Data Breach Notification Obligations Coming into Force
This article originally appeared on The Lawyer’s Daily website published by LexisNexis Canada Inc. on May 7, 2018.
On June 18, 2015, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) was amended to impose data breach reporting requirements. On April 18, 2018, the federal government released the Breach of Security Safeguards Regulations (The “Regulation”), which set forth the rules and requirements applicable in the event of a breach of security safeguards affecting personal information. The Regulation will come into effect on November 1, 2018, at the same time as the statutory requirements pertaining to data breach reporting.
This delay should be used by organizations to review their incident readiness and response processes and procedures and ensure they are ready to monitor record and report security incidents in compliant fashion. We set out the gist of these statutory and regulatory requirements.
Mandatory data breach reporting under PIPEDA: PIPEDA is a federal statute that applies in all provinces except those that have enacted comprehensive privacy legislation deemed substantially similar such as Quebec, Alberta and British Columbia. PIPEDA also applies to federally regulated business regardless of the location of their activities. Alberta is currently the only province to have introduced breach notification requirements in its legislation, but Quebec and B.C. are expected to follow suit. Failing to do so would likely entail a review of the federal government’s position as to the substantial similarity of the provincial statutes.
Under PIPEDA, organizations that experience a data breach will have to determine whether the incident poses a “real risk of significant harm” to any individual whose information was involved, considering the sensitivity of it and the probability of misuse. If so, they will have to notify affected individuals and report to the Privacy Commissioner of Canada as soon as practicable. They will also have to notify other organizations that could mitigate harm to affected individuals. Finally, organizations are required to maintain a record of any data breach it becomes aware.
Specifications provided by the Regulations: The Regulations specify the minimum requirements for notifying affected individuals and reporting to the Commissioner, as well as the scope and retention period for data breach record-keeping.
Notifying affected individuals: The Regulations list what information must be contained in a notification to affected individuals. In short, notifications must at least describe, using the best information available:
- The circumstances and timing of the breach;
- What information was involved;
- Risk or harm mitigation measures taken or available;
- How to obtain further information.
The format, design and means of notification—any means that “would be considered reasonable under the circumstances” is acceptable—have been either broadly defined or left unregulated, such that the Regulations are flexible and technologically neutral.
Direct notification is the default rule, but notification through “public communication” will be permitted if direct notification is likely to cause further harm or if it would result in “undue hardship” for the organization (another broad, adaptable notion), for example.
Reporting to the Commissioner: The Regulations list what information must be contained in the reports to be provided to the Commissioner as required under the Act. This information is comparable to the information listed above, but also includes the cause of the breach, if known, and steps taken or to be taken to notify individuals.
Data breach record-keeping: The Regulations specify that organization must maintain a record of “every” data breach—even those determined not to pose a “real risk of significant harm”—for at least 24 months (the Commissioner recommends that records be kept for five years) from the day on which the organization concludes that the breach has occurred. Such record must contain “any information that enables the Commissioner to verify compliance”.
All things considered, the amendments to PIPEDA and theses Regulations align closely with the recommendations of the Office of the Privacy Commissioner of Canada (OPC), with the breach notification rules adopted by Alberta and certain US states, and with the core of the personal data breach reporting obligations set forth in the EU’s General Data Protection Regulation coming into force in May 2018.
Why all this is important: The Regulations aim to ensure that all Canadians (and the Commissioner) receive consistent and timely information about data breaches that pose a risk of significant harm to them. It will thus provide a levelled playing field imposing notification to all organisations and setting aside the reputational damage element that has kept business from providing notices in the past.
In view of the importance of mitigation efforts in the appreciation of fault and liability for damages, and the greater scrutiny that the regulation will entail, we recommend that organisations:
- review the adequacy of their security procedures and safeguards;
- review or implement cyber security training within their organisation;
- review or implement an incident response plan;
- consider cyber security insurance coverage.