Training and education key for compliance with CASL

Training and educating employees about the risks and penalties associated with violating Canada’s Anti-Spam Legislation (CASL) is key to managing emerging privacy challenges, speakers said last week at the Canadian Insurance Financial Forum.

CASL came into effect on July 1, 2014 and prohibits the sending of a commercial electronic message (CEM) without consent or implied consent. Under the legislation, a CEM (such as an email, text message or instant message) is a message that “encourages participation in a commercial activity, including, but not limited to: offering, advertising or promoting a product, a service or a person,” according to the CRTC. Penalties for the most serious violations can go as high as $10 million for businesses and $1 million for individuals.

“If you do have one rogue employee who sends off a CEM and doesn’t have proper form of contact, an unsubscribe mechanism, and there ends up being a complaint, the regulator will look at what you’ve done as far as training and making sure that everyone is aware and you’ve put in the due diligence,” said Jennifer Drost, chief compliance officer and senior counsel, Canada, with Travelers Canada.

“That will be something that they will take into consideration. So make sure you do educate the employees and make sure they understand the procedures for complying with CASL,” she added during the privacy session, titled Emerging Privacy and Data Risk Management Challenges, at the Metro Toronto Convention Centre.

For insurance companies, compliance depends on whether the insurer is selling directly to the consumer or using brokers exclusively, Drost said. “If you are selling directly to the policyholders, then yes, you are going to have to comply completely with CASL and deal with all the consents and make sure you have the form of contact requirements,” she said, referring to a valid unsubscribe mechanism.

“But if you are using an insurance broker, then you’re not dealing with the policyholder directly, so you’re not the ones sending the CEMS directly to them. So brokers are the ones who have to make sure they are complying with CASL when they are sending out marketing materials, prospecting, getting new clients,” Drost (pictured below) told conference attendees.

But the lines of responsibility can get blurred and “the regulators haven’t really been addressing this that much,” she said. “Are [brokers] sending [CEMs] out on the insurance company’s behalf or are they sending them out for themselves to the policyholders, who are really their clients?” she asked. “We certainly take the view that it’s the broker who is responsible for complying with the legislation.”

Calling it a “policy nightmare,” Adam Kardash, partner, Privacy & Information Management, Osler, Hoskin & Harcourt LLP, told attendees that “a lot of the examples we had to consider under CASL were ridiculous, had nothing to do with unwanted messaging.” Adding to the issue is rapidly changing developments in information technology. “What we are experiencing now is not just lightning speed, it’s almost surreal the pace in which there’s technological change,” he said. “In the last 18 months to two years, there’s been an absolute explosion in data. The amount of data that our clients are dealing with now are not just large amounts, they’re incalculable.”

With the huge amounts of data, it can be difficult to determine how to comply with the legislation. Drost said that the following examples might cause some red flags to pop up: emails to a non-contracted broker about setting up a new contract with the insurance company; an email blast of marketing materials to a broker; text messages or instant messages (for example, a consultant requesting an appraisal or inspection report); voicemail messages that come into email; and sending an email to a broker to invite them to, for example, a sporting or charity event.

But there are some steps that companies can take to ensure that their brokers are compliant, Drost noted. Companies should ensure that contracts with brokers are complying with the law, even specifically mentioning CASL, and put notice into the contract that the broker consents, on its employees behalf, to CEMs being sent to their employees, Drost recommended. “That’s a little something extra that you can have that gives you that express consent,” she says.

Other suggestions include: taking inventory (identifying CEMs and going across all lines of the business to see how the company communicates with customers using CEMs); determining if there are any exemptions (complete or partial and if the consent is expressed or implied); having a reliable system to track consents; requiring in contracts that third-party service providers comply with CASL; and keeping record of security breaches.

Noting that Alberta already has breach notification requirements, Drost gave an example of an insurance company where “there was some unauthorized access given when there was some migration to a server, so some people had access to information they shouldn’t have,” such as resumes and offer letters.

Although the people said that they didn’t view the information, the Alberta commissioner determined that some of this information was “moderately to highly sensitive information and there was a real risk of significant harm, so they required notification to individuals,” Drost related. “If their notification requirements are any indication of what it’s going to be like once the new legislation comes in federally, it’s going to be extremely onerous on insurance companies.”

More coverage of the Canadian Insurance Financial Forum

Canadian commercial lines writers see improved combined ratio in Q1 2015

Number of wildfires in Canada double since the same time last year: CatIQ