Just when you think there can’t be more regulation heaped on the financial advisory community, along comes the federal Digital Privacy Act (DPA), which creates new obligations for advisors and their firms when it comes to protecting sensitive client data.
Following client relationship model reforms and anti-spam legislation, the DPA amends the Personal Information Protection and Electronic Documents Act (PIPEDA) and requires financial advisors to keep records of breaches of security safeguards and to report breaches to affected clients and to the federal privacy commissioner.
Financial advisors and their firms collect and store some of the most sensitive information about clients, everything from social insurance numbers to personal financial information. That means advisors and their firms must put new procedures in place to deal with the rising risk of privacy breaches, including cyberattacks.
“[Advisors and their firms] need to put in place really robust controls to protect that information,” advises Christine Carron, senior partner and privacy lawyer at Norton Rose OR LLP in Montreal. Threats range from cyberattacks to everyday mishaps with big consequences. For example, Carron adds, an advisor may be taking a big safety risk by doing something that used to be routine: taking client information out of the office on a laptop computer for a client meeting. “There is very little reason or necessity to download something onto a hard disk. You can usually access it remotely.”
The protection of digital information is moving quickly to the top of the agenda for legislators, regulators and industry associations, as companies increasingly rely on digital records to conduct their business and hackers get increasingly sophisticated in their effort to steal that data.
The changes are part of Digital Canada 150, Ottawa’s plan for enhancing the nation’s digital economy, which pairs the goal of building that economy with the goal of protecting the data it runs on.
The latter goal is proving elusive. Barry Sookman, a privacy lawyer with McCarthy Tétrault LLP in Toronto, cites statistics that suggest upwards of 80% of companies have been hacked at least once. “Many financial institutions and investment advisors have been infiltrated, many of whom may not know it yet,” he says. “This is a pressing and urgent problem.”
The DPA, most elements of which came into effect in June 2015, hammers home the need to be attentive in protecting data. Knowingly failing to keep records of breaches, or failing to report them, is now an offence under PIPEDA. Fines can reach $10,000 on summary conviction or $100,000 on indictment, per offence. These amounts can add up quickly if an advisor’s entire database of clients is accessed.
The DPA makes a number of changes that cover four key areas: consent, business transactions, tracking breaches and notification of breaches.
– Consent
Advisors must obtain valid consent from clients before collecting, using or disclosing their personal information, a standard the Act now frames as “informed consent.”
“That’s the one that’s probably going to be overlooked the most,” warns Tim Banks, a privacy lawyer with Dentons LLP in Toronto. “The Digital Privacy Act made a small change to [PIPEDA] to state that consent really requires the person to have free and informed consent.”
The person giving the consent must understand the “nature, purposes and consequences” of why personal information is being collected, used or disclosed.
“Make sure [clients’ information] is used only for the purposes for which it was collected,” notes Carron.
That means clients have to understand fully why you are collecting their information and what you plan to do with it. If you tell a client that you need his or her information to send monthly reports, then use it to try to sell the client other products, that won’t cut it.
– Business transactions
Fortunately, the federal government has carved out some exceptions to the requirement that companies obtain a person’s consent to collect, use or disclose personal information. Business contact information is exempt: things such as business e-mail addresses, phone numbers and job titles, when they are collected, used or disclosed solely to communicate with a person about his or her job, profession or business.
Certain business transactions, such as the purchase, sale or merger of a business, also are exempt from the consent requirements, which Carron says “is a very welcome modification” and will help with information sharing during the due-diligence process.
A business can also collect, use and disclose personal information without an individual’s consent if doing so is necessary to establish, manage or terminate an employment relationship.
There are other exemptions related to disclosing personal information in suspected cases of fraud or elder abuse. (These will be covered later in the series.)
– Tracking breaches
One of the more significant measures in the DPA is the requirement that companies create a record of every “breach of security safeguards involving personal information under their control.”
A breach of security safeguards means the loss of personal information, or unauthorized access to or disclosure of it, resulting from a failure of an organization’s security safeguards or from a failure to put such safeguards in place.
Sookman expects this provision to be one of the more labour-intensive requirements: “The legislation requires organizations to keep records of every breach in the company, whether or not it results in harm to an individual. That is a very low threshold.”
He says most organizations normally won’t keep records of things that don’t actually cause harm. He adds that it’s critical for companies to create and document their data safeguarding policies and convey them to staff.
Circumstances leading to breaches that must be logged could be as innocuous as someone forgetting to lock or shut down his or her computer at night, leaving client information exposed. Or the breach could involve intentionally intrusive behaviour, such as employees snooping on clients.
Other areas ripe for violations include poor password hygiene, such as passwords that are never changed, and employee negligence, such as sending client information to the wrong person. Notes Banks: “The logs will need to contain details, such as when [the breach] occurred, how it was detected, how it was stopped, if it was an ongoing data breach and how many people were affected.”
Knowingly failing to maintain such records is an offence under the Act.
Banks expects regulators to call for the logs if a company suffers a breach. A pattern of “lax safeguards” recorded there, he says, will be damaging in any lawsuit, class action or regulatory action a firm has to defend.
– Breach notification
The DPA also calls on organizations to notify affected clients, the federal privacy commissioner and, in some cases, other organizations or government institutions that may be able to reduce the harm, if the organization believes that a breach “creates a real risk of significant harm to an individual.”
Banks says that this definition, which also appears in Alberta privacy legislation, has “proven to be problematic. No one really agrees as to what the harm should be [that triggers a notification]. Is it merely financial harm or also public embarrassment? I think the net is very broad as to what will qualify,” Banks says.
While most of the DPA is in force, the breach record-keeping and notification requirements will come into force at a future date, once the supporting regulations are in place.
The first in a three-part series reviewing the impact of the new privacy rules on your firm, from procedures to penalties
In the next issue: more changes affecting advisors, including fraud.
© 2015 Investment Executive. All rights reserved.