February 2015

In a recent case involving a breach of patients’ privacy rights — Hopkins v Kay,[i] — the Ontario Court of Appeal ruled that a proposed class action could proceed based on allegations of violation of patients’ common law privacy rights, concluding that those rights were not preempted by the Personal Health Information Protection Act (PHIPA). Specifically, the court determined that PHIPA is not a “complete code” and therefore did not “oust” the plaintiff’s common law tort claim for breach of privacy (the tort of intrusion upon seclusion). Hopkins provides important guidance in the fields of privacy law and class actions, as well as with respect to the sustainability of privacy claims that touch upon areas governed by legislation.

On February 13, 2015, President Obama spoke forcefully on cybersecurity threats at the Cybersecurity and Consumer Protection Summit, and signed an Executive Order designed to encourage the sharing of cyber-threat information through the formation of “hubs” – Information Sharing and Analysis Organizations (ISAOs).

The President observed that much of the United States’ critical infrastructure runs on networks connected to the Internet, resulting in vulnerabilities that foreign governments and criminals are probing every day. The President outlined four basic principles that should guide the efforts to combat cyber threats:

  • A shared mission between the private sector and the government;
  • Focus by private and public sectors on their unique strengths;
  • Flexibility in the approach to cybersecurity; and
  • Protection for the privacy and civil liberty of the American people.

The President called the protection against cyber-threats a shared mission because neither government nor the private sector can defend against cyber-attacks alone. While the government has many capabilities, it is neither appropriate nor possible for the government to secure the networks of the private sector. On the other hand, the private sector is at the cutting edge of technology, but does not always have the situational awareness, the ability to warn other companies in real time, or the capacity to coordinate a response across companies to a cyber-attack.

Financial institutions around the country recently received cybersecurity guidance in the form of a new appendix to the Federal Financial Institutions Examination Council’s (“FFIEC’s”) Business Continuity Planning Booklet, which is part of its Information Technology Examination Handbook. In the guidance, the FFIEC places the onus on financial institutions, their boards of directors, and senior management to manage the cybersecurity risks, recovery services, testing programs, and “cyber resilience” associated with outsourced or third-party technology services. The guidance came just a week before another important event for financial and other institutions: the White House Summit on Cybersecurity and Consumer Protection that was held at Stanford University on Friday, February 13, 2015, and that featured, as attendees and speakers, government and industry leaders, including those from financial institutions.

The FFIEC is the federal interagency body tasked with setting forth uniform principles, standards, and forms for examining and supervising financial institutions. In that capacity, the FFIEC provides guidance on “business continuity planning” or how financial institutions will recover and resume their businesses after an unexpected disruption, which, in today’s world, necessarily includes cyber breaches and attacks.

Here is our take on the FFIEC’s recent round of updates: