CASL’s anti-spam sections came into force on July 1, 2014. Every organization that CASL affects should now be complying with it – and their directors and officers need to make sure they do. CASL opens directors and officers up to personal liability for violations of it, so every director and officer must think about limiting her personal exposure. Here are five steps to get that process started.

Director and Officer Liability. CASL expressly extends legal responsibility to both an organization’s directors and its officers. CASL says that an organization’s officers, directors and agents can be personally liable if the organization contravenes CASL, regardless of whether the Canadian Radio and Television Commission (the CRTC, the main agency charged with CASL’s administration) proceeds against the offending organization itself. To be personally liable, the officer, director, or agent must have:

• directed the violation;
• authorized the violation;
• assented (somehow agreed) to the violation;
• acquiesced in the violation (knew about it and allowed it to happen); or
• otherwise participated in the violation.

Teeth. CASL gives the CRTC the teeth to back it up. Individuals and organizations that don’t comply with CASL risk significant penalties – any of which can be imposed or brought against an offending organization’s directors or officers personally:

• The CRTC has the power to impose monetary penalties of up to $1M on individuals and $10M on other entities.
• The CRTC can also bring a criminal charge for obstructing a CASL investigation, failing to comply with a demand to preserve transmission data, or failing to produce documents when required.

Effective July 1, 2017, a person or corporation affected by a CASL contravention can bring a civil lawsuit against the offending person or entity – and seek remedies including monetary compensation and expenses. The maximum penalties are $200 for each commercial electronic message contravention (to a maximum of $1M/day), and $1M for each day on which a software contravention occurs (CASL’s software sections come into force on January 1, 2015).

Due Diligence Defence. CASL does, however, provide a “due diligence” defence. So, when the CRTC seeks to impose personal liability on an

organization’s directors or officers for a CASL violation, they – or the organization itself – may be able to raise the defence that they exercised due diligence if:

• the organization took reasonable steps, including at the board and executive levels, to prevent the CASL violation; and
• the organization can prove that it took those reasonable steps with records and/or other tangible evidence that clearly demonstrate the steps taken to avoid violating CASL.

Executive Compliance Program. Every organization that CASL affects needs a CASL compliance program. But directors and officers must ask themselves whether there are sufficient compliance mechanisms at the board and executive levels to avoid running into personal liability issues down the road: have the board and the executive taken all reasonable steps to prevent a CASL violation?

Designing and implementing an executive CASL compliance program specific to its directors and officers is a way to for them to exercise – and prove – due diligence to help protect them from personal liability under CASL. Here are five ideas to start that process:

1. Audits. Require the organization to conduct regular internal audits on CASL compliance overseen by the officers and management team to prevent and detect CASL violations.
2. Routine Reporting. Require routine reporting, perhaps monthly or quarterly, by the organization’s officers and management team to its board of directors respecting the organization’s audit results.
3. Periodic Reporting. Require reporting by the officers and management team to the board of directors whenever the organization updates or modifies the corporate CASL compliance procedures and policies, and immediate reporting to the board and executive of any complaints that could signal non-compliance.
4. Chief CASL Compliance Officer. Appoint a member of the senior management team as chief compliance officer responsible for managing and reporting on the executive compliance program.
5. Attestations. Require CASL compliance attestations from senior management in the course of the organization’s regular compliance process.

Visit our CASL Knowledge Page at www.mcinnescooper.com/services/privacy/casl/ to learn more about CASL.

McInnes Cooper has prepared this article for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this article. McInnes Cooper excludes all liability for anything contained in this article and any use you make of it.

© McInnes Cooper, 2014. All rights reserved. McInnes Cooper owns the copyright in this article. You may only reproduce and distribute it with McInnes Cooper’s consent. Email McInnes Cooper at publications@mcinnescooper.com to request consent.

About the Authors:

David Fraser is a partner with McInnes Cooper and leads its Privacy Law and CASL Teams. David is recognized as a foremost Canadian technology and privacy lawyer and has extensive experience advising private and public sector clients on implementing compliance programs for Canadian privacy legislation, including CASL. You can reach David at david.fraser@mcinnescooper.com.

Trent Skanes is a lawyer with McInnes Cooper, and a member its CASL and Corporate and Business Law teams. You can reach Trent at trent.skanes@mcinnescooper.com.