The ongoing digital transformation of the financial industry, spurred on by competitive pressure from fintechs and by consumer demand, was supercharged by the pandemic.
This accelerated digitization, coupled with upcoming regulatory changes, means privacy and cybersecurity will remain at the forefront of the issues financial institutions grapple with. Outlined below are five key privacy and cybersecurity issues organizations within the financial sector should be focusing on.
Canadian governments at the federal and provincial levels have announced their intentions to enhance the Canadian privacy law framework by moving private sector privacy laws towards an EU General Data Protection Regulation model, a model that empowers individuals by providing more control over their personal information.
Given the patchwork of federal and provincial private sector laws in place and on the horizon, financial institutions operating across Canada will need to anticipate the extent to which these updated and new privacy laws apply to them. Much of this will be driven by a constitutional division of powers analysis, the outcome of which may have significant operational and regulatory consequences for the financial sector. While there are common themes across the proposed reforms, such as enhanced individual control and regulatory oversight, there will be regional differences. For instance, Québec’s Bill 64 proposes to impose significant data residency and consent disclosure requirements that are not contemplated under PIPEDA. Similarly, the proposed federal reform of PIPEDA would allow businesses to rely on a “standard business practices” consent exemption, which is analogous to GDPR’s legitimate interests basis for processing personal information. No such exemption is contemplated under the Québec and B.C. law reform proposals.
Traditionally, financial institutions have relied on their status as ‘federal works, undertakings or businesses’ (FWUBs) to advance the position that PIPEDA is the governing statute in privacy and data protection matters. The Supreme Court of Canada decision in Bank of Montreal v. Marcotte, 2014 SCC 55 (Marcotte), and, more recently, the Québec Commission d’accès à l’information (CAI) decision in D’Allaire v. Transport Robert (Québec), 1973 ltée, 2020 QCCAI 152 (Transport Robert), foreshadow that financial institutions may need to develop a robust advocacy position on how and why PIPEDA continues to be the only applicable privacy statute.
Marcotte established a demanding threshold for exempting FWUBs from the provisions of provincial consumer protection laws. However, it did not necessarily close the door on future arguments challenging the application of a given provincial law’s provisions (including provincial privacy legislation) to a core banking activity. In Transport Robert, the CAI rejected a federally regulated transportation company’s PIPEDA paramountcy argument on the basis that there was no operational conflict between PIPEDA and the Québec private sector privacy act, and no frustration of purpose, because both statutes pursue the same objectives. The CAI found that the Québec act does not target an essential and vital element of the FWUB to the point of impairing the core federal competence over interprovincial transport or labour relations, and that the company did not provide evidence demonstrating a serious interference with Parliament’s jurisdiction in those areas. The Office of the Privacy Commissioner of Canada (OPC) has also taken the view that both PIPEDA and provincial privacy legislation can, in some circumstances, apply to the same transaction.
Given the global nature of data supply chains, including in the financial sector, and the ease with which personal information can be transferred across borders, privacy regulators and lawmakers have been focusing on the issue of transborder data flows.
In Canada, the OPC’s attention to transborder data flows intensified after its Equifax decision. While the OPC has maintained its 2009 “Guidelines for processing personal data across borders”, it has begun imposing a “demonstrable accountability” standard on organizations that transfer personal information across borders. In its 2019-2020 Annual Report to Parliament [1] (Annual Report), the OPC noted its concern “that the current law may not adequately protect the personal information of Canadians when it travels outside our borders”. The Annual Report called for the federal government to update the existing transborder standards in PIPEDA on the basis that PIPEDA’s “comparable level of protection” standard appears to provide a lower level of protection than standards found in modern statutes, such as the EU’s “essentially equivalent” protection requirement. Québec’s Bill 64 also proposes to impose adequacy and accountability requirements on organizations transferring personal information outside the province, including requiring organizations to conduct an “adequacy” assessment of privacy-related factors before transferring or disclosing any personal information outside Québec.
The focus on data flows is not unique to Canada. Recently, the Court of Justice of the European Union released the long-anticipated Schrems II decision, which, with immediate effect, invalidated the EU-U.S. Privacy Shield mechanism that over 5,000 U.S. businesses, from major tech companies to large financial institutions, had relied on for transferring and processing data from the EU to the U.S. (for more, see our bulletin on the Schrems II decision).
Earlier this year, Canada’s Competition Bureau announced that Facebook had agreed to pay a $9 million penalty for making misleading privacy claims about the access, use, and sharing of Canadian users’ personal information. The Bureau’s Facebook settlement signals that it will assume an active role in reviewing businesses’ privacy practices to ensure Canadians have a competitive and vibrant digital economy, because privacy has come to represent an important component of a product offering and its quality. The Bureau’s Facebook enforcement action follows a larger international trend of regulators and courts examining companies’ data practices through the lens of their competition, privacy and consumer protection rules. While the regulators have focused their convergent regulatory lens on the big technology companies, it is only a matter of time before the regulators widen their focus to other industries. Traditional financial institutions’ adoption of digital technologies and increasing focus on harnessing the vast and rich data they hold to provide innovative and personalized services, combined with their significant profiles within their sector, means they are likely to be part of the next wave of such a convergent regulatory approach.
With the significant economic impact COVID-19 is having on the financial sector and more broadly, it is inevitable that there will be a wave of market consolidation within the financial sector and the industries it supports or invests in. Given the ever-expanding regulatory landscape and the widespread rise in cybersecurity incidents (e.g., data breaches, ransomware attacks), it is vital that acquiring organizations (and their investors) fully comprehend the privacy and cybersecurity risks associated with their targets.
The proposed US$124 million fine the UK Information Commissioner’s Office (ICO) announced in July 2019 against Marriott sheds light on the importance of undertaking cybersecurity due diligence in the M&A context. The ICO’s fine against Marriott was the result of a data breach discovered in 2018 that arose from a 2014 compromise of Starwood’s systems. Marriott only discovered the breach and the underlying vulnerability in 2018, two years after it acquired Starwood. In finding that Marriott remained liable for the violations of GDPR even though the underlying vulnerability originated under Starwood, the ICO noted that: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected” [2]. In August 2020, a class action was launched against Marriott on behalf of an estimated seven million former guests from England and Wales whose personal data was compromised in the 2018 incident that originated at Starwood.
There is no doubt that cybercrimes perpetrated by external threat actors (e.g., ransomware, social engineering) have been on the rise this year and continue to represent a significant privacy and cybersecurity risk to the financial sector, but the issue of ‘malicious insider’-led breaches, which represents an equally significant data security risk to financial institutions, gets much less attention. The OPC’s recently released Annual Report found that the financial sector accounted for 19% of the breach reports it received in the past year, and that roughly half of reported breaches involved unauthorized access by malicious actors or insider threats, often as a result of employee snooping or social engineering [3].
The malicious insider risk is enhanced when insiders with significant access to confidential or personal information are now routinely required to work remotely, without traditional supervision or communication channels. Malicious insiders can go undetected for long periods of time, which compounds the scale and severity of the incident and the harm to the organization and its customers. Malicious insiders can be difficult to detect: a) if their misuse of company data develops gradually; b) if their access to information appears relevant to their roles; and c) because they can be motivated by significantly different factors (e.g., self-interest, profit, activism, sudden personal challenges and blackmail). With remote work and altered schedules now entrenched due to the pandemic, it will be even harder to detect unusual data use activity.
Because insiders have an institutional understanding of what and where the “crown jewels” or confidential sensitive customer information is stored, they can inflict significant financial and reputational damage to an organization. Once detected, such malicious insider-rooted breaches can also have a long-term impact on the business, including by diverting internal resources, affecting employee morale, compromising customer trust in the organization, and triggering litigation and regulatory investigations.
With work from home now considered the “new normal”, financial institutions should review their current work from home policies, technologies and safeguards, most of which were likely put in place as temporary measures, to ensure that they adequately safeguard sensitive information and that the appropriate technologies and protocols are in place to effectively detect malicious insider activity.
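As an added illustration (not part of the original bulletin), the following Python sketch shows why the two detection difficulties noted above (gradual escalation, and access that looks role-appropriate) defeat a simple per-user “spike” rule, and how comparing each employee’s daily record access against same-role peers on the same day still surfaces the outlier. The log format, user names, roles and daily counts are constructed for the example; a real deployment would read these from the institution’s access-audit system, and the thresholds would be tuned to the business.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log (not real data). One record per user per day:
# ISO date, user id, job role, number of customer records viewed that day.
# "bob" raises his volume by roughly 25% a day, so no single day looks like
# a spike against his own history, but by day 5 he is reading more than
# twice what his peers in the same role read.
SAMPLE_LOG = """\
2020-09-01 alice advisor 42
2020-09-01 bob advisor 38
2020-09-01 carol advisor 45
2020-09-01 dave ops 12
2020-09-02 alice advisor 40
2020-09-02 bob advisor 51
2020-09-02 carol advisor 44
2020-09-02 dave ops 15
2020-09-03 alice advisor 41
2020-09-03 bob advisor 64
2020-09-03 carol advisor 39
2020-09-03 dave ops 11
2020-09-04 alice advisor 43
2020-09-04 bob advisor 80
2020-09-04 carol advisor 46
2020-09-04 dave ops 14
2020-09-05 alice advisor 39
2020-09-05 bob advisor 97
2020-09-05 carol advisor 42
2020-09-05 dave ops 13
"""


def parse_log(text):
    """Parse whitespace-separated lines into (date, user, role, count) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, user, role, count = line.split()
        rows.append((date, user, role, int(count)))
    return rows


def spike_vs_previous_day(rows, ratio=2.0):
    """Naive detector: flag a user whose count is >= ratio x their own
    previous day. Returns a sorted list of (date, user). A slow ramp never
    crosses this threshold, which is exactly the gradual-misuse blind spot."""
    by_user = defaultdict(list)
    for date, user, _role, count in rows:
        by_user[user].append((date, count))
    alerts = []
    for user, series in by_user.items():
        series.sort()
        for (_, prev), (date, cur) in zip(series, series[1:]):
            if prev > 0 and cur >= ratio * prev:
                alerts.append((date, user))
    return sorted(alerts)


def drift_vs_peers(rows, multiplier=2.0, min_peers=2):
    """Peer-group detector: flag a user whose daily count is >= multiplier x
    the median of the OTHER users holding the same role on the same day.
    Comparing against same-day peers absorbs schedule shifts that affect the
    whole team (e.g. remote work), and catches access that is plausible for
    the role but out of proportion to it. Roles with fewer than min_peers
    other members that day are skipped because there is no baseline.
    Returns a sorted list of (date, user, ratio_to_peer_median)."""
    by_day_role = defaultdict(list)
    for date, user, role, count in rows:
        by_day_role[(date, role)].append((user, count))
    alerts = []
    for (date, _role), members in by_day_role.items():
        for user, count in members:
            peers = [c for u, c in members if u != user]
            if len(peers) < min_peers:
                continue
            baseline = median(peers)
            if baseline > 0 and count >= multiplier * baseline:
                alerts.append((date, user, round(count / baseline, 2)))
    return sorted(alerts)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("day-over-day spikes:", spike_vs_previous_day(rows))
    print("peer-group drift:", drift_vs_peers(rows))
```

On the constructed log the spike rule returns nothing, while the peer-group rule flags bob on 2020-09-05 at roughly 2.4 times the median of the other advisors; dave, the only member of his role, is skipped rather than compared against an empty baseline. In practice the peer comparison would be one signal among several (time-of-day, record types, export or print events), and the median should be computed over a longer window than a single day for small teams.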
[1] 2019-2020 Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act (October 2020).
[2] ICO, Intention to fine Marriott International, Inc. more than £99 million under GDPR for data breach (July 2019).
[3] OPC Annual Report: Breaches of security safeguards.