When an entity (Affected Entity) experiences a data breach incident (Breach Incident), it is instantly faced with a number of issues that it must address with urgency. Among these, an Affected Entity must manage crucial regulatory compliance obligations that may be triggered by the Breach Incident. The most obvious of these obligations arise under the Personal Information Protection and Electronic Documents Act and other applicable provincial privacy laws, which likely include certain mandatory breach reporting obligations.
What is often less obvious is the need to consider regulatory consequences arising from the Breach Incident under the current anti-money laundering (AML) regime in Canada (which is governed by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its Regulations (the PCMLTFA) as well as the Criminal Code (Canada) (the Criminal Code)).
What follows is an overview of certain key implications of a Breach Incident under the AML regime that should be addressed following a Breach Incident:
1. Assess obligations under the AML regime: The first issue that should be addressed is whether the Breach Incident is a “reportable activity” under the PCMLTFA and/or the Criminal Code. For entities that are reporting entities under the PCMLTFA, the issue can be a delicate one, as the entity must decide whether the incident rises to a level that requires suspicious transaction reporting. For entities that are not subject to the PCMLTFA but are nevertheless subject to the Criminal Code (which applies widely to all Canadian entities), a guided approach might be needed to address two issues: (i) whether the Criminal Code has been breached as a result of the Breach Incident; and (ii) whether appropriate steps have been taken to remediate any AML risks brought about by the Breach Incident. These factors are crucial, particularly where the Breach Incident is part of a larger money laundering scheme, a fact that may not be immediately known to the Affected Entity.
2. Assess impact on operational risk management framework: The Affected Entity should carefully assess how the Breach Incident might impact its operational risk management obligations, given the legal risks of non-compliance. These obligations are often specific to individual entities, as they depend on how the entity is organized. For example, a federally regulated financial institution might want to consider how the Breach Incident affects its overall risk exposure and the resultant effects on its different lines of defence. The need to run this assessment is a vital obligation that typically applies to all categories of Affected Entities alike, regardless of their regulatory position under the PCMLTFA or the Criminal Code.
3. Assess third-party concerns: If the subject matter of the Breach Incident that is stolen or otherwise wrongfully obtained from the Affected Entity (i.e., an asset, information or data) belongs to a third-party entity, that entity is likely subject to the same considerations outlined in sections (1) and (2) above. It would therefore be prudent for the Affected Entity to carefully assess how it will prevent or deal with issues that may arise from a liability perspective.
4. Assess general liability parameters: The Affected Entity must consider any sanctions and penalties under the AML regime that might be triggered as a result of its failure to comply with applicable AML obligations. An Affected Entity should be apprised of the AML liability parameters that surround the Breach Incident and that are applicable to it, in order to help set in motion a liability mitigation plan, if necessary.
It is worth noting that the points outlined above are not exhaustive. There may well be other issues that arise from a Breach Incident which could require urgent redress and carry equal weight.
If you have any questions or wish to discuss any aspect of this article, please contact the author.
The author would like to thank Breanne Matheson, summer student, for her contribution to this legal update.