Written by Ruth Promislow, Hugo Alves and David Cassin
Cybersecurity is a significant business risk for any organization that collects personal data. The more personal data an organization holds, the more attractive a target it becomes for cybercriminals. It is now widely accepted that the question is not whether an attack will occur but when. Cyberattacks are occurring more frequently, and loss or exposure of sensitive information is on the rise. Licensed producers of cannabis and other cannabis-related businesses (collectively, CRBs) face heightened data breach risk given the highly confidential nature and large volume of the data they collect from their customers.
Data typically stored by organizations in the medical cannabis industry includes:
- Personal data: full name; credit card number, expiry date and security code; personal email; home address; age; gender; date of birth; social insurance number; provincial health insurance number; and, in some instances, occupation.
- Private health information: health assessments; current and historical medical conditions and diagnoses; prescriptions and order history; and names of doctors and designated caregivers.
In the last year, there have been data leaks involving organizations in the medical cannabis industry, including dispensaries in Ottawa and Vancouver. There has yet to be a high-profile attack in this industry, but the absence of one should not lull anyone into a false sense of comfort.
Reliance on Third-party Service Providers
As cyberattacks grow in sophistication and number, many businesses have increased their reliance on specialized third-party providers to manage confidential data rather than managing it in-house. CRBs are cautioned that contracting with a third-party provider does not absolve the business of liability should that provider suffer a data breach. The CRB may remain ultimately responsible for ensuring that its third-party provider employs adequate security measures in handling customer information. Accordingly, when retaining third-party service providers, cybersecurity counsel should be engaged to help the CRB structure and implement risk mitigation strategies (including appropriate contractual protections) for a potential cyberattack on the provider.
A data breach against a CRB could give rise to significant exposure. Aside from the reputational harm and immediate business consequences, including negative publicity and loss of customers, there is also a significant risk of litigation from victims of a data breach.
Victims whose data has been compromised or misappropriated are likely litigants against companies and their directors. In seeking damages, a victim need not prove specific pecuniary loss arising from the data breach: the Ontario Court of Appeal has recognized intrusion upon seclusion as a tort for which damages may be awarded without proof of loss, up to $20,000.[1] Given the number of customers whose data could be compromised in a single cyberattack, this exposure can be significant. Other potential claims include breach of contract, negligence and breach of Charter rights. Further, additional damages may be claimed against the organization responsible for storing the personal information, such as costs associated with identity theft, reputational harm and mental anguish.
Given that cyberattacks generally involve a large number of victims, cybersecurity class actions have become increasingly prevalent and may pose major litigation exposure to CRBs that suffer a data breach. As an example of the potential scope of such a claim, Yahoo! Inc. is facing a proposed $50-million class action in Canada arising from recently discovered cyberattacks on its network that occurred in 2013 and 2014.[2]
A data breach against a CRB also gives rise to regulatory scrutiny. Given that some CRBs, such as licensed producers, generally hold both personal and private health information of their clients, and that such clients may be located across the country, there are several regulatory regimes to which they may be subject. For instance, CRBs may be covered by (among other things) requirements under the federal Personal Information Protection and Electronic Documents Act,[3] Alberta's Personal Information Protection Act,[4] and various provincial statutes governing health information specifically.[5]
PIPEDA regulates organizations that collect, use or disclose "personal information" in the course of commercial activities.[6] PIPEDA was recently amended by the Digital Privacy Act.[7] Under the Digital Privacy Act, new provisions (not yet in force) will require organizations to report breaches of security safeguards that create a "real risk of significant harm" to the Privacy Commissioner of Canada, to notify affected individuals, and to notify other organizations that may be able to reduce the risk of harm. Organizations that knowingly fail to report or notify as required could face fines of up to $100,000; it is not yet clear whether that maximum will apply per incident or per individual whose information has been compromised. The mandatory breach notification requirements are expected to come into force shortly.
Currently, Alberta is the only province whose private-sector privacy statute imposes a mandatory breach reporting obligation. Alberta's PIPA requires an organization that has personal information under its control to notify Alberta's Information and Privacy Commissioner, without unreasonable delay, of any incident involving the loss of, or unauthorized access to or disclosure of, that information where "a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure."[8] The Commissioner may then require the organization to notify the affected individuals.
Costs of Data Breach
From a corporate perspective, the costs of lawsuits and liability following a data breach can be material. According to a June 2016 report sponsored by IBM, the average cost of a data breach is approximately $6 million. Target has estimated that its 2013 data breach will cost approximately US$252 million. Of note, IBM's report found that businesses operating in the healthcare sector "have the most costly data breaches".
Steps to Take
Implementing a Cyber Plan
CRBs must have a plan in place designed to prevent, detect and respond to cyberattacks. While it is not possible to prevent every cyberattack, organizations are expected to take all reasonable steps to do so. A cyber plan can help mitigate the harm of a data breach and lessen the risk of liability should the organization be targeted. Beyond exposure for the CRB itself, failure to have an appropriate strategy in place may give rise to director liability.
Recent decisions in the United States in In re The Home Depot, Inc. Shareholder Derivative Litigation, Palkon v Holmes (the Wyndham Worldwide derivative action) and Davis v Target Corporation, as well as the joint report of the Canadian and Australian Privacy Commissioners on the Ashley Madison data breach, are instructive to boards of directors in establishing the standards they must meet to mitigate or avoid personal liability following a data breach. Drawing on the principles in those decisions, boards are advised to:
- Be actively engaged in cybersecurity issues (including prior to a cyberattack) at a board level, which includes attending regular meetings and seminars on cybersecurity developments;
- Develop internal cybersecurity policies and reporting obligations, including a documented risk management framework with specific measures to take when faced with a cyberattack;
- Ensure there are cybersecurity safeguards in place that are proportionate to the sensitivity and volume of the data held;
- Undertake regular assessments of potential cybersecurity threats via internal or external audits and evaluations; and
- Ensure all staff (including directors and officers) are regularly trained on general privacy and security issues.
Responding to an Attack
Where a CRB has suffered a cyberattack, it is imperative to retain experienced advisors immediately in order to contain the breach, develop a strategy to mitigate damages, notify the necessary regulatory authorities and report to affected individuals. Legal counsel is especially important and should be engaged to direct the investigation so that privilege can be asserted over it.
The above update provides a brief overview of some of the issues relating to data protection and cyberattacks in the cannabis industry. It is important to remember that cannabis law is both complex and rapidly evolving. At Bennett Jones LLP, we have a team of industry-leading professional advisors that can provide legal and strategic guidance to all industry participants as the Canadian cannabis industry continues to advance.
For further information on how to manage your cybersecurity risk exposure, the Bennett Jones Cybersecurity team can assist you.
With thanks to Katherine Rusk, Articling Student
[1] Jones v Tsige, 2012 ONCA 32.
[2] Karasik v Yahoo! Inc. and Yahoo! Canada Co., Court File No. CV-16-566248-00CP.
[3] Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (PIPEDA).
[4] Personal Information Protection Act, SA 2003, c P-6.5, s 34.1 (PIPA).
[5] Personal Health Information Protection Act, 2004, SO 2004, c 3 (PHIPA); see also New Brunswick's Personal Health Information Privacy and Access Act, SNB 2009, c P-7.05, s 49(c) and Newfoundland and Labrador's Personal Health Information Act, SNL 2008, c P-7.01, s 15(3).
[6] PIPEDA at s 2(a), under which "personal information" is defined as "information about an identifiable individual".
[7] Digital Privacy Act, SC 2015, c 32.
[8] PIPA at s 34.1.