Canada’s Anti-Spam Legislation
              by
        David Polsky
Who we are
•   Canadian-based Information Technology consulting company founded in 2003.

•   Provides a range of I.T. solutions -> Strategy through Implementation.

•   Focused on mid-to-large size businesses

•   Team comprised of I.T. practitioners with subject matter specializations &
    designations in all key areas of technology.

•   Track record of client satisfaction on every engagement.




What we do

Strategic Advisory
•   IT Assessment
•   IT Strategy
•   Merger & Acquisition Due Diligence
•   IT Management

Business Solution Implementation
•   Vendor Selection
•   ERP Optimization
•   SharePoint Solutions
•   Web Development
•   Post-Merger Integration

Security Solutions
•   Information Security Health Check
•   Threat Risk Assessment & Penetration Testing
•   Information Security Program Development
•   Enterprise Security

Infrastructure & Managed Services
•   Managed Services & Hosting




Who we have helped




CASL - Bill C28

• What is it and what’s in it?
• When is it in play?
• What does it really mean to Canadian Businesses?
• What are the top 5 things I should do about it if
  anything?
• What help is out there?




CASL - What is it and what’s in it?
CASL = Canada's Anti-Spam Legislation
• It is intended to target spam emails, malware, pharming, phishing and other
   malicious communications.
• New laws governing the use of CEMs, the alteration of transmission data and
   computer software installs. CEM is a new broader category greater than email.
CEM = Commercial Electronic Message
• CEM includes any electronic message… so email, SMS, instant messages and some
   social media postings all count as CEMs.

The net is 6 New Laws enforced by CRTC, The Competition Bureau, and the Office of
the Privacy Commissioner

•   Governs any CEMs sent from inside Canada or any external CEMs sent into Canada
•   Violations are not criminal offences




We all get more than we want!




CASL - What is it and what’s in it? – Cont’d
•   Who does what in terms of enforcement?

CRTC scope
• the sending of unsolicited commercial electronic messages
• the altering of transmission data
• installing a computer program on computer systems and networks without
   consent

Competition Bureau Scope
• misleading and deceptive practices and representations online, including false or
   misleading headers and website content

Office of the Privacy Commissioner scope
• take measures against the collection of personal information via access to a
    computer
• the unauthorized compiling or supplying of lists of electronic addresses


CASL – The rules
Senders of CEMs must identify themselves, indicate on whose behalf the message is
being sent, provide up-to-date contact information, and access to an unsubscribe
mechanism. The provided credentials must also be valid for 60 days.

You need to have consent from the receiver to send a CEM
• The big question – what is consent?

Consent under the new law
• Express consent (opt ins) – also see PIPEDA for more on consent
• Implied Consent (only for the transition period)
      – Existing relationship with the recipient (business or non business) within 2 years
      – Recipient published their address in a prominent manner
      – Recipient provided their address directly to the sender

We are the last of the G8 to enact this type of legislation




CASL – The Penalties and reach
•   Fines up to $1,000,000 per violation for individuals and up to $10,000,000 for
    organizations.

•   Allows for private right of action (means people can sue violators)

•   Enables the three agencies to work with their counterparts in other countries to
    enforce the laws.

•   Purpose of penalties as stated is to “promote compliance … and not to punish”




CASL - When is it in play?
• When was it Approved?
    – It was approved Dec 15, 2010

• When is it Effective?
    – No date set – recent comments from Industry
      Minister Paradis indicate it will be coming
      into force in 2013.

• How much time after effective is
  compliance required?
    – Implied consent lasts for three years – after
      that express consent is required




CASL - What does it really mean to Canadian Businesses?
• Compliance is required for any businesses that send CEMs
• Large fines can be levied on businesses that are not compliant

• The net – you need consent to send a CEM
• Need to have a central database of addresses and the consent
  status (consent given, consent implied, consent withheld)
• No more spreadsheets with email addresses in 20 different
  locations!!!
• Need to offer opt-in and opt-out visibly and easily




CASL - What are the top 5 things I should do about it if
anything?

 •   Conduct an internal Audit
 •   Change supplier requirements
 •   Governance in place – create a CASL policy
 •   Platform to enforce governance
 •   Internal Training




Conduct an Internal Audit
• Where are the CEMs?
• What are you sending?
• What mechanisms are you using? Do they support
  unsubscribe?
• Find all the channels!
• Assess existing contracts/relationships to determine implied
  consent
• Gain consent now while seeking consent is not a violation –
  after the law comes into effect seeking consent is in itself a
  violation of the law.
• After the law comes into effect you will have three years to
  obtain express consent


Change your requirements for your suppliers
• Require any lists you buy to be “clean” (consent based)
• Make it part of the RFP process when engaging new vendors
• Make CASL compliance part of the minimum requirements –
  particularly for eMail and Marketing vendors, but consider it
  for all vendor relationships.
• When you provide email addresses to third parties such as
  consultants and other outside entities make them agree to
  use those addresses in a CASL-compliant manner




Draft a CASL policy for your organization
• Create the governance policy and framework
• Communicate the policy
• Be in line with CASL organizationally
• Include maintaining a record of consent as a
  requirement
• Augment your new client in-take process to include
  documenting consent
• Should cover off all forms and procedures




Support and Enforce your policy

• Make sure all channels provide that visible opt-out
• Make sure the opt-out is enforced broadly across all
  channels and within 10 days of the opt-out action
• Make sure all outbound CEMs are sourced from the
  screened lists
• Define the consent basis and track it (given vs.
  implied vs. declined)
• If you don’t have tools in place then get them and
  deploy them



Train your workforce

• Train your workforce on your policy, the governance
  and internal tools that you can provide them
• Make sure they understand CASL
• Make sure they know the rules so they can avoid
  violations
• This is part of your diligence defence




Diligence and Enforcement
•   Do your diligence and we believe you have a reasonable position to defend any
    breaches of the law
•   No one knows yet how aggressively this will be enforced
•   They may draft and distribute guidelines when the law goes into effect

We operate based on the assumption that the point of this law is not to interfere with
the normal course of Canadian business.

It isn’t over though…
• Many comments have been submitted and the delay in making the law take force
     may be due to the assessment of these comments.
• Many feel CASL is too strong and possibly even disruptive to business – e.g. what
     about a start-up company – where do they find new customers?
• Is mass email marketing really bad?
• Is CASL too broad?



Mini-FAQ
•   What help is out there?
      – It’s still early but companies are preparing offerings
      – We can help you with Audits, Governance and Policy
      – We can help you with technology deployments of tool sets

•   How does this differ from the CAN-SPAM passed in the US in 2003?
      –   Broader in scope and definitions of spam
      –   CASL might actually be enforced
      –   CASL extends beyond Canada’s borders
      –   Stiffer penalties
      –   More stringent consent required

•   What is Commercial?
      – Encourages some sort of commercial activity – transaction or similar


•   How will violators be caught?
      – Spam Reporting Center



For more info…

The CASL web site - http://www.ic.gc.ca/eic/site/030.nsf/eng/home

The CRTC regulations - http://www.crtc.gc.ca/eng/archive/2012/2012-183.htm

Can-Spam wiki - http://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003

PIPEDA - http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html

TB PIPEDA - http://www.tbs-sct.gc.ca/pgol-pged/piatp-pfefvp/course1/mod2/mod2-3-eng.asp

The laws - http://lois-laws.justice.gc.ca/eng/AnnualStatutes/2010_23/FullText.html

CRTC has already published their regulations under CASL in the Canada Gazette –
http://www.gazette.gc.ca/rp-pr/p2/2012/2012-03-28/pdf/g2-14607.pdf




For questions and follow-up david.polsky@litcom.ca



