Transmission of malware leads to CASL fine for two companies
In a novel enforcement step, the Canadian Radio-television and Telecommunications Commission (CRTC) levied administrative monetary penalties (AMPs) totaling $250,000 against two companies for aiding in the installation of malware via online advertising. The penalties, and associated notices of violation, were issued under Canada’s Anti-Spam Legislation (CASL) on 11 July 2018. This marks the first time that CASL has been used by the CRTC to penalize malware installation.
Sunlight Media Network Inc. (Sunlight) and Datablocks, Inc. (Datablocks) provide networks to online third-party advertisers, allowing them to distribute their advertisements on various legitimate websites. However, these advertisers installed malicious programs on the devices of users who viewed the advertisements. The malware allowed the same third-party clients who initially created the advertisements to lock user’s systems, steal their data, or use their computer resources for financial gain. In so doing, these unnamed clients violated CASL, with the CRTC alleging that Sunlight and Datablocks aided the contraventions. Specifically, the CRTC alleged that Sunlight accepted anonymous and unverified clients who used its services to distribute the malware, and Datablocks provided the necessary software for Sunlight’s clients to carry this out. After investigation, the CRTC found that both companies could have prevented the distribution of malware, but omitted to implement the necessary safeguards to that effect, thus violating CASL. Datablocks faced a fine of $100,000, while a $150,000 fine was levied against Sunlife.
Companies and their management would be wise to remember that the compliance regime created by CASL is not limited to practices surrounding the distribution of commercial electronic messages. Rather, CASL’s application extends to the installation of programs on another’s computing device as well. Moreover, as illustrated by these AMPs, online intermediaries, such as organizations that provide infrastructure or advertising networks, may also be targeted by the CRTC for CASL enforcement action. As a compliment to fulsome internal compliance mechanisms, cyber liability insurance can help organizations looking to transfer some of the risk that can arise should malicious code be unwittingly transferred to third parties. The policy will cover defence costs, judgments and settlements where the organization is involved in third-party litigation or a regulatory proceeding. If the cyber liability insurance your company procures contains robust wording, you may also have the ability to argue that non-criminal fines and penalties, such as some of the AMPs imposed under CASL, are insurable and thus covered under the policy.