Quebec’s New Privacy Regime Isn’t Just Your Lawyer’s Problem

Victor De Luca
Jun 16, 2022 · 5 min read

“An Act to modernize legislative provisions as regards the protection of personal information” (Bill 64, commonly referred to as Law 25) is the name of the new law passed by the National Assembly of Québec in 2021.

As of September 22nd, 2022, the law requires organizations to notify the Commission d’accès à l’information (CAI) and the affected individuals following a confidentiality incident involving personal information that presents a risk of serious injury (the Act’s term for what most practitioners would call serious harm). Furthermore, organizations must maintain a register of every confidentiality incident, whether or not it met the notification threshold. The CAI may consult this register upon request.

While the bulk of the law aims to improve data governance and privacy practice, it also has a significant technological side. Traditionally, lawyers helped organizations set the appropriate guidelines for information management. Lawyers can still propose guidelines based on the law and good practice, but they are not the ones qualified to implement the safeguards those guidelines call for. Since most information is now stored digitally, it is the CISOs and CTOs who must implement the controls that actually protect it.

For one of the first times, organizations will be legally required to have their technical staff detect (and, when the threshold is met, report) confidentiality incidents, or face significant penalties: the Act provides for administrative monetary penalties of up to $10 million or 2% of worldwide turnover, and penal fines of up to $25 million or 4%, whichever is greater. Since data in 2022 is mostly stored and shared through technology, lawyers will no longer be at the forefront; engineers will most likely be the ones responsible for detecting these incidents.

So, what is a confidentiality incident?

Maintaining a register of all confidentiality incidents will be critical. As per the law, a confidentiality incident is defined as

(1) Access not authorized by law to personal information;

(2) use not authorized by law of personal information;

(3) communication not authorized by law of personal information; or

(4) loss of personal information or any other breach of the protection of such information.

For a large organization this implies that incidents may occur daily, so the register must be updated continuously rather than reconstructed after the fact. Examples of confidentiality incidents include, but are not limited to, the following:

  1. An employee emails personal banking information to the wrong client.
  2. An employee uploads client files to the corporate Google Drive account and immediately shares them with their own personal account.
  3. An employee shares a client’s SIN (social insurance number) and phone number with a friend over Facebook Messenger.
  4. An employee accidentally uploads numerous SINs to a SharePoint site readable by the whole organization.
  5. An employee exports thousands of clients’ phone numbers to a USB key and takes it home.

Leaks like these happen every day, and each of them can have severe consequences for the business if it is not detected, or better yet blocked, in a timely fashion. Appropriate technological tools are therefore of the utmost importance.

Confidentiality incidents can happen from any location, device or user.

Which technologies do I need to detect confidentiality incidents?

A DLP (Data Loss Prevention) solution and a CASB (Cloud Access Security Broker) are your best bets. Solid GPOs (Group Policy Objects) and an EDR (Endpoint Detection and Response) agent should not be forgotten either: they harden the workstation and reduce potential leakage, for example by restricting removable storage and unsanctioned applications. Together, these four cover the workstation itself, the traffic sent to the Internet, and the data at rest in the various SaaS applications the organization uses.

For DLP, a tool that can capture and decrypt traffic in-line is critical. Employees routinely send PII (personally identifiable information) and other sensitive data over the Internet, and only a tool positioned in the path, performing TLS inspection, can analyze that traffic for sensitive content. This comes with an operational caveat: in-line decryption requires the proxy’s CA certificate on every managed endpoint and a maintained bypass list for certificate-pinned applications and categories you choose not to inspect (banking, health). Traffic on that bypass list is not analyzed, so the list needs periodic review. It is also very important to choose a tool that can read files and perform OCR (Optical Character Recognition): PII is too often shared in PDFs and scanned documents, and some tools cannot reliably recognize information in those formats.

Zscaler offers in-line DLP that can decrypt and analyze web traffic for sensitive information.

A CASB can be of major assistance to the data protection team. Information already stored in Dropbox, Salesforce, OneDrive, GitHub or other corporate tenants is never seen by an in-line DLP, because it did not transit the proxy. This is where the cloud app’s API (Application Programming Interface) comes in handy: an API-based CASB can scan those tenants automatically for sensitive information. Integration usually takes only a few minutes, and recurring scans can be scheduled. Some tools can even alert you when a user shares a specific file from their corporate cloud app with an external user.

Zscaler offers CASB that can scan and detect sensitive information in your corporate cloud apps.

Beyond technology

While technological tools are essential, they are unfortunately not the only aspect of achieving compliance with Québec’s new privacy regime. A strong data management policy remains the cornerstone of data protection. It is still critical to understand what data the organization collects, why it collects it, how it collects it and how it manages it throughout its lifecycle; you cannot detect the leak of data you do not know you hold.

Furthermore, tagging information appropriately is good practice and helps information protection tools block exfiltration. For example, Zscaler can ingest Microsoft AIP (Azure Information Protection, now Microsoft Purview Information Protection) sensitivity labels and immediately allow or block a transmission before the data reaches someone’s Gmail account.
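The following Python script is an added example, not code from the original article and not Zscaler’s or Microsoft’s product logic. It pulls together the three mechanisms discussed above in one small classifier: pattern-based content inspection of the kind an in-line DLP performs (Canadian SINs validated with their Luhn check digit, plus phone numbers), external-recipient detection of the kind a CASB API scan surfaces, and a label-based decision standing in for a real AIP label lookup. Everything in it is assumed: the corporate domain example.ca, the event fields, the label names, the phone-number threshold, and the sample events, which are constructed to mirror the incident list earlier in the article. A real deployment would feed it events from the proxy or from the cloud app’s API instead of the inline list.

```python
"""Toy confidentiality-incident classifier (added example, not a product)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed sensitivity label names; the real set comes from the organisation's
# Microsoft Purview / Azure Information Protection taxonomy.
SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}

# Canadian SIN: nine digits, usually written 123-456-789 or 123 456 789.
# The last digit is a Luhn check digit, so candidates failing Luhn are dropped.
SIN_RE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")
# North American phone number with optional +1, parentheses and separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[ .-]?)?\(?([2-9]\d{2})\)?[ .-]?(\d{3})[ .-]?(\d{4})(?!\d)"
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by SINs: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict[str, list[str]]:
    """Return normalised (digits-only) SINs and phone numbers found in text."""
    sins = ["".join(m.groups()) for m in SIN_RE.finditer(text)]
    phones = ["".join(m.groups()) for m in PHONE_RE.finditer(text)]
    return {"sins": [s for s in sins if luhn_valid(s)], "phones": phones}


@dataclass
class Event:
    """One observation: an in-line event ("email") or an object found by a
    CASB API scan of a tenant ("cloud-share"). Field names are assumed."""
    source: str
    actor: str
    recipients: list[str]
    content: str
    label: str = ""  # sensitivity label carried by the file/message, if any


def is_external(address: str, corp_domain: str) -> bool:
    """Anything not in the corporate mail domain counts as external."""
    return not address.lower().endswith("@" + corp_domain.lower())


def classify(event: Event, corp_domain: str, phone_threshold: int = 3) -> str:
    """Decide block / alert / allow for one event.

    Sensitive = a valid SIN, a bulk of phone numbers, or a sensitive label.
    Sensitive content leaving the corporate domain is blocked; sensitive
    content moving internally is allowed to flow but raises an alert.
    """
    found = scan_text(event.content)
    sensitive = (
        bool(found["sins"])
        or len(found["phones"]) >= phone_threshold
        or event.label in SENSITIVE_LABELS
    )
    external = [r for r in event.recipients if is_external(r, corp_domain)]
    if sensitive and external:
        return "block"
    if sensitive:
        return "alert"
    return "allow"


def build_register(events: list[Event], corp_domain: str) -> list[dict]:
    """Incident-register entries for every event that was not simply allowed."""
    entries = []
    for ev in events:
        action = classify(ev, corp_domain)
        if action == "allow":
            continue
        found = scan_text(ev.content)
        entries.append({
            "source": ev.source,
            "actor": ev.actor,
            "action": action,
            "label": ev.label,
            "sin_count": len(found["sins"]),
            "phone_count": len(found["phones"]),
            "external_recipients": [r for r in ev.recipients if is_external(r, corp_domain)],
        })
    return entries


# Constructed sample events mirroring the incident list in the article.
SAMPLE_EVENTS = [
    Event("email", "alice@example.ca", ["bob@gmail.com"],
          "Hi Bob, the client's SIN is 046-454-286 and their phone is 514-555-0199."),
    Event("email", "carol@example.ca", ["dan@example.ca"],
          "Order 123-456-789 has shipped, invoice attached."),  # fails Luhn: not a SIN
    Event("cloud-share", "erin@example.ca", ["partner@partner.example"],
          "Q3 planning notes, no client data.", label="Confidential"),
    Event("cloud-share", "frank@example.ca", ["everyone@example.ca"],
          "Payroll import: 046 454 286"),  # broad internal share of a real SIN
]

if __name__ == "__main__":
    for entry in build_register(SAMPLE_EVENTS, "example.ca"):
        print(entry)
```

Two design points are worth noticing. The Luhn step is what separates a DLP rule from a noisy nine-digit regex: 123-456-789 looks like a SIN but fails the check and is not reported, while 046 454 286 (the SIN used in Canadian documentation examples) passes. The phone threshold exists because one phone number in an e-mail signature is not a leak, whereas a bulk export is. The register builder only records events that were blocked or alerted on; under the Act, the register must hold every confidentiality incident, so the real question for the organization is which of these observations it treats as an incident, and that is a policy decision the tool cannot make for you.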

In conclusion

Quebec’s new privacy regime highlights a big gap between where companies currently sit in terms of data protection and where they need to be. Unfortunately, it comes with a heavy workload for IT professionals in the organizations in scope. Nonetheless, compliance is achievable with help from the appropriate legal specialists and data protection solutions.

Thanks to Eugen Miscoi and Ryan Matthews for the peer review of this article.


Victor De Luca

Victor holds a B.Sc., a M.Eng. and an MBA. He has a strong interest in new technologies, cybersecurity and data protection.