#CyberFLASH: CRTC joins global anti-spam drive

crtc_logoCanada’s telecom regulator is teaming up with enforcement agencies outside the country to beef up the fight against electronic spam.

The Canadian Radio-television and Telecommunications Commission says it has signed an agreement with 10 agencies in eight countries, with the goal of better enforcing anti-spam laws.

Canada’s own law, which came into effect nearly two years ago, has resulted in a significant drop in digital spam originating in Canada, according to email marketing firm Cyberimpact.

And while the law has resulted in some big fines, including one last year for $1.1 million against Quebec-based Compu-Finder, legal experts have questioned whether Canadian authorities might have difficulty enforcing the law against companies in foreign jurisdictions.

But CRTC chairman Jean-Pierre Blais says the agreement sends a strong message that the international enforcement community intends to stop spammers from sending annoying — and sometimes dangerous — electronic spam.

Signatories include Canada’s privacy commissioner, the U.S. Federal Trade Commission and Federal Communications Commission, communications and consumer authorities in Australia, the Netherlands and the United Kingdom, and agencies in Korea, New Zealand and South Africa.

Read more here

#CyberFLASH: Privacy And Cybersecurity Issues In Canadian M&A Transactions

a-woman-uses-her-computer-keyboard-to-type-while-surfing-the-internet-in-north-vPrivacy and cybersecurity have become areas of significant potential liability in Canada and elsewhere. Organizations that misuse personal information or fall victim to a data breach face reputational damage, regulatory scrutiny and possible class action lawsuits. In addition, businesses that fail to comply with “Canada’s Anti-Spam Law”2 (“CASL”) can be subject to significant fines.

In the context of M&A transactions, it is important for organizations to understand applicable statutory requirements and take steps to reduce and mitigate risks. This will involve consideration of privacy and cybersecurity issues in the due diligence process and negotiation of the purchase agreement, as well as attention to restrictions upon transfer and use of personal information on and after closing.

Due Diligence

In order to determine the amount and extent of privacy and cybersecurity due diligence that will need to be performed in a transaction, it is important to initially consider the nature of the target’s business. Some businesses, like traditional manufacturing companies, may process minimal sensitive or personal information. Therefore, it may be unreasonable to expect that such organizations would have detailed and comprehensive privacy compliance infrastructures, and risks related to privacy and cybersecurity may be limited. In such cases, the scope of due diligence with respect to privacy and cybersecurity matters could be fairly narrow.

However, in this “information age” the core function of many businesses revolves around data. When organizations seek to purchase these types of businesses, it is important to thoroughly canvas the target’s history and current practices and procedures, to identify any potentially significant liabilities. Poor information handling practices or outdated technological controls may require a significant investment to bring the business into compliance with all applicable laws, or in a worst case scenario could expose the business to costly litigation.

Read more here

#CyberFLASH: Why Canada’s Telecom Regulator Is Suddenly Acting More Like the Cops

crtc_logo“If you abide by the law, you have nothing to fear.”

These might sound like the words of a police chief or FBI official, but they were actually spoken in 2014 by Jean-Pierre Blais, the buttoned-down head of Canada’s equally buttoned-down telecommunications regulator, the Canadian Radio-television and Telecommunications Commission. At the time, Blais was announcing the CRTC’s role in enforcing Canada’s newly introduced anti-spam legislation, or CASL.

The message was clear: the CRTC is ready to get its hands dirty. And now it finally has.

In November of 2015, CRTC inspectors executed the first search warrant in the regulator’s nearly 50-year history. They entered a building in Brampton, Ontario to retrieve documents as part of a telemarketing investigation. Less than a month later, the CRTC executed yet another warrant, this time under CASL, shutting down a botnet server in Toronto as part of an international operation involving multiple agencies.

So far, it looks as though the CRTC is living up to Blais’ tough talk in 2014. And yet, knocking on doors and executing warrants seems a lot like something the cops would do, not a federal regulator in Canada.

The CRTC’s new attitude has its roots in the passing of Bill C-37 in 2005. This amended the Telecommunications Act to give the regulator new powers to enter and inspect businesses and places of interest, seek warrants to inspect people’s homes, and levy fines against telemarketers. The bill also created the National Do Not Call List (DNCL).

Read more here

#CyberFLASH: CRTC settles alleged CASL violation

crtc_logoOn November 20, 2015, the Canadian Radio-television and Tele-communications Commission (“CRTC”) announced that Rogers Media Inc. paid $200,000 as part of settlement of alleged violations of Canada’s anti-spam legislation (commonly known as “CASL”). The alleged CASL violations included the sending of commercial electronic messages containing a deficient unsubscribe mechanism.


CASL creates a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties designed to prohibit unsolicited or misleading commercial electronic messages (“CEMs”), the unauthorized commercial installation and use of computer programs on another person’s computer system and other forms of online fraud.

For most organizations, the key parts of CASL are the rules for CEMs. Subject to limited exceptions, CASL prohibits the sending of a CEM unless the recipient has given informed consent (express or implied in limited circumstances) to receive the CEM and the CEM complies with prescribed formalities (including an effective and promptly implemented unsubscribe mechanism) and is not misleading.

CASL and its regulations require that a regulated CEM “clearly and prominently set out” an unsubscribe mechanism that is “able to be readily performed”. CRTC guidance explains that an unsubscribe mechanism must be accessible “without difficulty or delay” and “simple, quick and easy” for a consumer to use. CASL requires that a CEM sender give effect to an unsubscribe request “without delay” and in any event no later than 10 business days after the unsubscribe request has been sent, all without any further action on behalf of the unsubscriber.

CASL and its regulations also require that a regulated CEM “clearly and prominently” set out prescribed information, including the name and contact information of the CEM sender, that remains valid for a minimum of 60 days after the CEM is sent.

Read more here

#CyberFLASH: Canada’s Anti-Spam Law Must Be Taken Seriously: The Case Of Porter Airlines

cra-passwords-security_211076204-e1402005190177Last June 29th, Porter Airlines Inc. agreed to pay $150,000 pursuant to an agreement with the Canadian Radio-television and Telecommunications Commission (CRTC), for alleged violations to Canada’s anti-spam law. Porter Airlines was indeed under investigation by the CRTC for these alleged violations.

On January 1st, 2014, the majority of the provisions of Canada’s anti-spam legislation came into force1. These provisions include those governing the transmission of unsolicited electronic messages for commercial reasons to recipients. It is, however, relevant to note that on January 15, 2015, the provisions of the Act dealing with the unsolicited installation of computer software came into force, while the provisions providing for the right to institute a private action against infringers will come into force only on July 1, 2017.

The last 18 months have revealed that the CRTC intends on setting examples to ensure that Canada’s anti-spam law is respected. In this regard, the recent case of Porter Airlines offers a striking example of the broad scope of this law, as well as the possible consequences of breaching its provisions, even unintentionally.

The Anti-Spam Act: Rules and Interdictions

Since January 1st, 2014, a company may not send unsolicited commercial electronic messages without obtaining the consent of the recipient. A commercial electronic message is defined as an e-mail of which the purpose is to encourage the recipient to participate in a commercial activity. This includes advertisement, offers to purchase or sell, as well as business or investment opportunities.

The recipient’s consent may be implicit in certain situations specifically provided for in the Act, such as when an “existing business relationship” exists between the sender and the recipient. If no implicit consent exists, the recipient’s consent needs to be expressed.

A request for consent must include specific information, including the purpose for which the consent is being sought and the information necessary to identify the person soliciting the recipient. Each commercial electronic message targeted by the Act must contain an “unsubscribe mechanism” allowing the recipient to freely express his willingness to stop receiving any commercial electronic messages.

Read more here

#CyberFLASH: Privacy law and anti-spam: Guidance from the Office of the Privacy Commissioner of Canada

images-126Recent enforcement under Canada’s anti-spam legislation (CASL) by the Canadian Radio-Television and Telecommunications Commission (CRTC) is keeping the spotlight on this new legislation, which came into force just last year. While the CRTC is responsible for the bulk of enforcement under CASL, organizations should remember that CASL also brought in changes to Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the collection, use and disclosure of personal information (including individuals’ email addresses).

The federal Office of the Privacy Commissioner of Canada (OPC) is responsible for investigating violations related to the new provisions under PIPEDA that target the practice of address harvesting. Address harvesting generally involves collecting electronic addresses through the use of a computer program, such as through web scraping, spyware, or automatic generation.

The OPC recently issued a guide and tip sheet for organizations on pratical steps to take to avoid contravening the PIPEDA requirements, including:

1. Obtain consent: Organizations must ensure that individuals are informed clearly and accurately at the point of collection about how their email addresses will be used. Just because an email address is posted online, it cannot be assumed that the individuals at the addresses posted have provided consent to receive email marketing. It is also useful to remember that there is no exception for address harvesting of business email addresses; PIPEDA’s definition of personal information includes business addresses.

2. Due Diligence with Service Providers: If an organization buys a list of email addresses from a vendor or employs service providers to conduct email marketing on their behalf, they should take due diligence steps by asking key questions, such as:

Read more here



The Canadian Radio-television and Telecommunications Commission (CRTC) announced today that by working with a small Saskatchewan business, it has stopped malicious spam messages from being sent to Canadians. Millions of spam messages were unknowingly being sent from a server owned by a Saskatchewan-based computer reseller.

In July 2014, the Spam Reporting Centre received reports of spam messages routed through Access Communications, an Internet service provider (ISP). During its investigation, the CRTC discovered that the spam messages were actually coming from a small business’s server, which used Access Communications as its ISP. This business’s server had become infected with malware, which had caused it to join the botnet “Ebury.” It is estimated that the infected server had sent millions of malicious spam messages without the business’s or Access Communications’ knowledge.

Once alerted to the situation by the CRTC, the small business and Access Communications fully cooperated and removed all traces of the malware.

Read more here

#CyberFLASH: Microsoft wavers on Canadian spam fears


Microsoft has reconsidered a move to cease security emails in Canada, following the introduction of an anti-spam law north of the border.

The company had originally intended to stop sending email notifications of its monthly security bulletins, as Canada’s anti-spam law came into effect. The law, passed in 2010, became effective July 1 and prohibits the sending of commercial email without explicit consent from recipients.

Canada’s anti-spam legislation is one of the most aggressive in the world, with potential fines of up to $10 million for companies contravening the rules. It requires senders to obtain opt-in permission from recipients. The law is administered by the Canadian Canadian Radio-television and Telecommunications Commission (CRTC).

Microsoft announced on June 27 that it would stop sending the email notices, which warn security administrators that updates to its software are on the way. It confirmed that the move was “due to changing governmental policies concerning the issuance of automated electronic messaging”

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.