By Richard Stobbe

Canada’s Anti-Spam Law (affectionately known as CASL) is best known as a means to combat unwanted email and other commercial electronic messages, but the law also contains anti-malware provisions. We first reviewed those software-related provisions in 2014, when the legislation was being rolled out. Essentially, you can’t install software onto someone’s computer or device without getting their consent.

The CRTC recently announced an enforcement action against two Ontario companies, Datablocks and Sunlight Media, and assessed a Notice of Violation carrying penalties of $250,000, for allegedly aiding in the installation of malware through the distribution of online advertising. The penalty can be disputed by the two companies.

This recent notice of a possible penalty comes hot on the heels of a search warrant which was executed in January, 2016.  So, that means the legislation came into force in January, 2015… the first search warrant was in 2016… the first penalties were assessed in July 2018. Not exactly an enforcement blitz.

Perhaps the take-home message from this case is that the companies in question are alleged to have accepted anonymous clients who then deployed malware to the computer systems of Canadians using the infrastructure and operations of Datablocks and Sunlight Media.  It may be good practice for vendors to implement some version of the “know your client” rules that currently apply to banks, financial advisors, lawyers and other professional advisors. At a minimum, compliance should involve written agreements with clients or customers, and according to the CRTC, neither Datablocks nor Sunlight had written contracts in place with their clients regarding compliance with CASL, or monitoring measures in place to guard against this risk.

Calgary – 07:00