McCarthy Tétrault LLP Box 48, Suite 4700 Toronto Dominion Bank Tower Toronto ON M5K 1E6 Doing the Deal: Privacy, Security and Risk.
Doing the Deal: Privacy, Security and Risk Issues in Outsourcing
The Seventh Annual IT Law Spring Training Program, May 14, 2007
Barry Sookman, McCarthy Tétrault LLP

2 OSFI Guidelines
Released on December 15. Sets out OSFI's expectations for federally regulated entities ("FREs") that outsource any of their business activities.
Under the guideline, FREs are expected to:
- evaluate the risks associated with all existing and proposed outsourcing arrangements;
- develop a process for determining the materiality of arrangements;
- implement a program for managing and monitoring risks, depending on the materiality of the arrangements; and
- ensure that the board of directors, chief agent or principal officer receives information sufficient to enable them to discharge their duties under the Guideline.

3 When and How They Apply
Applies, inter alia, to banks, trust and loan companies, cooperative credit associations, insurance companies, holding companies and subsidiaries, and branches.
Applies to an agreement between an FRE and a service provider whereby the service provider performs a business activity that is, or could be, undertaken by the FRE.
Why do the expectations matter for outsourcing arrangements that do not involve FREs? Because they are prudent practices, applied according to the nature of the outsourcing and the circumstances of the FRE.
FREs are to use sound judgment. The expectations may vary, depending on the nature of the outsourcing being contemplated and the relationship between the FRE and the service provider.

4 Due Diligence Processes
FREs must conduct an internal due diligence to determine the nature and scope of the business activity to be outsourced, its relationship to the rest of the FRE's activities, and how the activity is managed.
In selecting a service provider, or renewing a contract or outsourcing arrangement, FREs are expected to undertake a due diligence process that fully assesses the risks associated with the outsourcing arrangement and addresses all relevant aspects of the service provider, including qualitative (i.e., operational) and quantitative (i.e., financial) factors.
For foreign deals, the FRE should pay particular attention to the legal requirements of that jurisdiction, to the potential foreign political, economic and social conditions and events that may reduce the foreign service provider's ability to provide the service, and to any additional risk factors that may require adjustment to the risk management program.

5 Contracting for Services – Scope of Service
OSFI expects material outsourcing arrangements to be documented by a written contract that addresses all elements of the arrangement. FREs are expected to address all issues relevant to managing the risks associated with each outsourcing arrangement, to the extent feasible and reasonable given the circumstances.
- The contract must document the nature and scope of the service being provided.
- Performance measures should be established that allow each party to determine whether the commitments contained in the contract are being fulfilled.
- The contract is expected to specify the type and frequency of reports that allow the FRE to assess whether the performance measures are being met, and any other information required for the FRE's monitoring program.
- The contract must include procedures and requirements for reporting to the FRE any events that may have the potential to materially affect the delivery of the service.

6 Service Provider Contingency Planning
The contract should outline the service provider's measures for ensuring the continuation of the outsourced business activity in the event of problems affecting the service provider's operations. The service provider must regularly test its business recovery system and notify the FRE of the test results. The FRE should be notified in the event that the service provider makes significant changes to its business resumption and contingency plans, or encounters other circumstances that might have a serious impact on the service.

7 FRE Business Continuity Plan
An FRE's business continuity plan should address reasonably foreseeable situations where the service provider fails to continue providing service. The business continuity plan and back-up systems should be commensurate with the risk of a service disruption. The FRE must have in its possession, or be able to readily access, all records necessary to allow it to sustain business operations, meet its statutory obligations, and provide all information that may be required by OSFI to meet its legislated mandate, in the event the service provider is unable to provide the service.

8 Audit Rights The contract must stipulate the audit rights of the FRE. The FRE must have the right to evaluate the service provided or, alternatively to cause an independent auditor to evaluate, on its behalf, the service provided. This includes a review of the service provider’s internal control environment as it relates to the service being provided. OSFI must be given rights of access and audit.

9 Subcontracting The contract is expected to set out any rules or limitations to subcontracting by the service provider. Security and confidentiality standards should apply to subcontracting or outsourcing arrangements by the primary service provider. The audit and inspection rights of both the FRE and OSFI should continue to apply to all significant subcontracting arrangements.

10 Monitoring the Outsourcing Arrangement
The FRE should monitor all material outsourcing arrangements to ensure that the service is being delivered in the manner expected and in accordance with the terms of the contract. Monitoring may take the form of regular, formal meetings with the service provider and/or periodic reviews of the outsourcing arrangement's performance measures.
An FRE should review its material outsourcing arrangements to ensure compliance with its outsourcing risk policies and procedures and with the expectations of the Guideline. Reviews of material outsourcing arrangements should be periodically undertaken by the FRE's internal audit department or another independent review function, either internal or external to the FRE, provided it has the appropriate knowledge and skills. Management should adjust the scope of the review depending on the nature of the outsourcing arrangement.

11 Monitoring the Service Provider At least annually, the FRE should review the service provider to ascertain its ability to continue to deliver the service in the manner expected. The review could include an assessment of the service provider’s circumstances including its financial strength, prospects and technical competence.

12 Requirement to Maintain Copies and Process Information in Canada
April 20, 2007 amendments to the Bank Act, the Insurance Companies Act and the Trust and Loan Companies Act removed the requirement for an Exemption Order to be issued by OSFI before data could be processed or stored off-shore. The Bank Act now provides:
"245. (1) If the Superintendent is of the opinion that it is incompatible with the fulfilment of the Superintendent's responsibilities under this Act for a bank to maintain, in another country, copies of records referred to in section 238 or of its central securities register or for a bank to process, in another country, information or data relating to the preparation and maintenance of those records or of its central securities register — or if the Superintendent is advised by the Minister that, in the opinion of the Minister, it is not in the national interest for a bank to do any of those activities in another country — the Superintendent shall direct the bank to not maintain those copies, or to not process the information or data, as the case may be, in that other country or to maintain those copies or to process the information or data only in Canada."

13 Confidentiality and Security
The contract must set out the FRE's requirements for confidentiality and security. Ideally, the security and confidentiality policies adopted by the service provider would be commensurate with those of the FRE and should meet a reasonable standard in the circumstances. OSFI expects appropriate security and data confidentiality protections to be in place.
The contract should address:
- which party has responsibility for protection mechanisms;
- the scope of the information to be protected;
- the powers of each party to change security procedures and requirements;
- which party may be liable for any losses that might result from a security breach; and
- notification requirements if there is a breach of security.

14 How to Deal With Security
Who has the obligation to define security standards and processes to address unauthorized access to data? Relevant factors:
- expertise and personnel;
- technical competence;
- who has control over the function;
- regulatory responsibilities;
- the risks of assuming or delegating security responsibilities.
Ongoing responsibilities: dealing with new threats as they emerge.
Dealing with contaminants (viruses and other malicious code).
Dealing with inherited problems (weaknesses already present in the systems or data being taken over).
What is the standard? E.g., comply with a schedule, provide "adequate" safeguards, "commercially reasonable" efforts, a strict standard, or agreement to specified security processes, policies and practices?
Who bears the costs of dealing with security?

15 How to Deal with Privacy
What is the appropriate allocation of responsibilities for privacy compliance?
- Customer responsibility to define the scope of rights to access, use and disclose PI.
- Customer responsibility to obtain consents, including consents for processing PI outside of Canada.
- Vendor policies, training and practices.
- Dealing with Patriot Act concerns, e.g., limitations on the vendor's right to process or transmit data outside of Canada, contractual provisions to mitigate Patriot Act disclosures, and vendor duties when served with an order or subpoena to disclose information.
- Dealing with changes in law.

16 Allocation of Risks for Breaches of Security and Privacy
Are breaches of security and privacy obligations different from breaches of confidentiality?
Should liability be strict, or should it require a higher standard of fault?
What are the limits of liability: normal caps, stretch caps, or no caps?
