Third Quarter Accounting & Tax Update - KPMG

Third Quarter Accounting & Tax Update Calgary, AB — October 3rd, 2016

Welcome Rick Whitley Regional Managing Partner

New partner announcement

Catherine Buhmiller Partner, Tax

Marcello D’Egidio Partner, Tax

Susanne DiCocco Partner, Advisory

Kimberly Payne Partner, Audit

Narmin Vasanji Partner, Advisory

David Yung Partner, Audit

© 2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.


Agenda

• Market activity overview – Chris Chan
• Regulatory update and impairment – Shane Doig
• Accounting updates – Reinier Deurwaarder
• Alberta carbon levy – Jeff Smith
• Tax dispute resolution update – Michel Bourque
• Cyber security – The Digital Privacy Act – Jeff Thomas
• Questions


Market activity overview

Chris Chan Partner, Advisory

Current environment and challenges

• Low price environment with continuing risk of global oversupply of oil
• Continuing decline in drilling activity due to limited capital availability
• Limited transactions in energy services sector with greater proportion of transactions in the midstream sector
• E&P producers’ focus on capital efficiency and cost reduction


Comparison of utilization

[Figure: Rig Utilization – rig utilization % (0% to 100%), Jan-10 to Oct-16, with average]

Source: Canadian Association of Oilwell Drilling Contractors and Daily Oil Bulletin, JuneWarren-Nickle's Energy Group


Capital cost

[Figure: Average Drilling and Completion Costs, 2012 to 2016 – series: Total D&C Costs, Average Cost per Stage]

Source: Canadian Discovery Frac Database


Comparison of M&A activities

[Figure: Energy Service and Midstream - No. of M&A Transactions, 2010 to 2016 YTD – series: Energy Services, Midstream]

Source: S&P Capital IQ and KPMG Analysis


Market metrics - Midstream

• Steady industry growth and cash flows over the past several years
• Relative consistency in observable trading multiples


Midstream

[Figure: Midstream EV/NTM Trading Multiple – Average and Median at 12/31/2013, 12/31/2014, 12/31/2015 and 6/30/2016]

Source: S&P Capital IQ and KPMG Analysis


Market metrics – Energy services

• Comparison of aggregate market cap of top energy service companies over the past several years
• Comparison of publicly traded trailing twelve months (TTM) and next twelve months (NTM) EBITDA multiples over the past several years
• TTM EBITDA multiples misleading in current environment
• 2017 and 2018 EV/EBITDA multiples reversing to historical forward multiples range


Comparison of market cap

[Figure: Aggregate Market Cap - Top 20 Energy Service Company]

Source: S&P Capital IQ and KPMG Analysis


Comparison of multiple – Top 20 energy service company

[Figure: two panels, Median EV/TTM EBITDA and Median EV/NTM EBITDA, 6/30/2010 to 9/23/2016; 2018 EV/EBITDA also shown]

Source: S&P Capital IQ and KPMG Analysis


Regulatory update and impairment

Shane Doig Partner, Audit

Regulatory update

CSA Notice 51-346 Continuous Disclosure Review Program - Fiscal 2016

Financial Statement deficiencies
• Market risk - sensitivity analysis
• Contingent consideration in business combinations
• Goodwill and intangible assets recognized in business combinations
• Functional currency
• Operating segment aggregation
• Credit risk disclosure

MD&A deficiencies
• Liquidity and capital resources
• Forward looking information
• Overall performance (discussion of operating segments)
• Non-GAAP financial measures disclosures

Regulatory update

CSA Notice 51-346 Continuous Disclosure Review Program - Fiscal 2016

Other
• Material contracts
• Audit committee composition – venture issuers
• Management information circular
• Annual information form
• Insider reporting
• Oil and gas reporting


Regulatory update

A few items to keep on your radar from the TSX:

TSX Disclosure Requirements for Compensation Arrangements – comment period ended June 2016
• Expanded disclosures around multipliers
• Several other disclosure amendments and alterations

TSX Proposes Issuer Website Disclosures – comment period ended June 2016
• Considerable information would be required to be retained on your website such as
  • Constating documents
  • Security holder rights plans
  • Stock based compensation plans
  • Various governance documents (position descriptions, charters, etc.)

Regulatory update

The new audit report – aka the “long form report”
• Significant audit areas are discussed in your audit report
• Disclosure of audit partner responsible

What is the current status of the legislation?
• International – effective for years ending on or after December 31, 2016
• Canada – considering deferral from 2017 to 2018 (for TSX and into 2019 for TSX-V). Currently early adoption is not permitted
• United States – re-exposure draft has been issued and no adoption date has been set


Impairment

Will triggers occur in Q3 or Q4?
• Now more than ever difficult to predict what will occur
• “System wide” impairment may be less likely in 2016 than in the prior year
• Individual facts and circumstances will need to be considered very closely

Some things to consider
• No triggers for impairment
• Trigger analysis must be specific to individual CGUs
• Considerable area of judgment – disclosures adequate?
• Triggers for impairment
• Discounted cash flow model versus estimated value of the fleet
• Goodwill and intangibles are gone – doesn’t mean there isn’t more to impair
• Use of appraisal reports – fair value, orderly liquidation, liquidation values

Impairment and ARO

| | Fair value less cost to sell | Value in use |
|---|---|---|
| Discounted cash flows | 100 | 100 |
| Costs to sell | (5) | |
| ARO – discounted at market rate | (10) | |
| ARO – provision as recorded in the F/S | | (30) |
| Recoverable amount | 85 | 70 |
| Net book value | 120 | 120 |
| ARO per the F/S | (30) | (30) |
| Net of ARO book value | 90 | 90 |
| Impairment | (5) | (20) |


Accounting updates

Reinier Deurwaarder Partner, Audit

Accounting updates

• IFRS 15 / ASC 606 – Revenue from Contracts with Customers
• IFRS 16 / ASC 842 – Leases
• IFRS 9 – Financial Instruments
• Extractive Sector Transparency Measures Act (ESTMA)


IFRS 15 - The five step model – A refresher

1. Identify the contract with a customer
2. Identify the performance obligations
3. Determine the transaction price
4. Allocate the transaction price
5. Recognize revenue

[Figure: five-step diagram – Revenue, 2018]

The new Revenue Standard also includes guidance for specific situations

Source: KPMG

IFRS 15 - The journey matters


IFRS 15 - What have we seen?

1. Progress is limited
2. Surprises
3. Scoping the project is difficult
4. Not just an accounting project
5. Differences


IFRS 16 – A refresher

2019

All major leases on-balance sheet

Balance sheet
• Asset = ‘Right-of-use’ of underlying asset
• Liability = Obligation to make lease payments

P&L
• Lease expense: Depreciation + Interest = Front-loaded total lease expense


IFRS 16 – Transition overview: Lessee operating lease

[Figure: transition flow with the stages “Identifying the population” and “Applying the standard”; steps shown: applying lease definition, apply recognition exemptions?, select transition option (full retrospective or modified retrospective)]

Source: KPMG


IFRS 9 - Refresher

2018

New financial instruments standard:
• Classification & Measurement
• Impairment
• Hedge accounting

Financial assets AR allowance


ESTMA - Refresher

• On June 1, 2015 the Extractive Sector Transparency Measures Act (the Act / ESTMA) came into force.
• The Act requires extractive entities to report annually on payments made to governments relating to the commercial development of oil, natural gas, or minerals, at home and abroad.
• ESTMA delivers on Canada’s international commitments to contribute to global efforts to increase transparency and deter corruption in the extractive sector.

[Map (2016) with the following jurisdiction labels and legend]

• Norway: Extractive industry country-by-country reporting
• Canada: Extractive Sector Transparency Measures Act
• US: Dodd Frank Act Section 1504 (consultation)
• EU: Accounting & Transparency Directive
• OECD: Base Erosion Profit Shifting (BEPS) – Country-by-country reporting by multinationals operating in OECD or G20 countries.
• UK: Report on payment to Governments Regulations 2014
• Australia: Corporations Amendment (Publish What You Pay) Bill 2014 (pending)

Legend
• EITI Candidate Country – Implementing EITI, not yet compliant
• EITI Compliant Country – confirmed to have met all EITI requirements
• Suspended – Compliant/Candidate status is temporarily suspended
• Other

Source: http://eiti.org/countries


Alberta carbon levy

Jeff Smith Senior Manager, Indirect Tax

Alberta carbon levy

Where do we stand today?

Two current pieces of legislation
• Bill 20 – Climate Leadership Implementation Act - passed on June 7, 2016.
• Specified Gas Emitters Regulation (“SGER”) (to the Climate Change and Emissions Management Act)

One outstanding piece of legislation
• Regulations to Climate Leadership Implementation Act


Alberta carbon levy - Framework

Specified Gas Emitters Regulation (“SGER”)
• Impacts Large Final Emitters (“LFE”) (> 100,000 tonnes of CO2e)
• SGER requires that performance improves year over year based on a baseline emissions test
• Covers 45% of emissions in the province today
• Price will increase from $15 today to $20 (2017) and $30 (2018)

New Carbon Levy
• Impact to consumers of fuels
• Estimated that it will cover an additional 45% of emissions

Source: KPMG


Alberta carbon pricing - Framework

Framework for LFEs

Framework for Conventional Drilling

• SGER to be replaced with Climate Competitiveness Regulation (CCR) in 2018

• Required Retrofitting of Pneumatic Pumps • Exemptions until 2023

• $15 per tonne increased to $20 and then $30

Framework for Distribution of Fuels

New Alberta Carbon Levy

Framework for Power Generation

• $ per litre

• Phase out of coal

• Collection mechanism – security vs tax

• Collection on retail sales

• Upstream/Midstream vs Downstream

Source: KPMG

Alberta carbon levy – Overview

Direct Remitters
• Registration requirement for sellers of fuel
• Proposed licensing requirement to manage exempt purchases/self-assessments
• May be required to register even where making all exempt sales

Self-Assessment of Levy
• Requirement to report and self-assess levy where consumption of own fuel

Exemptions
• Identify and manage exempt purchases to ensure proper payment of levy


We’re going green – Alberta carbon levy

Specific Exemptions
• Consumer with exemption certificate
• Consumer using fuel in SGER facility
• Consumer for prescribed use (as prescribed in the regulations)
• Consumer uses the fuel before 2023 as set out in the regulations
• Consumer of fuel used in farming
• Consumer uses fuel that is not combusted:
  • As a raw material in an industrial process that produces another fuel
  • As a raw material in an industrial process that produces something other than fuel
  • As a solvent or diluent in a pipeline
  • For prescribed use


Alberta carbon levy – Expected in regulations

2023 Exemption
• Available for fuel consumed in conventional oil and gas activities
• Uncertainty to what constitutes “conventional”
• Further uncertainty whether this extends to all fuel consumed – early indication was that it would only be available for “own use” fuel (i.e. would not be available to fuel purchased from a third party)

Licensing and Registration
• Indication that TRA would prefer to manage wholesalers and exporters with licensing - may be administrative in nature

SGER Reporting Facilities
• Analysis to whether more beneficial to report under SGER – opt in election not currently being considered
• Management of exemptions

Alberta - Carbon levy rates by type of fuel

| Type of Fuel | January 1, 2017 Rate ($20/ton) | January 1, 2018 Rate ($30/ton) |
|---|---|---|
| Aviation Jet Fuel | 5.17 ¢/L | 7.75 ¢/L |
| Aviation Gas | 4.98 ¢/L | 7.47 ¢/L |
| Bunker Fuel | 6.36 ¢/L | 9.55 ¢/L |
| Butane | 3.56 ¢/L | 5.34 ¢/L |
| Coal Coke | $63.59 /ton | $95.39 /ton |
| Coke Oven Gas | 1.40 ¢/m3 | 2.10 ¢/m3 |
| Diesel | 5.35 ¢/L | 8.03 ¢/L |
| Ethane | 2.04 ¢/L | 3.06 ¢/L |
| Gas Liquids | 3.33 ¢/L | 4.99 ¢/L |
| Gasoline | 4.49 ¢/L | 6.73 ¢/L |
| Heating Distillate Oil | 5.51 ¢/L | 8.27 ¢/L |
| Heavy Fuel Oil | 6.35 ¢/L | 9.53 ¢/L |
| High Heat Value Coal | $44.37 /ton | $66.56 /ton |
| Kerosene | 5.14 ¢/L | 7.71 ¢/L |
| Locomotive Diesel | 5.94 ¢/L | 8.90 ¢/L |
| Low Heat Value Coal | $35.39 /ton | $53.09 /ton |
| Methanol | 2.18 ¢/L | 3.26 ¢/L |
| Naphtha | 4.49 ¢/L | 6.73 ¢/L |
| Natural Gas | $1.011 /GJ | $1.517 /GJ |
| Non-Marketable or Raw Gas | $1.150 /GJ | $1.720 /GJ |
| Pentanes Plus | 3.82 ¢/L | 5.73 ¢/L |
| Propane | 3.08 ¢/L | 4.62 ¢/L |
| Refinery Gas | 3.77 ¢/m3 | 5.65 ¢/m3 |
| Refinery Petroleum Coke | $63.86 /ton | $95.79 /ton |
| Upgrader Petroleum Coke | $58.50 /ton | $87.75 /ton |

Source: Alberta Finance, 2016 Tax Plan


Alberta carbon levy – Final thoughts

• No regulations = No certainty but should be front of mind especially where new accounts and IT systems are impacted
• Likely necessary for various functions to collaborate, especially those impacted by both SGER and Carbon Levy
• May be a very short window to obtain registration and licenses – be prepared


Tax dispute resolution update

Michel Bourque Partner, Tax, KPMG Law LLP

Tax dispute resolution update

• Tax authority initiatives
• Tax authority areas of focus
• Encouraging developments in recent Tax Court of Canada appeals


Cyber security – The Digital Privacy Act

Jeff Thomas Partner, Advisory

Setting the stage

Regulatory responses

Europe
• General Data Protection Regulation

US
• State level
• Financial Sector – Gramm-Leach-Bliley
• Health Information – Health Insurance Portability and Accountability Act, American Recovery and Reinvestment Act
• US Personal Data Notification and Protection Act (draft)

Provinces
• Various acts


The Digital Privacy Act - Background

Background
• Digital Privacy Act (formerly Bill S-4) produced significant amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA)
• Royal Assent in June 2015 (many aspects already in force)
• “Breaches of Security Safeguards” deferred pending development of associated regulation
• Draft Breach Notification and Regulations issued for discussion March 2016
• Final Regulations are expected this fall

Today’s discussion will focus on the changes related to Breaches of Security Safeguards


The Digital Privacy Act – Your obligations

Breach disclosure obligations

Organizations must report
• To the Office of the Privacy Commissioner of Canada (OPC)
• Notify affected individuals
• To relevant third parties

About
• Breaches of Security Safeguards
• That pose a “real risk of significant harm” to affected individuals


The Digital Privacy Act – Your obligations

Definitions

Breach
• Personal information is lost, or accessed by an unauthorized individual
• The loss or access is a result of a violation of the organization’s security safeguards, or the failure to establish such safeguards

Notification
• Required as soon as feasible after an organization determines a breach has occurred
• Must notify third parties who could reduce the risk or mitigate harm (ex. law enforcement)

Record keeping
• Maintain a record of all breaches involving personal information, and
• Provide the OPC with the record on request

Significant harm
• Bodily harm, humiliations, damage to reputation or relationships, loss of employment or business opportunities, financial loss
• Organizations must consider the sensitivity of the information and the probability it will be misused

Penalties
• Failure to report to OPC or affected individuals, or to maintain a record of all breaches
• Maximum fine of $100,000


The Digital Privacy Act – When to report

Determining real risk of significant harm
• Organizations must conduct a situational analysis to determine whether or not the breach poses a “real risk of significant harm”
• Context of the breach is seen as critical and therefore even seemingly innocuous information could have seriously harmful information

Factors to consider include
• The nature of the information and its sensitivity, whether it is anonymized or encrypted, and whether it can inflict harm
• The cause and extent of the breach
• The individuals affected, including their number and relationship to the organization (customers/clients, employees, etc.)
• Foreseeable harm

Consider the need to review related policies, procedures, monitoring, and record keeping

The Digital Privacy Act – What to report

Reporting objective
• Enable OPC to provide oversight and compliance
• Standardized tracking of breaches

Current OPC voluntary reporting includes
• Date and location of the breach and date of its discovery
• Description of the incident
• Cause of the breach
• Estimated number of individuals affected
• Relation of individuals to the organization (employee, customer, etc.)
• Type of information involved
• Measures taken by the organization to contain the breach
• Whether anyone else has been notified of the incident (affected individuals, law enforcement, third parties) and when

The Digital Privacy Act – Reporting timeline

Current state for voluntary OPC reporting
• “As soon as feasible after the organization determines a breach has occurred”
• Designed to allow time to deal with the breach
• Recognizes that breach information may develop over time

Other considerations
• EU ePrivacy Directive requires initial reporting in 24 hours
• Should early reports be updated as new information is determined? At what frequency?


The Digital Privacy Act – Notification requirements

Notification to affected parties

Content

• “The notification shall contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any, to reduce the risk of the harm that could result from it or to mitigate that harm”
• Content requirements vary across provinces and countries
• Europe has the most detailed requirements including “likely consequences of the breach to the individual” and “steps the organization has taken to mitigate the risk”
• US notifications are often seen as confusing and containing too much legalese – making it difficult for affected individuals to understand the potential impact of the breach

Delivery

• Affected individual must clearly understand that their personal information has been compromised and they are at risk of potential harm
• Communicated directly to the individual in a manner that ensures it is not confused with “junk mail”
• Flexibility allowed to suit the circumstances, the organization, and the affected individuals
• Existing delivery requirements vary widely by jurisdiction


The Digital Privacy Act – Notification requirements

Notification to third parties

“An organization that notifies an individual of a breach of security safeguards …shall notify any other organization, a government institution, …of the breach if the notifying organization believes that the other organization or the government institution …may be able to reduce the risk of harm that could result from it or mitigate that harm, or if any of the prescribed conditions are satisfied.”

OPC currently specifies the following organizations for consideration:

• Law enforcement agencies, if theft or crime is suspected
• Insurance companies, if required by contract
• Professional or other regulatory bodies, as required by professional or regulatory standards
• Credit card companies, financial institutions, credit reporting agencies, if required to mitigate harm
• Union or employee bargaining units, if the breach involves their members

Reporting requirements vary considerably across geographies.


The Digital Privacy Act – Record keeping

Organizations that become aware of a breach of security safeguards must keep and maintain a record of the breach, regardless of the conclusion of their situational analysis into whether the breach poses a “real risk of significant harm”.

Objective

• Allow the Privacy Commissioner to execute their oversight and compliance mandate
• Force organizations to systematically document breaches, regardless of risk or severity, to enable organizations to take action on systemic problems and reduce the risk of future harm

Existing record keeping frameworks include information such as

• Details of the breach
• Risk assessment demonstrating the assessment of probability of harm, including where the risk is assessed as low
• Remedial actions taken


The Digital Privacy Act – Next steps

Consider understanding and assessing maturity of:

• Inventory of personal information
• Risk assessment of personal information
• Information security safeguards over personal information
• Breach detection and incident response processes
• Process for risk assessment of breach
• Record keeping
• Monitoring and compliance processes
• Regulatory compliance processes


Data Breach Preparation and Response

About the book

The first book to provide 360-degree visibility and guidance on how to proactively prepare for and manage a data breach and limit impact.

• Defines breach response plan requirements and describes how to develop a plan tailored for effectiveness within your organization
• Covers critical first-responder steps and breach management practices, including containing a breach and getting the scope right, the first time
• Offers guidance on how to manage internal and external breach communications, restore trust, and resume business operations after a breach, including the critical steps after the breach to reduce breach-related litigation and regulatory fines

About the author

Kevvie Fowler is a Partner and National Cyber Response Leader for KPMG Canada and has over 19 years of IT security and forensics experience. He is an instructor who trains law enforcement agencies on cyber forensic and response practices. Credited with advancing the field of digital forensic science, Kevvie is a SANS lethal forensicator and sits on the SANS Advisory Board where he guides the direction of emerging security and forensics research.

Contact partner for more information about obtaining a copy


Questions?

Today’s presentation will be posted to kpmg.ca/quarterlyupdate

Thank you

kpmg.ca

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.