2016: Cybersecurity, Corporate Ebola and CASL
Take the word “risk”. Four letters, such a small word, but those four letters support entire industries, form the basis of global compliance programs and have as many conflicting interpretations as there are words in the thesaurus.
Ask the average person what “risk” means and the answer will be something like, “the chance that something bad might happen”. That’s as good a definition as any for everyday life, but the Risk Management world uses that word in fundamentally different ways.
This definition of risk from Investopedia tells the reader everything and at the same time absolutely nothing. It’s a vague idea, requiring context to be properly understood.
Currency risk, execution risk, technology risk, fraud, change in legislation, failure to execute, regulatory investigations, country risk, interest rates, third party risk, liquidity … just some of the predictable risks to a business.
I was speaking at the Global Mining AntiCorruption conference in early October and this topic came up. My point was that I see two kinds of risk: theoretic and functional. Much of what a compliance department or Risk Manager does is to protect against theoretic, visible, day-to-day risk. Examples of these are creating processes to protect against the Fraud Triangle, buying futures to protect against movement in currencies, having appropriate kinds and levels of insurance, staying current with IFRS to make accurate minimal disclosure, and basic due diligence on third-party vendors.
This first level of risk management is absolutely necessary. To a large extent it’s “check the box” risk management, supervised largely by regulators with retrospective vision, the International Standards and Accounting Board, and class action lawyers.
Part of Cybersecurity falls in that area.
Cybersecurity was identified by PwC at its 2015 global conference in Monte Carlo as one of the key risks to businesses in 2016. The cybersecurity insurance market is estimated to be worth USD$7.5B by 2020. IIROC, the self-regulatory body for Canada’s brokerage firms, takes this so seriously that in December 2015 it issued a standalone Cybersecurity Best Practices Policy aimed at small and medium-sized firms.
There will always be hackers trying to breach the company’s castle walls. It’s a constantly evolving arms race between the people who own the data and the people who want it.
Some of those battles might be lost from time to time, but one part of cybersecurity where no company should ever lose is in its CASL compliance.
We have been banging on the CASL drum for about two years and will continue to raise the alarm. A failure to be in compliance has the potential to wipe out your company. It is that serious. See a recent article here that outlines why CASL should be seen as corporate ebola.
A quick recap of CASL’s basic tenet: before you send any electronic message (email, BBM, proximity-based marketing) to an account (email, phone, Bluetooth), you MUST have that account holder’s prior consent. You cannot message to ask for consent to send a message – you must already have consent to send the message. The onus is on you as the sender to prove you had that prior consent.
There are other rules, limits and exceptions in this Canada-wide statute, but that’s the key principle to keep in mind.
Currently, the only consequence of a failure to comply with CASL is a prosecution by the Canadian Radio-television and Telecommunications Commission (CRTC) and possible fines. The maximum penalty for a violation is $1,000,000 for an individual and $10,000,000 for a corporation, in addition to the legal costs, the cost of distraction and the public relations damage.
I’ve spoken with dozens of companies that have said, “Sure, but the CRTC will never prosecute us. We’re too small / invisible / almost in compliance.” All of that is probably true. With over 99% of companies NOT being in CASL compliance, the odds of a negative consequence for being in breach are minimal.
The problem is, that will change in July of 2017. That’s when the courts begin to share jurisdiction over CASL breaches. You and your company can then be sued for CASL breaches. Yes, in court, and supportable by class action litigation. And the onus will be on you as the sender to prove you were in compliance – the plaintiffs will not have to prove you weren’t in compliance.
That’s as scary as it sounds. And it is the law of Canada.
The law applies to any email received in Canada. So imagine a Florida-based company with a sales subsidiary in Calgary, sending emails that are offside of CASL. Even an articling student can see the path: bring class action litigation against the Calgary sub, and allege the Florida directors were negligent in failing to ensure good Risk Management protocols were in place. Bang! A breach of CASL in Canada comes home to Florida.
Anyone who emails for business reasons into Canada is at risk, regardless of where your home office or servers are located. CASL can follow you extra-jurisdictionally.
This is the new reality, a simple decision to make, based on obvious Risk Management principles. The massive risk clearly exists, so welcome to 2016: get into CASL compliance now and avoid being sued in 2017.
Make sure CASL compliance appears as a line item in this year’s budget. If it’s not there, ask your Risk Management team why not.
Mr. Clausi is an experienced investment banker, executive, director and shareholder activist. A graduate of Osgoode Hall Law School called to Ontario's bar in 1990, ...