How Quebec’s Bill 64 Prioritizes the Safety of your Personal Information

In this article we are going to define personal information, why it’s so important, how valuable to hackers, how organizations have been misusing personal information and how they will need to manage it after the introduction of Quebec’s Bill 64.

‍

What is personal information?

Your personal information is nothing less than your identity. It makes you unique and serves to differentiate you. It is specific to each individual and includes any information relating to a particular person that makes it possible to identify them directly or indirectly. Quebec's Bill 64 broadened the definition by making any information about an individual automatically protected by the legislative provisions.

‍

How to recognize personal information

‍

Any piece of information that can be used to identify an individual will be considered personal information. This includes an individual’s name, address, or date of birth. It also includes more sensitive personal information, like a social insurance number, banking data and medical information as well as political views, religion and sexual preferences.

‍

Why it’s important for citizens to protect their personal information

‍

Similar to how you lock your car doors or how you lock your smartphone, citizens need to view their personal information as extremely valuable and take the same precaution by making sure it doesn't get in the wrong hands and misused. We all know that nowadays, cyber criminals have the tools to exploit your data, sell your data on the dark web and hack your systems by using that same data, sometimes causing irreversible damage.

‍

Lately, we unfortunately have come to realize that trusting recognized institutions with our personal data didn’t necessarily mean it would be safe. Companies have not been prioritizing the safety surrounding personal data and that has become a serious problem by enabling a new easy and lucrative line of business for cybercriminals.

‍

Why Hackers want Personal Information

‍

Cyber criminals value and rely on personal data because by stealing it, they can restrict the company from accessing it and are therefore in a position to demand a ransom in exchange for regaining control. They can also leverage the data to conduct additional cyberattacks or threaten to do so.

‍

Data is the lifeblood of company operations and revenue. Cyber criminals encrypt company data with the aim that companies will have to pay to regain access to that precious data and preserve their reputation in the process. Hackers are smart, they know downtime is VERY costly so they rely on the fact that by disrupting business continuity, the company will have no other choice but to pay to mitigate the damages and go back to business as soon as possible.

‍

This is how cyber criminals make their money. However, it wouldn’t be as lucrative if people and companies proactively protected personal information.

‍

Why Quebec’s Bill 64 is No Surprise

‍

The introduction of Quebec’s Bill 64 comes as no surprise. The lack of privacy initiatives by companies, inadequate training for employees, and even not following the policies and practices, put a lot of people at risk of harm.

‍

One story you may have heard is about Canada’s largest financial breach of the popular bank, Desjardins. The data breach involved 9.7 million people – active and inactive users. The personal information stolen included last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories.

‍

These stories always pop up in the news but this bank was taken to court, so there’s a lot more information about the story. (ITWorldCanada)

‍

‍

Here is what you need to know:

1. The data was stolen by a marketing employee who had access to the files and uploaded the information on a USB stick.
2. He was apparently stealing it over a timeframe of 26 months (between 2017-2019) and selling it to a private lender.
3. The police department identified the breach in 2019 – this happened 26 months after the employee started this initiative.
4. Half of the data stolen was personal information on inactive users (about 4 million people affected).
5. Desjardins had 13 data privacy policies that were either incomplete or not implemented.

‍

‍

This year, the Superior Court of Quebec approved the $200.9 million settlement of class-action lawsuit against Desjardins.

‍

Stories like this are happening every day. Companies are just not prioritizing the safety of personal information.

‍

So, how could an incident like that been possibly prevented? By adopting a stricter legislation that would be enforced in the province.

‍

Let’s review how our new provincial law will restore the lack of protection for personal information within the province and how citizens will be better protected under Quebec’s Bill 64 - especially in similar cases to Desjardins.

‍

A new era for the protection of personal information under Quebec’s Bill 64

‍

Quebec has recently adopted its most restrictive data privacy law to date, modernizing the whole data privacy landscape in the province. Bill 64 establishes a new legislative framework much more adapted to the reality of today’s cyberworld and the online vulnerabilities that companies are experiencing.

‍

Every business processing personal information must comply to the newly enacted legislation, starting September 2022. As this legislation imposes major changes for businesses, there is a gradual implementation of the different provisions of Quebec’s Bill 64 that have to be fully implemented by September 2024, the vast majority being in 2023.

‍

The purpose of the more stringent requirements is to force organizations to take privacy seriously and focus notably on the implementation of appropriate security safeguards. Otherwise, severe new penalties will be enforced on offending companies, which could have disastrous consequences.

‍

By being compliant, organizations will prevent a lot of confidentiality incidents, or at least better position themselves to be able to mitigate the damages.

‍

Here’s a brief overview of what to expect from Bill 64:

• Bill 64 serves to help organizations be more aware of the personal information they are processing. It offers a framework to protect personal data and to establish an internal structure regarding data privacy.
• Bill 64 is adamant on giving employee training not only in relation to the functions they hold, but also in order to bring awareness to cyber security measures.
• It will be crucial to restrict internal access to data (to avoid situations like Desjardins).
• There will be strict rules to outsource the data.
• Privacy impact assessments will also be the norm to evaluate the risk regarding personal information.
• Clear governance policies will need to be published on every company’s website. Businesses will be required to divulge almost every aspect on how they protect the personal information they process. It will make them much more accountable for those actions and omissions.
• It will also now be mandatory for companies to destroy the personal information that is no longer needed or required by law and therefore have specific mechanisms in place for retention and destruction of the personal information.

‍

‍

Those are just a few of the numerous requirements that businesses will need to meet compliance and not be held accountable for a lack of safety measures. Here is a list of all the requirements.

‍

As of right now, many enterprises are not being proactive and things will undeniably have to change. With Quebec’s Bill 64, it won’t be an option to consider privacy as a crucial component of an organization practices. Businesses will have to meet compliance or face the consequences.

‍

Next Steps

‍

Have any questions about personal information? Contact us here.

‍

If you’re a business, consider Assurance IT’s Bill 64 training. As the pioneer in the space, we offer a complete 8-hour training that prepares your Data Protection Officer for Quebec’s new data privacy law.

‍