You Are the Company You Keep: Managing Third Party Privacy Risk

  • July 04, 2024
  • Nadia Jandali Chao, partner, Lerners LLP

Privacy regulators across Canada are signalling an increased focus on a particular risk area: namely, reliance on service providers. In the past few weeks, we have seen a few key developments:

  • The announcement of a joint investigation by the Privacy Commissioner of Canada and the Privacy Commissioner for British Columbia into a company relied on by landlords for background screening of potential tenants.
  • The release of a new guidance document, Privacy and Access in Public Sector Contracting with Third Party Service Providers, by the Information and Privacy Commissioner of Ontario (see the bulletin drafted by Jennifer Hunter, Privacy and Access Considerations When Contracting With Third Parties: The IPC Provides New Guidance to Public Entities) for organizations subject to Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA). The guidance builds on the positions articulated in the IPC’s Privacy Complaint Report[1] from February 2024 regarding McMaster’s use of third party proctoring software (the “McMaster IPC Report”).
  • The Privacy Commissioner of Canada released its Annual Report to Parliament on June 6. One of the breach trends identified in the Report related to service providers: “Breach reports showed that third-party service providers, particularly IT and software providers, were targeted more frequently by threat actors.”

Further, the recently reported Ticketmaster privacy breach involved a service provider. In a filing with the US Securities and Exchange Commission, Live Nation (Ticketmaster’s parent company) stated: “On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) ….”[2] [emphasis added]

These events serve as a good opportunity to revisit what has always been an important topic. What are the risks that arise from relying on service providers to handle personal information, and how can those risks be best managed?