship. One was fined $100,000 and the second firm was fined $150,000, says Dillon, a partner with Siskinds LLP.
The case is the first where firms were fined by the CRTC for breaching CASL, Dillon tells AdvocateDaily.com. More importantly, the case sends the message that the federal agency is checking on tech firms to determine if they are in compliance with the country's anti-spam laws and, if they are caught, they will be fined.
Steven Harroun, the CRTC's chief compliance and enforcement officer, said businesses must ensure their commercial activities don't jeopardize Canadians' online safety.
"Our enforcement actions send a clear message to companies whose business models may enable these types of activities," Harroun said.
The CRTC found the two firms disseminated malicious computer programs through ads they distributed using their proprietary infrastructure.
The malicious programs exploited a vulnerability in Adobe Flash, the CRTC found. The malware was designed to install "second-stage malware, which can lock the user’s system unless a ransom is paid, steal users’ sensitive data, such as account login information and banking credentials (banking Trojans), and/or use the victim’s computer resources for illicit monetization (click fraud Trojans)," the CRTC investigation found.
The CRTC also said the companies had no written contracts in place with their clients to ensure compliance with Canadian law, nor any written policies or procedures of their own to ensure compliance with the country's legislation.
The Canadian Cyber Incident Response Centre (CCIRC) also alerted the two firms in 2015 that their services were being used to disseminate malware, the CRTC found.
"This legislation has been in place since July 1, 2014, and the new rules about installing computer programs came into force on Jan. 15, 2015, but this is the first time the legislation has been enforced," Dillon says.
"This is an industry where clients need to be vetted to ensure their practices don't fall outside of Canadian legislation," Dillon says. "These two firms are American companies and their legislation may be different, but if they operate in Canada they are liable to Canadian legislation if they are using apps to target Canadians."
He notes several types of malware were used, including one called Angler. "It has a few different functions; one of them is to lock a user's computer until a ransom is paid, often with crypto-currency," he says.
"In this circumstance, you would know your computer was infected, but in some circumstances it's a little more secretive: it will stay in your computer grabbing login information and banking credentials, and it will use that information without the user knowing where their data was stolen from," Dillon says.
He says that emphasizes the importance of anti-malware software on computers. People should also constantly check their personal data, including banking information, to determine if there is any suspicious activity.
Dillon says it is crucial for tech firms to know their clients and to ensure the proper anti-malware safeguards are in place in their software to prevent a third party from exploiting the firm's software and using it illegally.
Not safeguarding software could leave tech firms vulnerable to legal action, Dillon says. "If there are issues that arise because a firm was not compliant, it could expose them to damages," he says.
"It's important for internet companies to ensure that their clients, even if they are not Canadian, are complying with Canadian law," Dillon says. "They also should know they would be liable in certain circumstances, especially in tech, for what third-party companies are using their software for."
He suggests tech firms analyze where their data goes and how they are using other firms' data, as much as how other companies are using their software. They should also have a lawyer specializing in technology and privacy review the findings.
"If they are worried they may not be compliant with this legislation, please contact a lawyer or contact me, especially at this point, so we can review it," Dillon says. "And a lawyer can determine whether you are vetting your clients properly to Canadian standards, which could remove your liability in these circumstances."
Legal advice would provide an outline of the legal obligations for a tech firm, both in compliance and building safeguards to prevent malicious use of the firm's software by third parties.
If needed, a law firm would craft the contracts to bind third-party users to Canadian legislation, he says.
"It would be good to get legal advice, even for companies with existing contracts with third parties, to ensure compliance and whether proper safeguards are in place," Dillon says. "Have the policies and procedures reviewed to make sure the company is not violating anti-spam legislation."
A lawyer would also be up to date regarding legislative changes in other jurisdictions and ensure Canadian tech firms are in compliance with those prohibitions overseas, he says.
"This CRTC finding is a warning for tech companies to ensure their safeguards are compliant with Canadian legislation, in particular, the anti-spam legislation," he says.
A tech firm could also suffer a hit to its reputation if it hasn't complied and protected its platform from malware, he says.
"A company's reputation is worth more than any fine imposed," Dillon says. "Regardless of the size of the fine, the biggest harm would be from the damage to its reputation, which will affect its future business, and that would add up to costing more than any fines levied."