Many businesses rely on digital information and data in their daily operations. Too many of those same businesses use technology without considering whether they are protecting it sufficiently, or without knowing how to. Unfortunately, this can be a business's downfall, as cybercrime rates in Canada continue to climb (as of 2020-2022).
In fact, the 2020 Cyberthreat Defense Report (CDR) by CyberEdge Group found that over 75% of Canadian organizations have suffered at least one cyberattack in a 12-month period. That’s no number to shake a stick at, and it’s going up as cybercriminals become more sophisticated in their efforts.
Enter Law 25, also known as the Modernization of Personal Information Protection Laws Act, or Bill 64 (its initial name when it was first assented to by the National Assembly back in September 2021). This reform makes Quebec the first province in Canada to modernize its personal information protection scheme in line with modern data and technology realities.
Over the next few years, Law 25 will be phased in gradually. Businesses that do not comply with the new rules could face severe financial penalties. Here’s how it’s all going to go down.
What is Law 25 and how will it be phased in?
Law 25 comprises 3 separate phases, implemented gradually over the course of 3 years.
Phase 1
As of September 22, businesses and organizations in Quebec will have to designate a single authority (a privacy officer) who is responsible for protecting any personal information at your company’s disposal. This officer must ensure compliance with Quebec’s Private Sector Act, and their contact information will need to be posted on your company’s website. Any privacy breaches that occur must be reported to the Commission d’accès à l’information (the CAI) as well as to any affected individuals who may be at risk of serious harm. All businesses are required to keep a record of privacy breach events.
What constitutes a confidentiality incident? It’s important to know which scenarios of loss or theft of personal information could affect your organization. To mitigate your risk, you should implement sufficient risk identification and mitigation procedures.
Phase 2
The most complex phase begins a year later, on September 22, 2023. Your organization will be required to implement processes that create a governance framework ensuring compliance. Each company must set up a team that communicates and implements policies intended to protect all personal information at the company’s disposal. There must also be a system in place for handling complaints.
This phase requires numerous obligations to be met. Those include:
- If your company does business with other jurisdictions, you must verify that personal information transferred to the other jurisdiction will receive the same protection as it would in Quebec, in compliance with the same laws.
- Providing a framework that meets transparency requirements with respect to third parties that may supply your organization with personal information, including tracking, profiling, and identification technology.
- Privacy Impact Assessments (PIAs).
- Disclosing the use of automated decision-making, if your company relies on it.
- If your company outsources the management of its personal information, you should have a written agreement that outlines your vendor’s obligations and tasks.
Your business could be subject to criminal penalties or administrative sanctions in phase 2. It’s important to be thorough during this process, as punitive damages and claims for deviations during this phase could reach $25 million.
Phase 3
The final phase comes into effect on September 22, 2024. It gives individuals whose personal information your organization has collected the right to receive a copy of the information they provided in a modern, structured technological format.
Businesses need to be proactive about the threats that collecting data presents. As the likelihood of experiencing a cybersecurity incident has spiked dramatically in recent years, it’s better to be safe than sorry.
Being proactive for Quebec businesses
The reality is that too many Quebec organizations wait until they’ve suffered a loss from a cyberattack before deciding to bolster their business’s defenses against these risks. It’s better to be proactive than to suffer the fallout of a potentially devastating cybercrime event. Part of risk management involves purchasing cyber insurance, which can protect your organization from the legal liability costs that could arise if a data breach occurred. Costs that cyber insurance can cover include restoration costs, legal defense costs, costs to restore your business’s reputation, potential ransomware costs, and more.
Bottom line? Being proactive is the first and foremost way to ensure longevity for your organization. Contact LMBF for advice on your business insurance policy and see how we can help enhance your protection for your peace of mind.