Category: Cyber-security and Data Privacy

You’ve Activated Your Business Continuity Plan. What’s Next?

In light of the COVID-19 outbreak, many registered firms are implementing their business continuity plans (BCPs) and having their employees work from home, except where certain individuals need to access office facilities to ensure continued service to clients. In this article, we’ll address some issues for registered firms to consider in the short and medium term while operating in such conditions. We emphasize that firms and regulators are facing an unprecedented and constantly changing situation, and so our initial views on the issues below may change as circumstances evolve and regulators issue new or updated guidance or rules.

If my firm is covered by an “essential service” exemption from a government order to close businesses, why not carry on as usual from our office? Workplaces can contribute to the spread of the virus that causes COVID-19, and so a firm needs to evaluate the occupational health and safety, public health and litigation risks of having employees work from its offices or meet physically with clients, etc. The Government of Canada has published Risk-Informed Decision-Making Guidelines for workplaces and businesses during the pandemic. If you need legal advice on employment or occupational health and safety matters, AUM Law can source, evaluate and help you retain appropriate counsel and then manage the provision of that advice so that you can focus on running your business. From a securities regulatory compliance perspective, we think that a registered firm that requires all or most of its employees to work onsite instead of working from home could attract scrutiny from securities regulators due to concerns that the firm’s BCP is not functioning effectively.

Should my firm contact the securities regulator because we have activated our BCP? Activating your BCP does not, in itself, trigger an obligation to notify the Ontario Securities Commission (OSC). If, however, your firm finds that it might not be able to meet one or more of its regulatory obligations on a timely basis because of the pandemic, then that might trigger a filing obligation and we encourage you to speak to your usual lawyer at AUM Law as soon as possible. (See also our article in this bulletin on the blanket orders issued by members of the Canadian Securities Administrators (CSA) extending certain filing deadlines for registrants, investment funds and others.) We can advise you on your options and liaise with regulators on your behalf.

Do the home offices of registered individuals need to be approved as branch offices? Technically, having registered employees work from a location other than the address indicated on their Form 33-109F4 (Form F4), could be viewed as requiring an updated filing and/or approval of new “branch offices”. However, in light of the recent government orders and recommendations requiring or asking people to stay at home as much as practicable, we believe that at least in the short term, it is unlikely that OSC staff will expect registered firms to update Form F4s or seek approval for branch offices, provided that registered individuals are not meeting with clients in their homes or bringing home physical files that contain sensitive client information.

Cross-training: Are there functions at your firm that only one or two employees know how to perform? If you haven’t done so lately, we encourage you to review and update your list of key tasks and deadlines and the individuals responsible for performing those tasks. Identify a back-up person for each task and deadline (or group of related tasks and deadlines) and, if necessary, train that back-up person.

BCP considerations for “one-registrant” firms: If a registered firm has only one registered individual (One-Registrant Firm) to serve clients, we encourage the firm to have a plan to address a scenario where that individual is absent or incapacitated for weeks or months. We recommend that One-Registrant Firms, at a minimum, prepare standing instructions for the firm’s administrative staff and legal representatives to follow if the registered individual is absent or incapacitated for more than a brief period. Such firms also might wish to explore the feasibility of negotiating, in advance, a formal agreement with another registered firm (Temporary Successor). Such an arrangement could be a reciprocal one between two One-Registrant Firms seeking to address the same business continuity issue. Under such an agreement, the Temporary Successor would step into the shoes of the registered individual, for certain purposes, if that individual was unable to perform their duties for more than a brief period. The purpose of the agreement would only be to communicate with service providers and clients as the clients decide how best to address their account assets.

Technology risks including cyber-security and privacy risks: The rapid shift to remote work arrangements has resulted in some issues arising with respect to technology slowdowns, disruptions and hacking. Some firms are deploying new software or devices (including virtual meeting systems) that employees are having to become familiar with quickly, and many employees are dealing with the challenge of handling matters discreetly with family members or roommates present. There also are reports of some public, virtual meetings and conferences conducted over Zoom and similar systems being hacked. Finally, some employees are experiencing anxiety and confusion because of the pandemic. All these circumstances increase the risks of inadvertent cyber-security failures and opportunities for hacking. Maintaining robust cyber-security policies and procedures, adapting them as needed to address emerging or changing risks, reminding employees of the need to take precautions, and monitoring employees’ compliance with such policies and procedures are essential actions at this time both from a regulatory compliance and litigation risk perspective.

Communications with clients: Pandemic conditions and their knock-on effects in financial markets may result in a significant increase in customer call volumes or online account usage. Registered firms should review their BCPs and assess the effectiveness of their systems and processes to handle this level of increased activity. If your firm is experiencing difficulty serving customers in a timely way, please contact us to discuss measures you should undertake (including communication strategies) to address the situation. (On a related subject, please see our FAQ in this bulletin focused on ensuring that you’ve got current know-your-client (KYC) information for clients whose life situations may be changing dramatically.)

Supervision, compliance and internal controls during the new “work from home” normal: As we all adjust over the next month or so to the “new normal” of working remotely as much as practicable for an unknown period of time, we think that regulators will begin expecting to see registered firms consider whether they need to adapt their policies, procedures and controls to address any new or magnified regulatory compliance risks. AUM Law can help you assess whether  your existing supervisory system, compliance manual, procedures and internal controls should be revised to ensure compliance while many employees are operating from remote locations.

We can help: At AUM Law, we are experienced in reviewing BCPs from a regulatory compliance perspective. We can draft or update your BCP to ensure that it addresses a scenario like this one. Please don’t hesitate to contact us.

March 31, 2020

OPC Consults on Regulation of Artificial Intelligence

On January 28, the Office of the Privacy Commission (OPC) published its Proposals for Ensuring Appropriate Regulation of Artificial Intelligence (Consultation Paper). This work is a subset of a larger reform project focused on federal privacy laws. According to the Consultation Paper, the OPC believes that artificial intelligence (AI) presents fundamental challenges to all of the “foundational privacy principles” formulated in the Personal Information Protection and Electronic Documents Act (PIPEDA). The Consultation Paper outlines eleven proposals and related discussion questions for consideration, and requests feedback by March 13, 2020.

These AI-related potential reforms to privacy laws are at an early stage of development, but if adopted they likely will have a significant impact on how registered firms use AI in their development and delivery of products and services as well as their compliance systems and other internal controls. For example, reforms to PIPEDA might introduce provisions similar to those in the European Union’s General Data Protection Regulation (GDPR) that grant individuals the rights:

  • Not to be subject to automated decision-making, including profiling, except when an automated decision is necessary for a contract, authorized by law, or explicit consent is obtained; and
  • To object to having their personal information processed for direct marketing purposes.

Another proposal, if implemented, might require entities to inform individuals about the use of automated decision-making, the factors involved in the decision and, where the decision is “impactful”, information about the logic upon which the decision is based.

AUM Law will continue monitoring developments in this area and update you on the status of significant proposals. In the meantime, if you have any questions about the Consultation Paper and its potential impact on your operations, please contact us.

February 28, 2020