A class action suit that sought compensatory and punitive damages against credit-reporting company Equifax Inc. following a massive global data breach that affected more than 143 million people worldwide, including 19,000 Canadians, was refused certification by Quebec Superior Court.
Private sector organizations following federal privacy law will have to provide breach notifications to customers and the privacy commissioner where it is reasonable to believe that the breach creates a “real risk of significant harm,” under long-awaited proposed regulations to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
The draft regulations, if and when they come into force, are expected to provide Canadians with better protection while providing organizations with yet another compelling incentive to adopt better security practices to thwart a phenomenon that is occurring with alarming frequency, according to privacy experts.
Early this month, a security breach at credit-monitoring company Equifax Inc., one of three major credit bureaus in the United States, could affect up to 143 million Americans and an undisclosed number of Canadians. More recently still, the personal information of some one million users from the news and entertainment website Canoe.ca was exposed after some of its databases were hacked.
A month after the parent company of the controversial adult dating website Ashley Madison settled a complaint with the U.S. Federal Trade Commission and state charges over the 2015 data breach that exposed the personal data of more than 36 million users and highlighted the site’s unfair and deceptive practices, the firm is now trying to thwart 20 class actions against it by invoking online arbitration agreements the plaintiffs signed when they subscribed to its matchmaking services.
Just before the Christmas holidays, Toronto-based Avid Life Media Inc. (ALM) agreed to pay US$1.6 million and implement a comprehensive data-security program, including third-party assessments, to settle claims by the FTC, which worked in collaboration with 13 U.S. states. According to the FTC complaint, until August 2014, operators of the site “lured” customers, including 19 million Americans, with fake profiles of women designed to convert them into paid members.
Thanks to the alarming surge of breaches and the inconceivable reams of data, clients are increasingly pressing for, and in many cases demanding, higher standards on how outside counsel secure their data and manage access to it. A growing number of law firms determined to keep pace with the new challenges created by mounting security requirements and the data deluge are tackling the issues through a different prism, and turning their attention towards becoming shepherds of all the information in their hands by embracing a relatively new approach: information governance.
Until recently known generally only within narrow technical circles, this enterprise-wide approach to the management and protection of a law firm’s client and business information assets has gained increasing attention, especially over the past year. It is a business process that covers the management of all facets of information during its lifecycle, from its creation, use, processing, protection and management all the way to its disposition.
But information governance is much more than electronic records management on steroids.