Inside Internal Controls

News and discussion on implementing risk management

Privacy Compliance and Management

Standing Committee on Finance releases recommendations on Canada’s anti-money laundering and anti-terrorist financing regime

Recently, the House of Commons’ Standing Committee on Finance released its report titled “Confronting Money Laundering and Terrorist Financing: Moving Canada Forward” (the “Report”). The Report was released pursuant to the Standing Committee’s mandate under Standing Order 108(2), which directed the Committee to study the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”) and was […]

Five tips for compliance with new privacy consent guidelines

Privacy compliance is top of mind, not least because of the GDPR and Canada’s new mandatory breach notification rules. While you are updating your practices and procedures, do not forget that the Guidelines for obtaining meaningful consent (the “Guidelines”) will apply starting on January 1, 2019.

Mistakes to avoid in conducting effective workplace investigations

Experience has shown us time and again that, of all the elements contributing to effective investigations, investigators consistently dedicate insufficient time and effort in a few critical areas; four to be exact.

Security breach notification and reporting requirements are now in force under Canada’s PIPEDA

Canada’s long-awaited federal private-sector data breach notification and reporting requirements came into force on November 1, 2018.

Ten considerations for a cybersecurity incident response plan

If you ask a group of cybersecurity experts what should be included in a Cybersecurity Incident Response Plan (“CIRP”), you will get a wide variety of answers. Happily, many of those answers contain similar themes including these ten important considerations your organization should be aware of when creating and managing a CIRP.

Contractual considerations in robotic process automation and artificial intelligence outsourcing

RPA and AI technologies can be a game-changer for your organization from a commercial perspective, but procuring those technologies and managing the new risk landscape requires a fundamental shift in mindset vis-à-vis a traditional outsourcing contract.

First review of the GDPR: Four findings after four months

With four months of life behind the GDPR, now is an opportune time to review those developments. Indeed, after assessing those four months we can make the following four findings.

Why are SOX compliance costs increasing so much?

A recent Protiviti survey reports how many organizations had to issue a cybersecurity disclosure, and the figures are interesting. Issuing such a disclosure generally resulted in an increase in SOX compliance hours, although the reason for the size of the increase is not clear.

Learn from British Airways’ security breach reporting and notification

British Airways’ experience described in this article underscores that cybersecurity is important, and Canadian entities preparing for mandatory security breach reporting and notification coming into force soon can take lessons from British Airways’ response to a security breach.

Canadian developments in digital identity

Digital identity is increasingly becoming a hot topic globally and Canada is no exception. For example, amendments to the Bank Act (and equivalent legislation in respect of federal insurance companies and federal loan and trust companies) have recently been introduced permitting federally regulated financial institutions to provide “identification, authentication or verification services”.

CASL enforcement: Recent trend

It can be relatively difficult to read the tea leaves in the CRTC’s approach to CASL enforcement, because there is little public record of those enforcement activities. This was noted by the Standing Committee on Industry, Science and Technology, in its statutory review of the Act. However, what signs do exist suggest that enforcement activities are accelerating. In 2016 and 2017, the CRTC announced only one undertaking in a CASL proceeding. By contrast, in the first quarter of 2018, there have already been two.

Overarching limit on the collection, use and disclosure of personal information

A key takeaway for organizations is that it is not enough to comply with other provisions in PIPEDA, for example, obtaining meaningful consent. Organizations must still show that their purposes for collecting, using or disclosing personal information are those that a reasonable person would consider appropriate in the circumstances.

Is there an ROI for investing in cyber or information security?

Is the ROI on cyber really as high as it may seem at first glance? At some point, it may be better to treat cyber risk as a “cost of doing business”. If you cannot actually reduce the likelihood of a breach, can you at least increase the likelihood of prompt detection and response?

What is an internal control, really?

What is a control, at an abstract level: what is it supposed to achieve, and how is it supposed to operate within an organization?

Working together works: Ontario Securities Commission approves reduced sanction for insider tipper who cooperated with investigation

The OSC recently approved a settlement agreement in which the respondent admitted to providing material non-public information to a third party. The order in Re Hutchinson, which did not include an administrative penalty or disgorgement of profits, was held to be in the public interest given the respondent’s cooperation and other mitigating factors.