The New Mandatory Data Breach Reporting Regimes: Four Key Elements
On October 15, 2018 Statistics Canada published the results of a survey on cyber-security revealing that more than one in five Canadian businesses has been targeted by a cyber-attack, and that in 2017 they spent $14 billion to prevent and/or deal with the consequences of such security incidents[1]. As a general rule, businesses have no legal obligation to report a cyber-attack to government authorities unless personal information is involved and applicable legislation imposes a mandatory reporting regime. As the Act respecting the protection of personal information in the private sector[2] (the “Quebec Statute”) and Canada’s Personal Information Protection and Electronic Documents Act[3] (“PIPEDA”) impose no such regime, Quebec enterprises were not subject to such an obligation.
However, recent legislative developments may have changed this situation for certain Quebec businesses. In 2018, two mandatory reporting regimes that can potentially apply to them came into force in Europe and Canada: the European Union’s General Data Protection Regulation[4] (“GDPR”), in effect since May 25, 2018, and, under PIPEDA, the new Breach of Security Safeguards Regulations[5] (the “Regulation”), effective as of November 1, 2018.
Is your business subject to either of these new mandatory reporting regimes? If so, what are the principal differences between the two regimes? Here are the four key things you need to know.
1. To whom does the regime apply?
GDPR
The GDPR applies to the processing of personal data in connection with the activities of data controllers or processors within the territory of the European Union. To the extent that a Quebec business has an establishment in the EU, the GDPR thus applies to its data processing activities.
The GDPR also applies to the processing of personal data by data controllers or processors outside of the EU in connection with:
a) offering goods or services to persons in the EU, whether or not a payment is involved; and
b) monitoring the behaviour of persons, insofar as that behaviour takes place within the EU.
Thus, a Quebec business with no establishment in the EU may be subject to the GDPR to the extent that any data processing it does meets the criteria for the GDPR’s extraterritorial application.
PIPEDA / Regulation
PIPEDA applies:
a) to federally regulated organizations (such as banks, telecommunications and transportation companies) and their employees;
b) in provinces where there is no legislation substantially similar to PIPEDA, except insofar as employees are concerned[6];
c) to interprovincial or international transfers of personal information.
Because the Quebec Statute is substantially similar to PIPEDA, the latter only applies in Quebec to federally regulated businesses or businesses that collect, use or disclose personal information outside of the province[7].
2. What is the standard giving rise to the obligation to report?
GDPR
The standard differs depending on whether it is the supervisory authority that must be notified, or the individuals concerned (“data subjects”).
The competent supervisory authority must be notified if the breach is “likely to result in a risk to the rights and freedoms of natural persons”[8]. However, notice to individuals themselves is only required where the breach is “likely to result in a high risk” to their rights and freedoms[9].
It is thus possible for a situation to arise where, despite a breach reported to the supervisory authority, the data subjects will not be notified.
PIPEDA / Regulation
The standard under PIPEDA for reporting to the Privacy Commissioner (the “Commissioner”) and notifying affected individuals is the same, i.e. if it is reasonable to believe that the breach creates a “real risk of significant harm” to an individual[10].
The concept of significant harm is broadly defined to include a wide range of situations such as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”[11]. PIPEDA also specifies the factors for determining whether a breach creates a real risk of significant harm, including the sensitivity of the personal information and the probability that it has been or will be misused[12].
3. What is the time limit for reporting?
GDPR
The competent supervisory authority must be informed “without undue delay”, and if possible no later than 72 hours after having become aware of a breach[13]. Where the notification is not made within 72 hours, it must be accompanied by the reasons for the delay.
The data subjects must be informed “without undue delay”, but no time limit is stipulated.
PIPEDA / Regulation
Both the Commissioner and affected individuals must be notified “as soon as feasible” after the organization determines that a breach has occurred[14].
4. What information must be provided?
GDPR
The controller must at least specify to the supervisory authority the nature of the data breach as well as the categories and approximate number of data subjects and records concerned. It must also communicate the name and contact details of the person from whom more information can be obtained. Finally, it must describe the likely consequences of the breach as well as the measures taken or proposed to address the breach or mitigate its effects[15].
The controller must also communicate this information to the data subjects concerned by the breach, but without having to specify the categories and approximate number of data subjects and records concerned[16].
PIPEDA / Regulation
The organization’s report to the Commissioner must contain a description of the circumstances of the breach and the cause (if known), the day or period when the breach occurred, the nature of the personal information that is the subject of the breach, the number of individuals affected by the breach, and the name and contact information of a person who can answer questions about the breach. The organization must also describe the steps taken to reduce the risk of harm that could result from the breach or to mitigate that harm, and the steps the organization has taken or intends to take to notify affected individuals[17].
The notification to affected individuals differs somewhat. The organization must describe the circumstances of the breach, the day or period when the breach occurred, the nature of the personal information that is the subject of the breach, the steps the organization has taken to reduce the risk of harm that could result from the breach, and contact information that an affected individual can use to obtain further information about the breach. The organization must also describe the steps that affected individuals could take to reduce the risk of harm that could result from the breach or mitigate that harm[18].
In the event of a data breach involving personal information, Quebec businesses must be aware of certain reporting regimes they may be subject to, requiring them to notify the appropriate authorities or the individuals concerned. As the Quebec Statute is currently being revised, it can be anticipated that Quebec will institute a similar reporting regime within the next few years. Thus, Quebec businesses that are not currently subject to any regime must be alerted to the fact that similar obligations may be imposed on them in the near future.
[1] Statistics Canada, 2017 Canadian Survey of Cyber Security and Cybercrime (CSCC), October 15, 2018
[2] CQLR, c. P-39.1
[3] S.C. 2000, c. 5
[4] Regulation (EU) 2016/679
[6] Currently only Alberta, British Columbia and Quebec have adopted legislation substantially similar to PIPEDA.
[7] Organizations in the Province of Quebec Exclusion Order, SOR/2003-374, s. 1
[8] GDPR, art. 33(1)
[9] GDPR, art. 34(1)
[10] PIPEDA, s. 10.1(1)
[11] PIPEDA, s. 10.1(7)
[12] PIPEDA, s. 10.1(8)
[13] GDPR, art. 33(1), which provides that notification must be given without undue delay and, where feasible, not later than 72 hours after the breach becomes known.
[14] PIPEDA, s. 10.1(2)
[15] GDPR, art. 33(3)
[16] GDPR, art. 34(2)
[17] Regulation, s. 2(1)
[18] Regulation, s. 2(3)