Imtiaz Karamat Archives - IPOsgoode

Legal Tug-Of-War: Protecting Privilege in Privacy Breach Disputes
Wed, 08 Mar 2023 17:00:00 +0000

Sally Yoon is an IPilogue Writer and a 3L JD Candidate at Osgoode Hall Law School. M. Imtiaz Karamat is an IP Osgoode Alumnus and an Associate at Deeth Williams Wall LLP. This article was on the OBA’s Information Technology and Intellectual Property Law Section’s.


Privacy breaches are becoming commonplace in today’s business landscape and cybersecurity is top of mind for many organizations— and for good reason. Thefound that the number of breaches involving customer and employee information nearly doubled after the pandemic, and more businesses are reporting loss of customers from cyberattacks. This situation is exacerbated by the risk of litigation, as lawsuits are a legitimate consequence of a privacy breach. Ongoing activity in the privacy breach litigation space calls for organizations to re-examine their privilege strategies and prepare for potential scrutiny that may occur in the event of a dispute.

The Ongoing Litigation Risk

In 2022, Canadian courts continued to see litigation resulting from privacy breaches, with class actions being certified on the basis of a broad range of claims, includingԻ. There have also been significant developments in the jurisprudence for privacy breaches, such as the landmark release of three Ontario Court of Appeal decisions (Owsianik v Equifax Co.; Obodo v Trans Union of Canada, Inc.; and Winder v Marriott International, Inc.) in late 2022 that clarified the scope of liability in data breach class actions for the tort of intrusion upon seclusion.

The continued litigation reminds organizations and lawyers to ensure their privacy breach response plans conform with best practices. This is not limited to having a robust IT framework, but includes adopting legal procedures to provide adequate protection and support. Privilege is an essential component of privacy breach litigation and should be a priority in a response strategy. In a privacy breach, legal privilege permits an organization to obtain legal advice about the incident without having to worry that such communications and related documents will be disclosed to others. This is crucial for breach response efforts, when the fast-paced environment requires candid conversations between counsel and client. Privilege is also essential to litigation preparation, allowing lawyers to create necessary resources without fear that these materials may be disclosed and potentially used against their clients.

A Brief Review of Legal Privilege

Solicitor-client privilege and litigation privilege are two types of privilege that are involved in privacy breach litigation.

  • Solicitor-client privilege communications between the lawyer and client; entails the seeking or giving of legal advice; and is intended to be confidential. It does not depend on on-going or anticipated litigation, and it is once applied, unless waived by the client.
  • Litigation privilege protects documents and communications that were created or collected for the of litigation that is on-going or reasonably anticipated. The privilege terminates once the respective litigation ends.

Recent Canadian Privilege Disputes

Although not as extensive as in other jurisdictions, Canada has seen privilege disputes in the context of privacy breaches. The outcomes of these disputes are important teaching points for organizations intending to develop their own privilege strategy.

Kaplan v Casino Rama Services Inc.

In Kaplan v Casino Rama Services Inc., a class action lawsuit was brought against the owners and operators of Casino Rama Resort (Casino Rama) following Casino Rama’s announcement of a large-scale cyberattack. During the certification stage of the lawsuit, Casino Rama relied on an affidavit that included information from reports of a cybersecurity company hired to investigate the incident. The plaintiffs requested production of the company’s reports, but Casino Rama declined on the basis of legal privilege.

The Ontario Superior Court of Justice (ONSC) found that if privilege was present, it would have been waived when the defendants disclosed and relied on information from the reports as evidence towards the size and scope of the class of persons affected by the breach. In its reasons, the ONSC said that “a party cannot disclose and rely on certain information obtained from a privileged source and then seek to prevent disclosure of the privileged information relevant to that issue...” Therefore, the ONSC ordered production of the parts of the reports that related to the size and scope of the class of affected individuals.

LifeLabs Dispute

More recently, the privilege debate is being examined in the context of information provided to provincial privacy commissioners. In November of 2019, LifeLabs LP (LifeLabs) notified the Information and Privacy Commissioner of Ontario (IPC) and the British Columbia Office of the Information and Privacy Commissioner (OIPC) that it fell victim to a cyberattack, which resulted in personal health data of approximately 15 million customers being extracted from their systems. The IPC and OIPC commenced a coordinated investigation into the incident and demanded that LifeLabs produce certain documents relevant to the investigation. LifeLabs provided some of the documents but asserted litigation or solicitor-client privilege over others.

On March 30, 2020, in, the IPC rejected LifeLabs’ claim of litigation privilege over the documents on the basis that the dominant purpose for the creation of the documents was not litigation. The IPC also disagreed with LifeLabs’ claim for solicitor-client privilege because LifeLabs failed to provide adequate support that it met the requirements for solicitor-client privilege (i.e., that the information in issue was communicated in confidence between lawyer and client; for the purpose of seeking legal advice; and the parties intended it to be confidential). The IPC stated that the mere fact of communication between a lawyer and their client or the transfer of reports to in-house or external counsel does not support a claim of solicitor-client privilege. The IPC further noted that “…while underlying facts given to counsel could be part of the ‘continuum of communication’ protected by solicitor-client privilege…unless disclosure of the underlying facts would reveal or allow for inference of confidential solicitor-client communications, the underlying facts themselves do not attract the privilege”.

Following PHIPA Decision 114, LifeLabs provided the documents in issue to the IPC and OIPC, but maintained that it did not waive privilege by doing so. In May 2020, the Commissioners advised LifeLabs of the information from the documents that they were contemplating using in their final report, which led LifeLabs to submit additional evidence and arguments to the IPC and OIPC in support of its privilege claim over the documents. However, in June 2020, the IPC and OIPC issued a joint decision (the Privilege Decision) that rejected LifeLabs’ claims.

In response, LifeLabs commenced applications for judicial review of the Privilege Decision in both Ontario and British Columbia. In the application, LifeLabs argues that the Privilege Decision was wrong in law in rejecting its privilege claims and challenges the IPC’s power to compel production of privileged documents. This matter is still ongoing in the courts, with relatedbeing heard as recently as late January 2023.

Developing a Privilege Strategy

With the above disputes in mind, it is important for organizations to develop a privilege strategy for responding to privacy breaches and preparing for potential litigation. These are some general best practices to keep in mind:

  1. Preparation: Prior to a privacy breach, businesses can ensure that they have a comprehensive breach response strategy, which addresses retaining legal counsel and considerations for protecting legal privilege. This strategy should be regularly updated to remain current.
  2. Consulting Legal Counsel: Contacting external legal counsel is a top priority upon learning of a potential breach. This allows the organization to begin obtaining the necessary legal advice to immediately respond to the matter; and reinforces claims of privilege from the start. If the organization already has internal legal counsel that has been notified of the incident, it may still be prudent to retain external counsel. This is due to in-house counsel often providing both business and legal advice, which may result in heavy when claiming privilege in a dispute. Retaining external counsel in a breach response would reinforce that the advice being given is legal, as opposed to business-related.
  3. Control Communication Flow: In addition to ensuring that counsel is included in privileged communications, the distribution of such communications can be controlled and limited to only the necessary parties (including the necessary members of the organization), with the intention to limit distribution and preserve confidentiality. As part of the organization’s preparation, it can work with counsel to establish how information is to be communicated, the recipients of such information, and proper labeling practices (e.g., marking documents as “Privileged and Confidential”).
  4. Consider Privilege with Third-Party Service Providers: Communications with third party service providers may be considered privileged when made for the purpose of helping counsel provide legal advice to the affected organization. This includes the use of cyber forensic experts to investigate a privacy incident and generate reports at the request of legal counsel. Where possible, third parties may be jointly retained by external counsel and the organization; and the terms of the retainer and supporting documents should reflect the legal nature of the engagement. The third party can also seek instructions and report to external counsel.
  5. Caution When Divulging Privileged Information: Organizations intending to maintain privilege should be cautious when disclosing privileged information to external parties. This includes being on the alert for inadvertent disclosure of privileged information in legal proceedings. It may also include stating that the organization does not intend to waive privilege by responding to disclosure demands from regulators.

Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.

Ontario Government To Eliminate Fax Machines Within The Next Five Years To Promote Patient Privacy And Access To Health Care
Mon, 27 Feb 2023 17:00:00 +0000

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on on Feb 23, 2023.


On February 2, 2023, Ontario’s Ministry of Health (the Ministry) released its new health care plan, entitled(the Plan). As part of the Plan, the Ministry intends to replace fax machines with digital communication alternatives at all Ontario health care providers within the next five years.

The first pillar of the Plan is called “The Right Care in the Right Place” and focuses on making health care more available and convenient for those seeking to access health resources. The Ministry’s mission to “axe the fax” falls under this pillar by eliminating the use of fax machines to reduce health care delays, promote safer patient care, and allow health data to easily follow the patient wherever they may access care.

The Plan also recognizes that eliminating the use of fax machines would promote patient privacy, which aligns with the Information and Privacy Commissioner of Ontario’s (IPC’s) initiative to modernize Ontario’s health communication infrastructure. As previously reported by the E-TIPS® Newsletter, the IPC joined fellow Canadian privacy regulators in September 2022 to acknowledge the link between certain data breaches and the use of fax machines, and call for the phasing out of faxes.

This was recently reinforced by the IPC’s(the News Release) following its review of a large number of privacy breaches at St. Joseph’s Healthcare Hamilton caused by misdirected faxes. In the News Release, the IPC stated that “misdirected faxes are the leading cause of unauthorized disclosure of personal health information in Ontario” and there is an “enormous potential” for stakeholders to work with the government to replace this outdated communication system. The IPC’s full review can be found.

OSFI, FCAC, And CDIC Release Joint Statement Reinforcing Expectations For Crypto-Asset Activities And Crypto-Related Services
Wed, 07 Dec 2022 17:00:00 +0000

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on on November 30, 2022.


On November 16, 2022, the Office of the Superintendent of Financial Institutions (OSFI), the Financial Consumer Agency of Canada (FCAC), and the Canada Deposit Insurance Corporation (CDIC) (collectively, the Federal Agencies) released a(the Statement) addressed to federally regulated entities involved in crypto-asset activities or crypto-related services. The Statement reinforces the Federal Agencies’ expectations that regulated entities should adhere to applicable regulatory requirements and guidance when engaging in the crypto space.

The Statement set out how the Federal Agencies are monitoring the management of risks associated with crypto-asset activities by entities. The Federal Agencies believe that such risks should be clearly understood and addressed for any planned activity, and direct regulated entities to ensure that any crypto-asset activity complies with existing federal financial laws and issued regulations or guidance. In accordance with this position, the Statement describes the key competencies and guidance of each of the Federal Agencies as they relate to the subject matter:

  • Prudential Regulation. When dealing in the crypto space, regulated entities should consult with OSFI’s Digital Innovation Roadmap and recently published advisory on crypto-asset exposures, entitled.
  • Consumer Protection. FCAC expects regulated entities to notify them when developing or offering crypto-assets and provide any further information requested by FCAC. This notification allows FCAC to assess the applicability of market conduct obligations as outlined in relevant legislation and associated regulations. A definition of “crypto-assets” is included in the Statement for further guidance.
  • Deposit Insurance. Crypto-assets are not eligible for deposit insurance under the current CDIC Act. With this in mind, CDIC expects its member institutions to prioritize transparency when disclosing information on deposit insurance protection to consumers as such information is critical for them to make informed financial decisions. This aligns with the, which requires CDIC members to take steps to ensure that they and their business partners do not provide misleading or deceptive information regarding deposit insurance protection.

44th Global Privacy Assembly Leads To Resolutions On Facial Recognition Technology And Cybersecurity
Mon, 21 Nov 2022 17:00:35 +0000

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on on November 16, 2022.


On October 28, 2022, the Office of the Privacy Commissioner of Canada (the OPC)that data protection authorities around the world endorsed resolutions on facial recognition technology (FRT) and cybersecurity at the 44th Global Privacy Assembly (GPA) in Istanbul, Türkiye.

The GPA is an international forum where data protection and privacy authorities from more than 130 countries meet to discuss privacy matters of interest and coordinate efforts on an international scale. The theme of the public portion of the event was, “A matter of balance – Privacy in the era of rapid technological advancement”.

During the conference, the GPA members adopted a resolution on the use of, which outlined a series of principles and expectations that they would promote to external stakeholders, assess the real-world application therein, and report back on. These principles require an organization to do the following:

  1. Lawful basis: have a lawful basis for collecting and using biometrics;
  2. Reasonableness, necessity and proportionality: demonstrate the reasonableness, necessity, and proportionality of their use of FRT;
  3. Protection of human rights: assess and protect against unlawful interference with privacy and other human rights;
  4. Transparency: ensure that the use of FRT is transparent to affected individuals and groups;
  5. Accountability: include clear and effective accountability mechanisms for the use of FRT; and
  6. Data protection principles: ensure that FRT is used in a way that respects all data protection principles.

The GPA also saw the adoption of a for international cooperation in improving cybersecurity regulation and understanding the harms that result from cyber incidents. As part of this resolution, the endorsing GPA members would take steps to understand the responsibilities of data protection authorities regarding cybersecurity, and explore possibilities for international cooperation amongst members to avoid duplication in investigations and other regulatory activities.

Office Of The Privacy Commissioner Of Canada Publishes Results Of Investigation Into Marriott Data Breach Of 2018
Thu, 27 Oct 2022 16:00:39 +0000

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on on October 19, 2022.


On September 29, 2022, the Office of the Privacy Commissioner of Canada (the OPC) published the results of itsinto the 2018 data breach involving Marriott International, Inc. (Marriott), finding many of the hotel giant’s privacy controls inadequate and recommending remedial steps to prevent future breaches.

Marriott announced that it experienced a data breach involving the unauthorized access of a Starwood Hotels (Starwood) database on November 30, 2018, as previously reported by the E-TIPS® Newsletter. Starwood is a separate hospitality company that was acquired by Marriott in 2016, with the unauthorized access reportedly starting before the acquisition (i.e., spanning from 2014 to 2018). The threat actor reportedly obtained access to personal information contained in up to 12.8 million records where the country-of-residence information was listed as Canada. These records included information on guest profiles and contact details, guest reservations, passport details, and encrypted payment card information.

The incident prompted the OPC to launch an investigation into Marriott’s primary operating company for Canadian hotels, Luxury Hotels International of Canada, ULC. During the investigation, the OPC considered the following key issues:

  1. Safeguards. The OPC reviewed whether there were proper information security safeguards in place to protect personal information. It found several deficiencies in its investigation, including with respect to access controls, anti-virus software, logging and monitoring, and information storage. The OPC found that these deficiencies represented a failure to implement proper protection measures and were a contravention of Principle 4.7 of the Personal Information Protection and Electronic Documents Act (PIPEDA).
  2. Accountability. Following the acquisition of Starwood, Marriott was accountable for implementing policies to properly protect personal information. The OPC found that despite undergoing a post-acquisition assessment of Starwood’s systems and making certain improvements, Marriott failed to adequately perform ongoing security assessments in contravention of Principle 4.1.4 of PIPEDA.
  3. Information Retention. The OPC determined whether the compromised information was held for an appropriate period of time and found that certain personal information was retained for longer periods than necessary in violation of Principle 4.5 of PIPEDA.
  4. Notification and Mitigation. Given that the OPC considered the compromised information as presenting an ongoing risk of harm for those affected, it reviewed whether appropriate notification and mitigation measures were used in response to the breach. Marriott conducted both direct notification for those individuals for whom it had a valid email address and indirect notification for the remaining individuals (e.g., issuing press releases and providing breach information on a dedicated website). Additionally, Marriott implemented various mitigation measures, such as offering one year of free web monitoring to affected individuals, establishing a dedicated call centre, implementing a process for individuals to verify whether a passport number was involved in the breach, and notifying credit card networks of the incident. Although the OPC would have preferred the web monitoring protection to be for a longer time period, it ultimately found the above notification and mitigation measures to be adequate.

In concluding its report, the OPC acknowledged the remedial steps carried out by Marriott, such as the decommissioning of the Starwood database in December 2018. It also recommended implementing further action to ensure compliance, including having Marriott (i) retain an independent assessor to review any enhancements it has made to its systems; and (ii) review its organizational and governance measures as it relates to selected privacy practices. With both recommendations, the OPC requested that Marriott submit reports detailing their findings and proposed timelines for addressing any action items arising from the reviews.

Minister Of Innovation, Science And Industry Issues Statement On Canada’s Telecommunications Reliability Agenda Following Rogers’ Outage Of July 8, 2022
Thu, 29 Sep 2022 16:00:00 +0000

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on on September 21, 2022.


On September 7, 2022, Canada’s Minister of Innovation, Science and Industry (the Minister), issued aon Canada’s Telecommunications Reliability Agenda following the nation-wide Rogers network outage that took place on July 8, 2022. As part of the statement, the Minister provided details on a formal agreement between Canada’s major telecommunications service providers to lend support in the event of another major network outage.

The Rogers network outage had a massive impact across Canada, affecting the wireline and wireless services of millions of Canadians, emergency service providers and small businesses for over 15 hours. This event prompted the Minister to act, giving Rogers and other major telecommunications companies 60 days to enter into an agreement that would guarantee emergency roaming, mutual assistance, and a communications protocol for advising the public and government in the event of future major outages and other emergencies.

In response, the companies agreed to athat is effective as of September 9, 2022 (the Agreement). Under the Agreement, the companies commit to assisting in the event of a major network outage that affects one of the other signatories. This includes providing support for Canadians to remain connected to their contacts, access 911 services, and conduct business transactions. The companies have also committed to providing timely communications during outages to keep the public and government authorities informed about response and restoration efforts.

The Minister announced that the Agreement marks the first of several steps in Canada’s Telecommunications Reliability Agenda, which will include:

  1. the Canadian Radio-television and Telecommunications Commission (CRTC) investigating the Rogers outage and any new measures the company has implemented following the event;
  2. the Canadian Security Telecommunications Advisory Committee (CSTAC) creating further measures within the next six months to bolster the reliability of Canada’s telecommunications networks; and
  3. a review of all regulatory measures to be implemented that is aimed at strengthening the reliability and safety of Canada’s networks.

The Office Of The Privacy Commissioner Publishes Survey Report Of Canadian Businesses On Privacy Matters
Tue, 30 Aug 2022 16:00:00 +0000

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on on August 24, 2022.


On August 11, 2022, the Office of the Privacy Commissioner of Canada (OPC) published a on its survey of Canadian businesses regarding privacy-related issues (the Survey). This is the first survey of businesses published by the OPC since the beginning of the COVID-19 global pandemic – allowing for comparisons to be made with the pre-pandemic landscape.

The OPC commissions a survey every two years with the last survey conducted in 2019. The Survey findings are used by the OPC to provide privacy guidance to the public and improve outreach efforts with businesses. The Survey was conducted over telephone between January 12 – February 18, 2022 and involved representatives from 751 companies across Canada.

The Survey highlights several key findings on how Canadian businesses currently view privacy compliance. For example, the Survey found that businesses are well aware of their responsibilities under privacy laws with 86% of survey respondents indicating that their company is at least moderately aware of their privacy-related responsibilities, and 74% stating that their company has taken steps to ensure compliance with Canada’s privacy laws. The remaining key findings compared the privacy practices of companies in 2022 with their pre-pandemic counterparts:

  1. Privacy Policy: Although the Survey found that 59% of companies have a privacy policy in place, this is less than in 2019 when 65% of surveyed companies reported having such a policy.
  2. Privacy Practices: A large portion of surveyed businesses have implemented key privacy practices, such as designating a privacy officer (57%), developing internal privacy policies (51%), and having procedures in place for responding to customer requests for access to their personal information (51%). However, more businesses reported having implemented these measures before the pandemic with 62% having privacy officers, 55% having internal policies, and 60% having procedures for customer access requests in 2019.
  3. Data Breaches: The Survey found that 28% of businesses are concerned with potential data breaches, which is a drop in response from 37% in 2019.

In interpreting the results, it is noted that the context of the business landscape during the data collection process may have affected the findings. The Survey was conducted at the height of the fifth wave of the pandemic after almost two years of pandemic-related restrictions. Businesses’ preoccupation with pandemic-related issues may have meant that “privacy responsibilities might not be top-of-mind” for those surveyed, who may have had a limited recall of their businesses’ privacy practices or not prioritized privacy as highly amidst sweeping pandemic-related operational changes. This may explain the reported decline in compliance between the years.

Office Of The Privacy Commissioner Of Canada Responds To Proposed Regulations For Examining Personal Digital Devices At Canadian Borders
Mon, 22 Aug 2022 16:00:00 +0000

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on on August 10, 2022.


On July 14, 2022, the Office of the Privacy Commissioner of Canada (OPC) provided its in response to a consultation launched by the Canada Border Services Agency (CBSA) on proposed Regulations for the Examination of Documents Stored on Personal Digital Devices (the Regulations).

The Regulations relate to An Act to amend the Customs Act and the Preclearance Act, 2016, which strengthens safeguards around the examination of personal digital devices by CBSA officers and other border officials. The Regulations are meant to come into force as soon as possible following Royal Assent of Bill S-7 and would prescribe legally-binding controls for CBSA officers’ examination of personal digital devices. The CBSA opened the Regulations for in early April, with submissions due by July 15, 2022.

In its submission, the OPC notes that the Regulations, as currently drafted, address some of its concerns for border officers examining personal devices, such as (i) specifying the types of information that must be recorded by examining officers; and (ii) requiring officers to take “necessary steps” to ensure only documents stored on the device are accessible during examination. The OPC recommends that the Regulations be further enhanced to build on these elements and add other features that are not addressed in the current proposal, including the following:

  1. Note-Taking Requirements: The Regulations already require examining officers to record certain information when examining personal digital devices and the OPC proposes to build on this by requiring officers to note (A) if the officer changes their rationale for examining the device during the investigation; (B) the reason(s) why a particular document was examined; (C) any relevant communication between the officer and traveler; and (D) whether the search was resultant or not, and further steps taken after making this determination.
  2. Disabling Network Connectivity: The OPC proposes that the Regulations should expressly impose technical limitations to ensure the scope of the examination is limited to locally stored documents, such as requiring the activation of “airplane mode”, deactivating any WiFi connection, and ensuring the device is not sharing a connection with another device through Bluetooth or otherwise.
  3. Password Collection and Retention: The OPC considers passwords to be sensitive personal information when paired with other identifiers or matched with the device it unlocks. Therefore, it recommends that the Regulations add express controls around password collection, such as not retaining passwords when an examination is non-resultant.
  4. Solicitor-Client Privilege: The OPC recommends that the Regulations be amended to include the CBSA’s current policy requirements for dealing with solicitor-client privilege and other types of sensitive information of this nature.

OSFI Releases Final Version Of Guideline B-13: Technology And Cyber Risk Management
/osgoode/iposgoode/2022/08/15/osfi-releases-final-version-of-guideline-b-13-technology-and-cyber-risk-management/ Mon, 15 Aug 2022 16:00:00 +0000 https://www.iposgoode.ca/?p=39894

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on on July 27, 2022.


On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13: Technology and Cyber Risk Management (Guideline B-13), which describes OSFI’s expectations for how federally regulated financial institutions (FRFIs) should manage technology and cyber risks.

OSFI views the large increase of cyber incidents in Canada as an urgent call for FRFIs to bolster their technology and cyber risk management practices. Guideline B-13 is OSFI’s answer to this call and provides a flexible, principle-based regulatory framework for FRFIs to strengthen their cybersecurity posture with strategies that account for their size, nature, scope, and complexity.

Guideline B-13 is the final result of an extensive consultation process that started in September 2020 and included an initial draft Guideline B-13 in November 2021, as previously reported by the E-TIPS® Newsletter. The final Guideline B-13 takes a more streamlined approach than the previous iteration and is organized around three “domains” as opposed to the first draft’s five-domain structure. Each domain sets out specific outcomes for FRFIs to achieve in order to align with OSFI’s expectations:

  1. Governance and Risk Management: Technology and cyber risks should be governed by clear accountabilities and structures, and comprehensive strategies and frameworks.
  2. Technology Operations and Resilience: The FRFI has a technology environment that is stable, scalable, and resilient. The environment should remain current and supported by technology operating and recovery processes that are “robust and sustainable”.
  3. Cyber Security: Guideline B-13 requires the FRFI to implement a technology posture that maintains the confidentiality, integrity, and availability of its technology assets.

Guideline B-13 is set to come into effect on January 1, 2024, which gives FRFIs time to review the framework and ensure that they are compliant.

International Data Protection And Privacy Regulators Release Guidance On Credential Stuffing Attacks
/osgoode/iposgoode/2022/08/08/international-data-protection-and-privacy-regulators-release-guidance-on-credential-stuffing-attacks/ Mon, 08 Aug 2022 16:00:00 +0000 https://www.iposgoode.ca/?p=39875

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on on July 13, 2022.


On June 27, 2022, the Office of the Privacy Commissioner of Canada, along with fellow members of the Global Privacy Assembly’s International Enforcement Cooperation Working Group (IEWG), released guidance documents to help individuals and organizations protect against credential stuffing attacks.

Credential stuffing attacks exploit the tendency of users to reuse their usernames and passwords across multiple platforms. Threat actors use username and password information that was leaked in past data breaches to access other online accounts belonging to the users. These attacks may result in financial or reputational harm for individuals, and cyberbreaches for organizations despite a robust cyber security infrastructure. In its guidance, the IEWG states that hundreds of millions of credential stuffing attacks occur each day and credential stuffing has become a global threat to personal data.

To assist individuals in defending against credential stuffing attacks, the IEWG advises, among other things, that users should:

  • not reuse their passwords across multiple accounts;
  • consider implementing multi-factor authentication (MFA) where possible;
  • immediately change the passwords for any compromised accounts and for any other accounts protected by the same or similar passwords; and
  • routinely check account information for unusual activity or unauthorized transactions.

For organizations, the IEWG discusses (i) implementing password systems and policies that fortify the creation and management process for account passwords; (ii) making MFA an essential security measure in one’s organization; and (iii) using alternatives to traditional account setups, such as guest accounts, single sign-on systems, and secondary passwords.

Although these guidelines may not represent legal obligations across all IEWG member jurisdictions, the IEWG intends to raise awareness of the threat of credential stuffing and assist the general public, along with private organizations, in fortifying their personal information practices.
