CASL, Enforcement thumb image

CASL: Personal Liability Exposure for Directors and Officers

An article from September 15, 2017 on underscores the point that an organization’s directors and officers can be potentially liable for a CASL infraction. The article also offers a few steps to help protect directors and officers of an organization from personal liability.

CASL’s anti-spam sections came into force on July 1, 2014. Every organization that CASL affects should now be complying with it – and their directors and officers need to make sure they do. CASL opens directors and officers up to personal liability for violations of it, so every director and officer must think about limiting her personal exposure. Here are five steps to get that process started.

Director and Officer Liability.
CASL expressly extends legal responsibility to both an organization’s directors and its officers. CASL says that an organization’s officers, directors and agents can be personally liable if the organization contravenes CASL, regardless of whether the Canadian Radio and Television Commission (the CRTC, the main agency charged with CASL’s administration) proceeds against the offending organization itself. To be personally liable, the officer, director, or agent must have:

  • directed the violation;
  • authorized the violation;
  • assented (somehow agreed) to the violation;
  • acquiesced in the violation (knew about it and allowed it to happen); or
    otherwise participated in the violation.

Click here to read the full article

Enforcement thumb image

More CASL Enforcement

An individual has been fined $15,000 for 10 violations by the CRTC. In an enforcement action, published last week, the CRTC stated:

The Commission imposes an administrative monetary penalty of $15,000 on William Rapanos for 10 violations of section 6 of Canada’s Anti-Spam Legislation. Specifically, Mr. Rapanos sent commercial electronic messages (i) that did not identify the sender, (ii) that did not include information that enables the recipient to readily contact the sender, (iii) without prior consent from the recipients, and (iv) that, in certain cases, did not include a functioning unsubscribe mechanism.

For more information please read this article by Word to the Wise regarding this incident or the original CRTC enforcement action.

Enforcement thumb image

CRTC CASL Compliance and Enforcement Update

On February 12th Lynne Perrault and Dana-Lynn Wood did a presentation to continue the CRTC’s “on-going dialogue” with industry. Keith Rose wrote a great synopsis for snIP/ITs:

As of early February 2016, the SRC has received over 500,000 complaints. These have been received fairly steadily at a rate of about 22,000 per month (5,000 – 6,000 per week), although there is a noticeable spike each time the CRTC issues an enforcement announcement.

More than 80% of the submissions from Canadians (a subset – the SRC accepts submissions from non-Canadians as well) have been about email. SMS is the next largest category, at about 13%. However, this may reflect (at least in part) the fact that the collection mechanisms that the SRC uses were largely designed with email in mind and it is much easier to report an email message to the SRC than any other kind of CEM.

An overwhelming 94% of complaints involved some form of consent issue (including both initial consent and withdrawal of consent/unsubscribe issues). Approximately 1/3 of complaints involved the identification requirements, and slightly less than that (28%) involved some allegation of deceptive marketing practices. (The numbers do not add up to 100% because complaints may involve multiple issues. Also, to be clear, the analysis is of issues reported by the complainants without any attempt to assess their merits.)

The presenters also addressed the interpretation of the due diligence provisions of the Act. As they explained it, whether an organization has exercised due diligence is an all-or-nothing question; there is no partial defence.

The presenters referred to a number of factors or tests that might be applied, including having adequate written policies with adequate on-going training, contemporaneous record-keeping, active monitoring and enforcement to put those policies into practice as well as responsiveness to complaints, problems and to inquiries from the CRTC. It was not entirely clear whether these were factors to consider, if relevant, or tests that would apply on a cumulative basis. But in any case, the Commission’s view seems to be that due diligence is not a one-time activity; it is an on-going, day-to-day activity that organizations will have to practice and document if they want to be able to rely on it as a defence.

To read the rest of the synopsis please visit:

Enforcement thumb image

CRTC executes warrant in malicious malware investigation

The CRTC has executed their second warrant under Canada’s anti-spam legislation at two locations in the Niagara region. The warrant was obtained as part of an ongoing investigation relating to the installation of malware based on a lead from FireEye Inc. (a cyber threat protection and forensics specialist).

“We are working to protect Canadians from online threats by pursuing those individuals and entities who violate Canada’s anti-spam legislation. We are grateful for the assistance that FireEye Inc. provided which led to the execution of this warrant, and we will continue to work closely with our domestic and international partners in the fight against cyber threats.”

Manon Bombardier
CRTC Chief Compliance and Enforcement Officer

At the moment details are sparse but visit the Government of Canada new release for more details.