Privacy Law Update
Feb 2022 Charity & NFP Law Update
Published on February 24 2022

By Esther Shainblum and Martin U. Wissmath

State-Sponsored Cyber Criminals Cause Privacy Risks for Canadian Networks: Cyber Centre

Warnings from the federal government about Russian state-sponsored hackers highlights the need for organizations to comply with privacy law and protect sensitive data. The Canadian Centre for Cyber Security (“Cyber Centre”) published a “Cyber threat bulletin” on January 26, 2022 that “urges Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity.” The Cyber Centre joined the United States’ Cybersecurity & Infrastructure Security Agency, along with the United Kingdom’s National Cyber Security Centre, in “recommending proactive network monitoring and mitigations.” Russian backed cyber threat actors are targeting Canadian critical infrastructure network operations, their operational and information technology, the Cyber Centre reported. The warning, though intended for “critical infrastructure network defenders” should remind charities and not-for-profit organizations across the country to increase their efforts to protect sensitive personal information in accordance with Canadian privacy law and best practices. The Cyber threat bulletin was published a week after a January 19 cyber attack on Global Affairs Canada amid fears of an escalating Russia–Ukraine conflict.

Under the Canada Not-for-Profit Corporations Act, directors of charities and not-for-profits have a duty to exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances. They could face potential personal liability if the organization suffers a loss because they have failed to take appropriate steps to identify, manage and mitigate privacy and cybersecurity risks. However, courts will not second-guess directors who act prudently in good faith, on a reasonably informed basis — a common law doctrine known as the “Business Judgment Rule.” In order to avoid potential liability, directors must be able to demonstrate that they obtained and considered information on cyber security and privacy issues and risks, that they took appropriate steps to make the organization compliant with privacy laws and best practices, and to put appropriate safeguards in place to protect personal information and to prepare for, and respond to, privacy breaches or cyber attacks. Directors should obtain regular reports from management on cybersecurity and privacy issues, as well as obtain adequate insurance to cover the risks involved. The Office of the Privacy Commissioner of Canada recommends that charities and NFPs follow the principles set out in Schedule 1 of the Personal Information Protection and Electronic Documents Act.


Read the February 2022 Charity & NFP Law Update