Privacy and cybersecurity have evolved to take on major socio-political implications in recent years. Cybersecurity is currently one of the most serious enterprise risks facing Canadian businesses. It is also one of the greatest threats to national security and global stability. Just recently at the 2023 Global Summit in Davos, the Secretary General of INTERPOL called cyber-attacks a “global threat” that requires “a global response and coordinated action.” We have seen that cyber criminals are willing to attack organizations for political or ideological reasons, as made clear by recent attacks in Europe involving the airline and broadcasting industry.
At the same time, privacy has been recognized as a fundamental right in Europe and is on its way to being similarly recognized in Canada. Federal Privacy Commissioner Dufresne noted in a recent keynote address:
Treating privacy as a fundamental and quasi-constitutional right means treating it as we do other human rights. As a priority.
It means that privacy must be legally protected and promoted with a strong, fair and enforceable legal and rights-based regime. A regime that must offer meaningful remedies that prevent and address violations and that will act as an incentive for institutions to create a culture of privacy. Let me repeat that. A culture of privacy. Privacy by design where it is considered, valued, and prioritized. Privacy that is included and embedded at the outset of innovation, not as an afterthought or regulatory irritant.
It means that the collection, use, retention and disclosure of personal information must be limited to what is demonstrably necessary and proportional.
It is no wonder that privacy and cybersecurity are now key to an organization meeting its environmental, social, and governance (ESG) goals.
ESG factors are, at their core, non-financial in nature but play an ever-increasing role in value creation in business. In mergers and acquisitions, conducting ESG due diligence on a target company has become an important part of assessing its value and measuring current and future risk. Considering the current and planned changes to Canada’s privacy and cybersecurity regulations (specifically, Bill 64 in Quebec and Bills C-26 and C-27 at the federal level), including privacy and cybersecurity in an ESG reporting framework is no longer a “nice-to-have.” Rather, it shows how an organization must take an enterprise and wider-lens approach to addressing data management and cybersecurity risks. Failing to adequately address privacy and cybersecurity aspects of business can also be seen as a failure to adequately implement measures to comply with ESG requirements or address matters related to satisfactory risk mitigation.
Mapping privacy and cybersecurity against the “social” and “governance” aspects of ESG
Businesses should have a comprehensive program in place to ensure compliance with privacy laws, such as the Personal Information Protection and Electronic Documents Act (“PIPEDA”), Bill 64 (Quebec) (“Bill 64”), or the European General Data Protection Regulation (“GDPR”). This program requires a governance framework so that IT systems, employees, third parties, and products and services are appropriately assessed and managed. It also requires that policies and procedures are created, implemented, and monitored. This is part of the “governance” of ESG.
Similarly, cybersecurity is a key aspect of meeting privacy compliance goals as part of ESG, but it is also a stand-alone concept. In fact, some argue there should be a “C” added to ESG – ESG and C. What privacy and cybersecurity have in common is that both can create reputational damage and litigation risk. However, failure to manage cybersecurity risks can also result in business interruption and possible physical risks at a scale that is problematic for an organization, but not considered a core risk when it comes to privacy compliance. For example, a hospital or airline can experience attacks that carry immediate and long-term consequences due to service interruptions without ever having “personal information” compromised as part of a data breach.
Failure to properly manage and address cybersecurity and privacy risks is not only related to governance but also to the social aspects of an organization’s activities. There are ethical considerations when it comes to the handling of personal information and the transparency that is associated with data processing activities. Failing to secure systems from cyber-attacks can result in data extortion and ransomware incidents, which may lead to payments to cyber criminals. These harmful cyber activities, as we have seen, can be linked to, and sometimes fund, military action.
Organizations have a number of existing tools available to meet ESG goals related to privacy and cybersecurity. The principles of PIPEDA and related privacy laws, as well as security standards, provide the roadmap. An organization can also use the basic principles of a proper compliance program to track progress. From experience, the following non-exhaustive factors are key components that can assist in this regard. These factors are interdependent and overlapping, but separating them, as we have done below, will clarify and focus attention on discrete targets.
1. Implement the Principle of Accountability and Board Oversight
This principle is embedded in PIPEDA. Importantly, it means that an organization should have someone in charge of privacy (and security) to oversee the proper creation and implementation of policies and procedures. This person should have the right resources, both financial and administrative, to implement these measures. This is not possible without an organization’s board of directors (“Board”) being kept apprised of the relevant risks and allocating these resources appropriately. Implementing this principle includes an assessment of whether proper cyber insurance is in place.
2. Map Security against Established Security Standards
Being able to demonstrate that an organization is mapping its efforts against a well-established standard (NIST, ISO, or SOC 2) will go a long way in meeting its goals. It will also allow for transparent reporting on which aspects are being met as well as those that require additional work or resources. For instance, if an organization is not following proper system patching routines, does not have an endpoint detection and response (EDR) tool in place, or does not have multi-factor authentication implemented, this should be apparent and known to leadership so that these risks can be addressed.
3. Measure and Track Performance
Measuring performance of non-financial factors can be challenging but an organization should find ways to develop these metrics. For example, privacy training frequency and completion can be measured, as can statistics on data intrusion attempts or breaches, and progress towards security certifications.
4. Privacy and Cybersecurity by Design
Privacy by design/default is a concept that has been around for over 25 years, but it is now being included in mandatory regulatory frameworks, rather than simply being considered a best practice or “gold standard” for organizations. Both the GDPR and Bill 64 include the concept. Arguably, section 9(1) of Bill 64 is stricter than Article 25 of GDPR, but both provisions put the onus on the data controller to implement technology that will protect personal information at the design stage and by default. Implementing this is no easy task – it means privacy and security must be taken into account from Day 1 when contemplating a service, product, or process. For that to happen, it usually requires an organizational shift as core processes must change. This requires strong governance and oversight.
5. Incident Preparedness
In our experience, it is very challenging for any organization, even those with strong security controls, to avoid data breaches. It is the consequences of those breaches that separate devastating incidents from ones that result in minor disruptions or legal risks. For an organization to be truly prepared for a cyber-incident or data breach, its leaders must contemplate these incidents in a specific way, and not only as a general crisis. Preparation should include education at the Board level and senior management table-top exercises. It also requires a discussion about insurance. Coming full circle, these tasks are also measurable and can be tracked as part of an ESG compliance framework.
6. Data Hygiene
Collecting information is valuable in a data-driven economy. However, collecting too much data and personal information, or retaining it for longer than it is required or creates value, is a liability. It is a quantifiable liability when it comes to the costs of remediating a data breach, and proper management is a way to improve the social (and governance) factors of ESG for two reasons. One, it reduces exposure of information in the case of a breach, and two, over-collection is generally an infringement of an individual’s privacy right. From an ESG perspective, an organization should be able to demonstrate that it has given thought to data collection activities, the concept of data minimization, and the importance of data retention policies.
7. Mergers and Acquisitions
Privacy and cybersecurity risks are already core aspects of proper diligence in mergers and acquisitions, be it via legal or technical reviews, or a combination of both. Framing diligence in this area through the ESG lens is helpful because it takes a broader view of the risks and frames them in a more holistic way. It focuses the risk at a governance level.
The ESG practices, policies and guidelines that organizations develop over time should be informed by the developing legal and regulatory landscape, best practices, and consumer, investor and other stakeholder demands (among other factors). In each case, these factors must be considered within the context of the particular business’ needs, objectives and plans. Invariably, an ESG-informed approach to business will include robust planning around privacy and cybersecurity considerations.
Please be in touch with the authors and other members of the Miller Thomson ESG and Carbon Finance practice for insights into how to incorporate privacy and cybersecurity observations and protocols within your ESG framework and planning.