Airline hits turbulence from CRTC: pays penalty for violations of anti-spam law

David Elder

In the most recently announced settlement under Canada’s Anti-Spam Legislation, the CRTC has announced that Porter Airlines Inc. has agreed to pay $150,000 as part of an undertaking concerning alleged violations of the law.

The CRTC’s summary of the undertaking indicates that Porter sent commercial electronic messages:

  • without an unsubscribe mechanism or with an unsubscribe mechanism that was not set out “clearly and prominently”, as required by the Electronic Commerce Protection Regulations (CRTC) (the Regulations).  In this regard, the CRTC noted that some of the messages contained two unsubscribe links, only one of which was functional.  In the CRTC’s view, the unsubscribe mechanism was not clearly set out, as it was not apparent which mechanism was functional
  • without complete identification information required by the Regulations
  • without proof of consent to send commercial electronic messages to some of the recipients
  • to at least one recipient who had previously indicated they wanted to unsubscribe.  The CRTC found that the unsubscribe request was not given effect within 10 business days, as required by the Act

Snoops and gossips beware: Ontario Government to introduce stiffer measures to protect patient privacy

Recently, the Government of Ontario announced its intent to strengthen the rules protecting patient privacy. If passed, these amendments to the Personal Health Information Protection Act (PHIPA) would include:

  • Mandatory reporting of privacy breaches to the Privacy Commissioner and potentially the regulatory colleges;
  • Allowing individuals to more easily prosecute offences under PHIPA by removing the 6-month limitation period following an alleged privacy breach;
  • Increasing institutional fines for offences from $250,000 to $500,000;
  • Increasing individual fines for offences from $50,000 to $100,000; and
  • Clarifying how and when healthcare providers may collect, use and disclose personal health information contained in electronic health records.

Privacy Commissioner study finds compliance gaps with online behavioural advertising

David Elder

New research released by the Office of the Privacy Commissioner of Canada (OPC) suggests that most advertising organizations placing behaviourally targeted online advertising are meeting privacy requirements, although the report also suggests there are a number of areas for improvement.

The study showed that most advertising organizations are providing some form of notification to users, as well as an opt-out mechanism; however, the research also suggests that some opt-out procedures can be confusing or cumbersome, and some of the advertising organizations are continuing to serve ads based on sensitive topics.


Cybersecurity: What Should a Board of Directors focus on?

In this, the second in our series of posts on the duties of Canadian directors and officers, Vanessa Coiteux and Tania Djerrahian discuss some of the key issues that directors need to focus on in the rapidly developing area of cybersecurity. The article considers some of the cybersecurity concerns expressed by securities regulators and proxy firms as well as some of the considerations that should go into an effective cybersecurity strategy.

Most companies today depend on networks, computers and the Internet to help manage their business. While digital technology has many benefits, it also has the disadvantage of exposing companies to cybersecurity breaches. Historically, many viewed the risks associated with cybersecurity as risks to be entirely managed by a company’s information technology (IT) department. However, given the number of companies in various industries that have experienced cyber-attacks in recent years, and the serious consequences of many of those attacks, boards of directors may, depending on the facts and circumstances surrounding their company,  consider elevating such risks to enterprise-wide risks (as was the case for financial risks following the Enron scandal). As will be discussed below, there are a number of reasons why boards of directors of public companies may want to oversee the management of cyber risks and a number of practical ways of doing so.


SEC issues cybersecurity guidance for registered investment advisers and funds

In a recent investment management guidance update, the United States Securities and Exchange Commission (SEC) addressed the need for greater cybersecurity measures to protect confidential and sensitive information held by registered investment companies and registered investment advisers. The SEC identified several measures, in light of recent cyber-attacks on financial services firms, that funds and advisers may wish to consider in addressing cybersecurity risks, including:

Continue Reading...

CRTC shows great interest in US-based robocaller offering low credit card rates - $145,000 fine imposed

David Elder

For the second time in a month, the CRTC has imposed a penalty against a foreign telemarketer.

In the most recent case, an administrative monetary penalty of $145,000 was issued against Arizona-based Rainmaker Marketing/Maple Accounting for making unsolicited telemarketing calls pitching lower credit card rates.


Senate Committee releases final report on prescription pharmaceuticals in Canada

Justine Johnston

On March 10, 2015, the Standing Senate Committee on Social Affairs, Science and Technology (the Committee) released a final report entitled “Prescription Pharmaceuticals in Canada” (the Report). Nearly three years in the making, the Report summarizes the Committee’s four-phase study, earlier reports and recommendations to improve Canada’s prescription drug regulatory regime.

Background

The Senate authorized the Committee to examine and report on prescription pharmaceuticals in Canada on November 19, 2013. The Committee’s mandate was to examine:

  • the process to approve prescription pharmaceuticals with a particular focus on clinical trials;
  • the post-approval monitoring of prescription pharmaceuticals;
  • the off-label use of prescription pharmaceuticals; and
  • the nature of unintended consequences in the use of prescription pharmaceuticals.

CRTC sends shot across the bow to international telemarketers; issues $200,000 fine to US company selling cruise vacations

David Elder

In a precedent-setting ruling, the Canadian Radio-television and Telecommunications Commission (CRTC) has issued its first penalty to a foreign-based telemarketer for violations of the Unsolicited Telecommunications Rules.

The administrative monetary penalty (AMP) was paid by a Florida company as part of a settlement for making unsolicited telemarketing calls via an automatic dialing-announcing device (ADAD) to offer cruises to Canadians, many of whom have their phone number registered on the National Do Not Call List (DNCL). In addition, the company did not possess a valid exemption to the National DNCL


First blood: CRTC imposes $1.1 million fine in first ever finding under anti-spam law

David Elder

Eight months after Canada’s Anti-Spam Law (CASL) came into force, the Canadian Radio-television and Telecommunications Commission (CRTC) has made public its first ever finding of non-compliance with the Act, issuing an administrative monetary penalty of $1.1 million against Compu-Finder, a firm that provides training and consulting services.

Surprisingly, this much anticipated enforcement action was not against a firm targeting consumers, as many had suspected, but rather was directed at a firm sending email messages to businesses to promote various training courses related to topics such as management, social media and professional development.   It is believed by many that the overwhelming majority of the more than 250,000 complaints received by the CRTC since the law came into force have been from consumers.  In the case at hand, the CRTC indicated that over one quarter of all complaints about the training industry sector received by the Spam Reporting Centre related to Compu-Finder, although it is not known how many complaints were received.


Canada-Europe open new Patent Prosecution Highway pilot program

Justine Johnston

The Canadian Intellectual Property Office (CIPO) has entered into a new Patent Prosecution Highway (PPH) pilot agreement with the European Patent Office (EPO). The PPH has a three year mandate; it began on January 6, 2015, and will operate until January 5, 2018. CIPO has previously entered into PPH agreements with other patent offices around the world and is a part of the Global Patent Prosecution Highway.

The PPH allows applicants with patent claims in one jurisdiction to accelerate processing in the other jurisdiction for no additional fee. PPH requests at the CIPO can be filed based on EPO national work products and EPO Patent Cooperation Treaty work products. PPH requests at EPO can be filed based on a CIPO application that was filed or entered the national phase at CIPO on or after January 6, 2015. Since applicants must file corresponding patent claims, the PPH accelerated processing is only suitable for applicants seeking similar patent protection in both jurisdictions.


FTC report on the Internet of Things urges companies to adopt privacy and data security best practices

Michael Decicco

On January 27, 2015, the United States Federal Trade Commission (FTC) released a report discussing privacy and data security in consumer devices connected to the internet. 

The Internet of Things (IoT)

The FTC defined the IoT to include things such as devices or sensors, other than computers, smartphones or tablets, that connect, communicate or transmit information with or between each other through the internet. Examples include smart thermostat systems and washers and dryers that use Wi-Fi for remote monitoring.

Data Security and Privacy Risks

While the FTC acknowledged some benefits of the IoT, it cautioned that the IoT presents a variety of data security and privacy risks.  The risks include: (i) the enabling of unauthorized access to and misuse of personally identifiable information (PII), (ii) the facilitation of attacks on other interconnected systems, and (iii) the creation of safety risks.  While the first two risk factors are common in the traditional computing environment, the third represents a new, physical type of risk.  For example, it may be possible to remotely hack into a connected medical device and change its settings, impeding its therapeutic function.


Global privacy authorities urge app marketplaces to make links to privacy policies mandatory

The Privacy Commissioner of Canada and 22 other privacy authorities worldwide recently issued an open letter to the operators of seven leading app marketplaces urging them to make links to privacy policies mandatory for apps that collect personally identifiable information (PII).

The letter was issued following the second annual Global Privacy Enforcement Network privacy sweep, which we discussed in a previous post.  While the letter acknowledges that app developers are responsible for communicating their privacy practices to app users, it emphasizes an app marketplace operator’s unique and integral role in users’ interactions with mobile apps. The letter described app marketplaces as important consumer landing spots where individuals can search for new apps, read reviews and access technical information in order for an individual to make an informed decision about apps in the marketplace.

Accordingly, the letter urges that app marketplaces require privacy practice information, such as privacy policy links for apps that collect PII, to be made available to users to ensure that users are meaningfully informed regarding the collection and use of their PII prior to deciding to download an app.


ISO 27018: Data protection standards for the cloud

Michael Decicco

In 2014, the International Standards Organization (ISO) added to its family of information security standards when it published ISO/IEC 27018, a code of practice that sets forth standards for the protection of personally identifiable information (PII) in the public cloud.

ISO/IEC 27018 provides best practices for public cloud service providers and establishes a common set of control objectives, controls, and guidelines for implementing measures to protect PII. 


Bill 3 - Personal Information Protection Amendment Act in force

Gloria Moore and Gary Clarke

On December 17, 2014, the Alberta Government’s proposed amendments to the Personal Information Protection Act (PIPA), found in Bill 3, came into force.

The proposed amendments to PIPA and the motivation for the changes are discussed in our previous blog post.


The Federal Communications Commission asserts its role as a regulator of data security

The Federal Communications Commission (the FCC) recently took action against two United States telecommunications service providers, TerraCom, Inc. and YourTel America, Inc. (the Companies) in the FCC’s first data security case and largest privacy action in the FCC’s history.  The FCC is fining the Companies US$10 million for allegedly willfully and repeatedly violating the Communications Act of 1934.
