CASL Now Being Used to Crack Down on Cyber Incidents

Since 2014, Canada’s Anti-Spam Legislation (CASL) has been used to crack down on companies sending out spam emails and other unwanted electronic communications. But recent CASL fines indicate the legislation is also being used to crack down on cyber incidents.

On January 26, 2022, the Canadian Radio-television and Telecommunications Commission (CRTC) announced it had fined four individuals who were allegedly active on the Dark Web. According to the CRTC, the individuals allegedly sent out emails mimicking well-known brands in an effort to steal credit card numbers, banking credentials and other sensitive information. The four individuals were fined for sending commercial electronic messages without consent – a violation of CASL.

CRTC Hints at Additional Dark Web Enforcement “in the Near Future”

Each of the people fined was allegedly involved in a Dark Web marketplace called Canadian HeadQuarters (CanadianHQ), a website that sold stolen credentials, spamming services, phishing kits and access to compromised computers. CanadianHQ was taken offline following a CRTC investigation.

The CRTC fined three individuals $50,000 each for violating CASL. A fourth individual, who was identified by the CRTC as the alleged creator and administrator of CanadianHQ, was fined $150,000.

The fourth individual received a higher penalty for “allegedly aiding in the commission of numerous violations of CASL by [CanadianHQ’s] vendors and customers,” the CRTC said, adding that its investigation uncovered other vendors on the Dark Web who will face enforcement actions “in the near future.”

What This Means for Legitimate Businesses

Legitimate businesses can face hefty fines for sending out spam emails – and so can people who send out spoof emails designed to look like they’re from legitimate businesses. If your business has been “spoofed” in an attempt to steal your customers’ sensitive information, you may be glad to see the CRTC using CASL to crack down on cyber incidents, and this may become a useful tool in the future.

That said, legitimate businesses that send out electronic communications without consent also risk hefty fines from the CRTC. Before you click send on an email or text message to your clients or prospective clients, it’s important to make sure you have their consent.

The lawyers in our Privacy, Data Protection & Cybersecurity team have extensive experience advising clients on CASL compliance and helping them avoid costly fines. We’ve also developed a CASL Compliance Guide and Checklist to help you review your organization’s practices and ensure you remain CASL compliant when sending out commercial electronic messages. Fill out the form below to download our checklist.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.