11. Technology and the Law
The internet and technology are changing the world at an incredibly fast pace. With those changes come challenges for individuals and businesses trying to maintain privacy and protect personal information. Regardless of the industry, businesses need adequate cybersecurity policies and practices in place to protect confidential business, employee, and customer information. Workplace privacy and information security are fast-growing areas of the law with important implications across industries.
As our society becomes more and more dependent on technology, we are seeing privacy issues explode in personal and professional contexts. Businesses would do well to consult with cybersecurity and privacy experts to ensure that they are complying with the law and protecting their networks and confidential information as much as possible. Bringing in experts after you have a security breach or lawsuit filed is too late.
What is confidential information in Canada?
The trend among nations is increasingly to require internet service providers and other organizations to obtain consent from consumers before sharing any of their personal information.
Under Canada's Privacy Act, personal information is defined as information about an identifiable individual that is recorded in any form, including, but not limited to:
- The race, national or ethnic origin, colour, religion, age or marital status of the individual
- The education or the medical, criminal or employment history of the individual
- Information relating to financial transactions in which the individual has been involved
- Any identifying number, symbol or other particulars assigned to the individual
- The address, fingerprints, or blood type of the individual
- The personal opinions or views of the individual, except where they are about another individual or about a proposal for a grant, an award, or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations
- The name of the individual where it appears with other personal information relating to the individual.
The Privacy Act itself governs federal government institutions; private-sector organizations are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), which uses a similar definition of personal information. Sometimes individuals and businesses voluntarily give up their privacy rights without considering the consequences. All individuals should be cautious about providing personal information to any organization. While businesses are required to maintain that information securely and act largely as custodians of it, no business is perfect. Businesses that collect this information are frequent targets of attackers seeking to steal it (https://dataprot.net/articles/biggest-data-breaches/).
Right to Privacy
While the law is changing rapidly, the historical common law is clear that confidential information is not to be shared or used without authorization. Privacy is the right of a person, or of a person's property, to be free from unwarranted public scrutiny or exposure. In other words, it is the right to personal autonomy and to express oneself selectively. Privacy includes both bodily integrity and the protection of confidential information, including medical and financial records.
When analyzing privacy cases, courts ask whether an individual has a reasonable expectation of privacy. If an individual does not expect their actions to be private, then no right to privacy exists. Similarly, if society as a whole has no expectation of privacy in the circumstances, it does not matter what the individual may personally believe: no right of privacy exists. For example, when speaking directly with a physician about medical test results, there is an expectation of privacy. However, if the conversation occurs in a public space where others may overhear it, an expectation of privacy is not reasonable.
Privacy cases also focus on whether a person has given either express or implied consent to disclose or use personal information. Express consent is often given in the form of contracts, including end user agreements. Implied consent is usually based on the person’s actions, such as a history of business transactions. In essence, implied consent means that a business has reason to believe that a person would give consent if the business asked for it. For example, customers who sign up for a loyalty program may give implied consent to receive marketing emails from that particular business.
While consent and the expectation of privacy are interrelated concepts, they are legally different concepts.
According to the Made in CA website (https://madeinca.ca/online-shopping-canada-statistics/), eighty-two percent of people in Canada shop online (2020 data). Most retailers collect customers' personal and financial data, so unless a customer pays in cash, the customer's personal and financial information will be shared with the business. Rather than targeting individual consumers in person, thieves today target businesses to collect the personal and financial information of entire customer bases at once. Data breaches affect all industries, including retail, credit bureaus, hospitals, and government agencies. The average cost of a data breach in Canada reached an all-time high in 2021, according to IBM Security's Cost of a Data Breach report (https://calgary.ctvnews.ca/cost-of-data-breaches-in-canada-hit-new-record-in-2021-ibm-1.5526127).
Cybersecurity experts note that cyber criminals run automated scanners that continuously look for exposed, unsecured databases and services. While some larger businesses are specifically targeted, cyber criminals are most successful against small and medium-sized businesses that are unaware of the threat or unwilling to spend adequate resources on cybersecurity.
Businesses should be aware that, according to recent research, approximately eighty percent of data breaches involve a human element (https://www.itworldcanada.com/article/human-error-tops-causes-of-data-breaches-says-verizon-report/485343) rather than outdated or insufficient technology alone. Therefore, by adequately training employees, many data breaches may be avoided. For example, breaches often result from sending emails to the wrong person, responding to phishing attacks, sharing passwords, and leaving unlocked screens unattended. Another avoidable risk is reusing the same password across multiple accounts, such as email, banking, and social media. If that password is leaked in a breach of any one service and added to criminals' databases of known credentials, attackers will replay the same username and password against other services (a practice known as credential stuffing), and every account that shares the password can be compromised. Unique passwords, ideally generated by a password manager, and multi-factor authentication limit the damage a single leak can do.
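As an added illustration of why a password that has appeared in a breach is dangerous wherever it is reused, the following Python checks a candidate password against a breach corpus using the k-anonymity range lookup popularised by the Pwned Passwords API: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, and matches the rest of the hash itself, so the password never leaves the client. This is example code written for this page, not code from any cited source; the list of leaked plaintexts is constructed for illustration, and `range_lookup` stands in for the remote service.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a corpus of leaked passwords (an attacker's cracked
# database, or a breach-notification service's index). "password" appears twice
# to show that counts accumulate across breaches. Not real breach data.
LEAKED_PLAINTEXTS = [
    "password", "123456", "qwerty", "letmein", "Summer2021!", "password",
]

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest the range scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Index hashes by their first five hex chars. Each bucket maps the remaining
    35 chars (the suffix) to the number of times that password was seen."""
    index = defaultdict(dict)
    for pw in plaintexts:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


BREACH_INDEX = build_range_index(LEAKED_PLAINTEXTS)


def range_lookup(prefix: str):
    """Server side of the scheme (stands in for the remote API). The server learns
    only a 5-char prefix, which matches many unrelated hashes, and returns every
    suffix in that bucket as 'SUFFIX:COUNT' lines, the same shape the real API uses."""
    if len(prefix) != 5 or not set(prefix) <= HEX_DIGITS:
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    bucket = BREACH_INDEX.get(prefix, {})
    return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]


def times_seen_in_breach(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password_policy(password: str) -> str:
    """Decision a signup or password-change form would make: reject anything seen in
    breach data, because attackers replay exactly those passwords against other sites."""
    seen = times_seen_in_breach(password)
    if seen:
        return f"rejected: seen {seen} time(s) in breach data"
    return "accepted"


if __name__ == "__main__":
    for pw in ["password", "Summer2021!", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password_policy(pw)}")
```

The split between `range_lookup` and `times_seen_in_breach` is the point of the design: a business can screen new passwords against leaked ones without ever transmitting the password or its full hash, and a leaked password is refused at the point where reuse would otherwise begin.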
In addition to financial data, businesses collect personal information about consumers and their habits. Aggregated at scale, this is called big data. Consumer information is very valuable because businesses can mine it to identify spending habits and target marketing at likely customers. This reduces costs and increases profit, especially as e-commerce increases the number of competitors across industries.
Another benefit to mining the data available about consumers is businesses can make more profitable decisions. For example, health insurance companies are heavily invested in big data because they want information about the lifestyle habits of the people they insure and potentially insure. If they know someone is a smoker, eats a lot of sugary foods, or has a sedentary lifestyle, then they can adjust premiums accordingly to minimize their risk. Insurance companies look for trends not just for individuals but also regions, types of occupations (including those with the highest risk of addiction or obesity), and socio-economic status.
Internet of Things
The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. In other words, the IoT includes everyday devices connected to the internet, including medical devices, appliances, vehicles, and buildings.
Why is this important? The location and manner of data collection involves different expectations of privacy. For example, businesses argue that by purchasing and installing “smart home” appliances and products, consumers have consented to surveillance and data collection. Consumer advocacy groups argue that purchasing goods for a particular use does not give consent to businesses to invade consumer privacy in their homes. These issues will be heavily litigated in the years to come.
Security Incident Preparation and Response
Businesses are not able to prevent all data security breaches. However, businesses need to take steps to protect against known and reasonably anticipated threats to confidential information, and to have a tested incident response plan so that a breach can be contained, investigated, and, where required by PIPEDA, reported to the Office of the Privacy Commissioner of Canada and to affected individuals. Businesses wanting guidance on implementing a cybersecurity program appropriate to their industry should consider the Framework for Improving Critical Infrastructure Cybersecurity published by the United States National Institute of Standards and Technology (NIST). The framework's purpose is to help organizations understand and improve their management of cybersecurity risk, and it is an excellent place to start when analyzing cybersecurity issues. The Canadian Centre for Cyber Security is another useful resource: https://cyber.gc.ca/en.