Day One: Wednesday, November 18, 2020
10:00 EST
15 min Welcome and Opening Remarks from the Chair
10:15 EST
45 min View from the Top: The Commissioners’ Point of View
Future Plans: Where is Ontario Going?
Patricia Kosseim, Information and Privacy Commissioner of Ontario
11:00 EST
60 min Governance, Audits, Risk Assessments, Compliance, Cyber Risk Quantification
- What are the threats to information assets?
- Where are your vulnerabilities?
- Where are you on the maturity spectrum?
- What are the limitations of assessments?
- Board oversight
- Role of senior management
- In-house or external risk assessment
12:00 EST
45 min Break
12:45 EST
45 min PIPEDA AND GDPR: Canadian Versus International Privacy and Security Requirements: What’s Happened to Date and What’s Coming Down the Pipes?
Moderator: Imran Ahmad, Partner, Blake, Cassels & Graydon LLP, Toronto
Ian Birdsey, Partner, Clyde & Co, London
Jennifer J. Daniels, Partner Corporate, Blank Rome, New York City
This session will highlight important features of PIPEDA, including the impact of provincial COVID privacy amendments, and provide important insights into the differences between PIPEDA, the California Consumer Privacy Act and GDPR as they impact Canadian businesses.
- What has the impact of the EU’s GDPR been on Canada, one year later?
- One year post-mortem on California Consumer Privacy Act that came into force January 1, 2020?
- How to reconcile Canadian privacy requirements with international requirements.
- How shifts in the international data protection world affect data protection issues in Canada
- Should you worry about the extraterritorial scope of foreign data protection and privacy laws?
- Best practices when navigating global requirements
13:30 EST
50 min Are You Meeting Legal Obligations to Safeguard and Protect Client/Customer Information? Best Practices: Preparing for and Preventing Data Breaches
Moderator: Suzanne Kennedy, Partner, Harris and Company LLP
Steven Tam, General Counsel & Chief Privacy Officer, Vancouver Coastal Health Authority
Jennifer Brough, Senior Legal Counsel, Vancity Credit Union
Isaac Straley, Chief Information Security Officer, University of Toronto
- What your comprehensive, pre-tested, robust incident readiness and response plan should contain
- Defining roles and responsibilities, who coordinates efforts?
- What are the legal standards?
- Policies and procedures to ensure alignment within your organization
- Best practices and updates for new and emerging threats
- Training on policies and procedures
- How to build staff awareness including detection of malware, signs of data breach
- Putting your Incident Response Plan (IRP) to the test to arm your team with experience
- Table top exercises to test every IRP procedure from detection and containment to remediation and recovery
- What does proactive compliance mean in the context of different organizations?
- How do the obligations change depending on the sensitivity of the information?
- Baseline security requirements
- Self assessment, vulnerability assessments
- What constitutes sufficient steps to meet legal obligations to safeguard and protect client/customer information
- What is best practice in protective and preventive measures?
- Checklist for assessing how well your organization protects and safeguards client and customer information
- Preparing for transfer of information across borders – are Canada’s standards good enough?
- Privacy impact and security assessments – meeting regulatory and business expectations
- Safeguards for open banking
14:20 EST
20 min Break
14:40 EST
50 min How Will You Be Judged in the Aftermath of an Attack? Best Practices in Responding to Data Breaches
Moderator: Debra J. Finlay, Partner, McCarthy Tétrault
Susy Mendoza, Sr. Director, Legal, Lululemon USA Inc.
Erica Zarkovich, VP, General Counsel, Chief Privacy Officer, Corporate Secretary, Life Labs
- Activating The Incident Response Plan
- Moving in accordance with policies, protocols, processes and procedures that guide how incidents are detected, reported, assessed, and responded to
- Key regulatory developments and trends
- Determining the source of the breach and whether threshold for notification has been reached
- New breach notification rules
- Examining the breach reporting legal threshold for determining “real risk of significant harm”
- Assessment tools/ the privacy breach tool kit
- How can the test be made more objective and more robust?
- Obligation to report “as soon as feasible” – what does this mean?
- Obligation to maintain accurate, complete and current records of an incident and decisions made with respect to response
- Description of incident containment and investigation re specific risks
- Obligation to keep records of all breaches so the Commission can assess compliance with the law as required – what does it entail?
- Handling multiple jurisdictions
- Determining content of communications to commission and customers/clients – direct versus indirect notice
- Tension between legal and communications about what should be released
- Media and public relations
- Setting out strategies for maintaining legal privilege with respect to communications and documentation relating to the incident
- Court cases, class actions and penalties for data security breaches
- Who’s doing what out there and how do you compare?
- Are you over or under cautious?
- Post-incident analysis
- Engaging with law enforcement
15:30 EST
45 min Cyber Challenges Presented by Remote Employees
Criminals are using the current COVID-19 crisis to ramp up their game and take advantage of vulnerabilities. Regardless of industry, every organization is at a higher risk of cyberattack.
- “Remote by default” organizations
- Why people working at home is a time of opportunity for threat actors
- Why organizations are more vulnerable than ever before
- Threats posed by employees using their private systems including iCloud, personal email, personal internet, Wi-Fi routers and Zoom
- The need to broaden your defence
- Identity based attacks
- Is openness to use of personal devices and services other than the organization’s responsible?
- Increases in the threat landscape
16:15 EST
End of Day One
Day Two: Thursday, November 19, 2020
10:00 EST
10 min Welcome and Opening Remarks from the Chair
10:10 EST
50 min AI, Big Data and More! Threat Assessment/Threat Intelligence Update for 2020-2021
Threat intelligence helps organizations better understand the attacker, respond faster to incidents and proactively get ahead of the adversary’s next move. Learn about:
- Motives and behaviours of attackers
- Trends in attacker tactics, techniques, procedures
- Proactively tailoring defenses and pre-empting future attacks
- Tactical, operational and strategic intelligence
- The threat intelligence life cycle
- How will employees working remotely impact privacy and cyber security concerns?
- Impact of open banking
- Which current or emerging technology will deliver the greatest benefits to privacy and cyber security/ which will contribute to increased threats?
- Are current innovations undermining freedom and privacy?
- Will one technology or methodology emerge as paramount in the cyber security space?
11:00 EST
45 min Third Party Contracts: Ensuring Vendors and Suppliers Protect Your Data
This invaluable session will strengthen your ability to protect your organization’s data and systems in a manner that:
- Meets or exceeds the standards of your own organization
- Adheres to your own policies and procedures and
- Complies with relevant laws, regulations and industry standards
- Managing risk and allocating liability
- Vendor vetting and contract negotiation
- What’s negotiable / what’s not?
- What vendors and suppliers will and will not promise
- Most contentious and most important contract provisions
- Steps to mitigate risk when you can’t get the contractual terms you’re after
- Checklist for evaluating how well you safeguard information in the hands of your third party providers
- Formula for selecting options and services from third parties based on deemed acceptable risk level and sensitivity of information
- Facebook / Cambridge Analytica
11:45 EST
45 min Break
12:30 EST
45 min Cyber Security & Privacy Liability Insurance For Public And Private Organizations
Moderator: Mikel Pearce, Lawyer, Strigberger Brown Armstrong
- Current market for cyber risk
- Underwriting cyber risk
- Convergence of coverage – stand alone policies and traditional property and liability policies
- Insurance coverage options
- Reading the fine print: what’s covered and what’s not?
- Breach preparedness – key factors insurers consider when underwriting cyber insurance
- Responding to and managing cyber insurance claims
- Trends in cyber insurance claims
- The need for a comprehensive, well communicated incident-response plan
13:15 EST
60 min Litigation and Class Action Liability for Negligence or Recklessness
- What should your organization be most worried about
- Scenarios likely to cause problems
- Litigation causes of action
- Negligence
- Breach of contract
- Intrusion upon seclusion
- Nominal damages
- Which way are we headed?
14:15 EST
15 min Break
14:30 EST
60 min Canadian Banks, Financial Institutions and Fintechs: At the Forefront of Privacy and Cyber Security
David Crane, Partner, McCarthy Tétrault
Cappone D’Angelo, Senior Legal Counsel, Legal Services Department, Vancity
Matt Lonsdale, Legal Counsel, Coast Capital Savings
Alice Davidson, Vice President and General Counsel, Mogo Financial Technology Inc
Conni Gibson, Vice-President and Chief Legal Officer, Technology and Operations, BMO Financial Group
- Actions for prevention, detection and response
- Key challenges
- How the banking sector is working toward solutions
- Regulatory (OSFI) guidance on cyber security
- Collaboration between financial institutions
- Breaking and entering to date – patterns and trends
- Sector specific learning
- Money transfers via email – convenience over security?
15:30 EST
50 min Health and Public Sector Challenges: What these Sectors are Learning and How It Can Assist Other Sectors
Moderator: Noemi Chanda, Senior Manager, Risk Advisory, Deloitte
Steven Tam, General Counsel & Chief Privacy Officer, Vancouver Coastal Health Authority
Gillian Kafka, General Counsel, Chief Privacy and Information Security Officer, Winterlight Labs
- Key lessons learned the hard way
- What cyber risks are we seeing?
- What we have learned about attacks and prevention
16:20 EST
End of Day Two