Agenda

Day One: Tuesday, November 19, 2019

08:00

60 min

Registration and Continental Breakfast

09:15

60 min

Armchair Chat with David Goodis and Ann Cavoukian: Are We Moving in the Right Direction?

Ann Cavoukian, Executive Director, Global Privacy & Security by Design Centre

David Goodis, Assistant Commissioner, Information and Privacy Commissioner of Ontario

Constantine Karbaliotis, Director, PWC Canada

  • Impact of current changes on your privacy and cyber security strategy
  • Is the Digital Charter a step in the right direction?
  • Impact of the Charter on Canadian organizations
  • Post election analysis
  • Strategies for planning ahead

10:15

15 min

Break

10:30

60 min
Panel Discussion

Are You Meeting Legal Obligations to Safeguard and Protect Client / Customer Information?
Best Practices Preparing for / Preventing Data Breaches

Panel Moderator: Elspeth Hagan, Global Compliance, McCain Foods Limited

Rafael Eskenazi, FIPP Director, University of Toronto

Isaac Straley, Chief Information Security Officer, University of Toronto

  • What your comprehensive, pre-tested, robust incident readiness and response plan should contain
  • Defining roles and responsibilities: who coordinates efforts?
  • What are the legal standards?
  • Policies and procedures to ensure alignment with your organization, best practices and updates for new and emerging threats
  • Training on policies and procedures
  • How to build staff awareness including detection of malware, signs of data breach
  • Putting your Incident Response Plan (IRP) to the test to arm your team with experience
  • Table top exercises to test every IRP procedure from detection and containment to remediation and recovery
  • What does proactive compliance mean in the context of these different organizations?
  • How do the obligations change depending on the sensitivity of the information?
  • Baseline security requirements
  • Self-assessment and vulnerability assessments
  • What constitutes sufficient steps to meet legal obligations to safeguard and protect client/customer information
  • What is best practice in protective and preventive measures?
  • Checklist for assessing how well your organization protects and safeguards client and customer information
  • Preparing for transfer of information across borders – are Canada’s standards good enough?
  • Privacy impact and security assessments – meeting regulatory and business expectations

11:30

45 min
Panel Discussion

How Will You Be Judged in the Aftermath of an Attack?
Best Practices in Responding to Data Breaches

Moderator: Mark Hayes, Hayes eLaw LLP

Sara Azargive, Sr. Privacy Officer, Office of the General Counsel and Corporate Secretary, Metrolinx

David Goodis, Assistant Commissioner, Information and Privacy Commissioner of Ontario

  • Activating The Incident Response Plan
  • Moving in accordance with policies, protocols, processes and procedures that guide how incidents are detected, reported, assessed, and responded to
  • Key regulatory developments and trends
  • Determining the source of the breach and whether threshold for notification has been reached
  • New breach notification rules
  • Examining the breach reporting legal threshold for determining “real risk of significant harm”
  • Assessment tools/ the privacy breach tool kit
  • How can the test be made more objective and more robust?
  • Obligation to report “as soon as feasible” – what does this mean?
  • Obligation to maintain accurate, complete and current records of an incident and decisions made with respect to response
  • Description of incident containment and investigation re specific risks
  • Obligation to keep records of all breaches so the Commissioner can assess compliance with the law as required – what does it entail?
  • Handling multiple jurisdictions
  • Determining content of communications to the Commissioner and customers/clients – direct versus indirect notice
  • Tension between legal and communications about what should be released
  • Media and public relations
  • Setting out strategies for maintaining legal privilege with respect to communications and documentation relating to the incident
  • Court cases, class actions and penalties for data security breaches
  • Who’s doing what out there and how do you compare?
  • Are you over or under cautious?
  • Post-incident analysis
  • Engaging with law enforcement

12:15

75 min

Luncheon

13:30

60 min

Cyber Audits: A Check-List Approach to Determining Where Your Organization Is Most Vulnerable and Where You Stand on the Preparedness Spectrum

Sylvia Kingsmill, Partner, National Lead, Privacy, Regulatory & Information Management, KPMG

John Heaton, Partner, Cyber Security Advisory, KPMG

  • Establishing your threat baseline
  • Evaluating your readiness posture
  • Review of all systems, firewalls, anti-virus etc.
  • The need for regular cyber audit check-ups
  • What should be on the cyber audit check-list?
  • What haven’t you done?
  • Where do you stand on the readiness spectrum in each area?
  • Updating your cyber security policy to mitigate risk if and when disaster strikes
  • Training and testing – what training sticks and what needs work
  • Desktop exercises
  • Intersection of privacy and security in breach reporting as a preparedness exercise

14:30

15 min

Break

14:45

45 min

Third Party Contracts: How Well Are You Protecting Client / Confidential Information in the Hands of Your Third Party Providers Inside and Outside Canada?

Richard Austin, Partner, Deeth Williams Wall

  • Managing risk and allocating liability
  • Vendor vetting and contract negotiation
  • What’s negotiable/what’s not?
  • What vendors and suppliers will and will not promise
  • Most contentious and most important contract provisions
  • Steps to mitigate risk when you can’t get the contractual terms you’re after
  • Checklist for evaluating how well you safeguard information in the hands of your third party providers
  • Formula for selecting options and services from third parties based on deemed acceptable risk level and sensitivity of information
  • Facebook/Cambridge Analytica

15:30

60 min

Mergers & Acquisitions: Privacy and Cyber Security Due Diligence

Constantine Karbaliotis, Director, PWC Canada

  • Are you sufficiently quantifying and analyzing cyber security as part of due diligence?
  • Differentiating the cyber security challenge from the risks of mergers and acquisitions
  • Risks and liabilities surrounding the original and new organizations
  • What are appropriate cyber activities before, during and after a merger or acquisition
  • Practical solutions on how to identify, understand and mitigate cyber risk during the M & A due diligence process

16:30

End of Day One

Day Two: Wednesday, November 20, 2019

08:00

60 min

Registration and Continental Breakfast

09:15

60 min
Panel Discussion

Health Care Challenges: What the Sector is Learning and How It Can Assist Other Sectors

Moderator: Laura Davison, Vice President, Chief Privacy Officer, General Counsel & Corporate Secretary, eHealth Ontario

Gillian Kafka, Legal Counsel and Chief Privacy Officer, Hamilton Health Sciences

Erica Zarcovich, General Counsel and Chief Privacy Officer, Cancer Care Ontario

Sandeep Deol, Legal Counsel - Information Management (Privacy) and Technology, Corporate/Commercial, University Health Network

  • Key lessons learned the hard way
  • What cyber risks are we seeing?
  • What we have learned about attacks and prevention
  • The need for long term strategic plans and collective action
  • How is critical infrastructure being safeguarded?
  • Need to raise awareness, define roles and responsibilities, develop policies and standards, establish cyber security plans and budgets

10:15

15 min

Break

10:30

60 min

Canadian Banks and Financial Institutions: At the Forefront of Privacy and Cyber Security

Moderator: Charles Docherty, Assistant General Counsel, Canadian Bankers Association

Holly Shonaman, Chief Privacy Officer, RBC

Claude Baksh, Chief Compliance Officer, Chief Risk Officer, Chief Privacy Officer and Chief AML Officer, Computershare Canada

Ferris Adi, Instructor, Cyber Security Management Program/ University of Toronto School of Continuing Studies, Former Risk Manager, TD Bank

  • Actions for prevention, detection and response
  • Key challenges
  • How the banking sector is working toward solutions
  • Breaking and entering to date – patterns and trends
  • Sector specific learning
  • Money transfers via email – convenience over security?
  • Other typical problems and solutions

12:30

60 min

Luncheon

13:30

60 min

Assessing Privacy and Cyber Security Team Bench Strength: Can the Team Do the Job?

Vanessa Henri, Privacy and Cybersecurity Group, Fasken

  • Roles and responsibilities of the Privacy Office
    • Legal, functional and operational differences (CPO, DPO, GC, etc.)
    • Tools and reporting functionality to prevent and respond to PII risks
  • Roles and responsibilities of the CIO/CISO Office
    • Distinguishing IT and security
  • Responding to an incident; who does what, and according to what documents?
    • IRP – What does it look like? How long should it be, and how should it be coordinated? (Based on NIST)
    • Incident classification against roles and responsibilities
      • IT incident
      • Security Incident
      • Privacy Incident
    • Timely involvement of contractors and third party expertise
    • Communicating effectively with stakeholders and data subjects on an incident
  • Assessing effectiveness of roles and responsibilities

14:30

15 min

Break

14:45

60 min

How Shifts in the International Data Protection World Affect Data Protection Issues in Canada

Imran Ahmad, Partner, Blake, Cassels & Graydon LLP

Over the past 12 to 18 months, several jurisdictions have adopted prescriptive data protection and privacy laws that affect Canadian businesses. This session will cover:

  • What has the impact of the EU’s GDPR been on Canada, one year later?
  • What can be expected with the California Consumer Privacy Act coming into force January 1, 2020?
  • How to reconcile Canadian privacy requirements with international requirements.
  • Should you worry about the extraterritorial scope of foreign data protection and privacy laws?
  • Best practices when navigating global requirements.

15:45

45 min

Cyber Security And Privacy Liability Insurance For Public And Private Organizations

Ruby Rai, Cyber Practice Leader, Canada, Marsh & McLennan Companies

  • State of the cyber risk market
  • Underwriting cyber risk
  • Convergence of coverage
  • What are your insurance coverage options?
  • Reading the fine print – What’s covered, what’s not?
  • Quantitative foundations for managing cyber risk
  • Cyber aggregate risk, silent cyber exposure, risk selection, reinsurance, catastrophic events
  • Prioritizing execution plans, enabling risk management and quantification as variables for decision making
  • Balancing compliance programs with day-to-day activity
  • Role of, and insurance for, privacy officers and Chief Information Security Officers
  • Trends in cyber insurance claims
  • Breach preparedness – key factors insurers consider when underwriting cyber insurance
  • The need for a comprehensive, well communicated incident-response plan

16:30

End of Day Two