Canadian Underwriter
Zurich registers as lobbyist amid data breach risk concerns


July 13, 2015   by Canadian Underwriter

Zurich Insurance Company Ltd. has registered as a lobbyist with the federal government, indicating in a public filing it is lobbying on three recently-passed laws, one of which makes data breach notification mandatory across Canada.

“The nature of cyber security is evolving so quickly it can be difficult for businesses to keep track of the risks, let alone the solutions,” stated Greg Irvine, Zurich Canada’s vice president of specialty products. “For instance, a 2013 survey for the Office of the Privacy Commissioner of Canada found that while two thirds of Canadian businesses use customers’ personal information to help provide services to their customers, the same percentage – two thirds – do not have policies in place to assess privacy risks related to their business.”

In a filing with the Office of the Commissioner of Lobbying of Canada, Zurich Insurance indicated the subjects of its lobbying activity are Bill S-4 (the Digital Privacy Act), Bill C-59 (which implements some provisions of the budget tabled April 21) and Bill C-51 (the Anti-Terrorism Act), with respect to “identifying concerns for information breaches and mitigating such risks.”

Bill C-51 is an omnibus bill that was passed into law June 18. One of its measures is the enactment of the new Security of Canada Information Sharing Act. That law essentially allows federal institutions to share information with other federal institutions (listed in Schedule 3 of the act) when the information they are sharing pertains to “activities that undermine the security of Canada, including in respect of their detection, identification, analysis, prevention, investigation or disruption.”

Federal organizations can only share information “when it is relevant to their national security responsibilities,” the federal government noted in a backgrounder.

The organizations with whom that information can be shared include the Department of National Defence, the Royal Canadian Mounted Police, Canadian Security Intelligence Service, Communications Security Establishment, Canada Border Services Agency, Canada Revenue Agency and the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).

FINTRAC is mandated to detect “unusual patterns of transactions that resemble money laundering or terrorist financing activity.” It was established by the passage, in 2000, of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. That law imposes reporting and record-keeping requirements on several categories of businesses, such as life insurance companies, brokers or independent agents and securities dealers.

Reporting entities, for example, are required to report to FINTRAC the receipt of $10,000 or more in cash in a single transaction or the receipt of multiple cash amounts totaling $10,000 or more, within a 24-hour period, by or on behalf of the same entity.

When FINTRAC has “reasonable grounds to suspect that designated information would be relevant to investigating or prosecuting a money laundering offence or a terrorist activity financing offence,” that information must be reported to one or more government agencies (such as the police, CRA, CBSA and/or CSE) depending on circumstances.

With the passage June 23 of Bill C-59, the budget implementation bill, FINTRAC must now make such a disclosure to “an agency or body that administers the securities legislation of a province,” if FINTRAC “has reasonable grounds to suspect that the information would be relevant to investigating or prosecuting an offence under that legislation.”

The Digital Privacy Act (Bill S-4), which was passed into law June 18, would require organizations “to tell individuals if their personal information has been lost or stolen,” Industry Minister James Moore told the Standing Senate Committee on Transport and Communications in 2014. “As part of this notification, organizations will also have to tell individuals what steps they can take to protect themselves, such as changing their credit card PIN, their email password, setting up a secondary layer of security, and so on.”

Such notifications are required if “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.”

The new breach notification requirements “can pose a significant financial burden for small and mid-sized companies,” Irvine suggested to Canadian Underwriter. “According to a report published by the Ponemon Institute in May of this year, the average total organizational cost of a data breach is CDN $5.32 million with an average per capita cost of $250.”

Bill S-4 was tabled in April 2014 by British Columbia Conservative Senator Yonah Martin. It creates new offences for deliberately failing to report data breaches to individuals and the federal privacy commissioner, with fines of up to $100,000 for each individual an organization failed to notify.

“Given the large number of individuals who could potentially be affected by a data breach, this is a very serious penalty indeed,” Conservative MP Phil McColeman said last October in the House of Commons.

Bill S-4 also changes the Personal Information and Protection of Electronic Documents Act (PIPEDA) to permit disclosure of personal information, without a person’s consent, when the disclosure is “made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud.”

Richard Dubin, vice-president of investigative services at the Insurance Bureau of Canada, explained last March, before the House of Commons Standing Committee on Industry, Science and Technology, how that part of Bill S-4 can help adjusters investigate auto claims.

At the time, Dubin used as an example a collision where there is no significant damage, there are no witnesses other than the drivers, police are not called to attend and three “jump-ins” claim to have been passengers when in fact they were not.

“All three occupants were claiming soft tissue injury, but they didn’t report it at the scene of the accident so the police didn’t attend,” Dubin told the committee at the time. In this scenario, under PIPEDA before the passage of Bill S-4, the insurance company could get a general history and determine that the driver and vehicle had a previous collision.

The passage of Bill S-4 “would allow the insurer of this vehicle to contact the other insurer,” Dubin told MPs last March. “They would find out some of the scenarios, that the same scenario existed with the same service suppliers: they used the same rehab facility, the same body shop, everything was virtually the same.”
