Last week, the Government of Canada published an Order in Council that will bring into force, as of November 1, 2018, the much anticipated mandatory breach notification and record-keeping requirements under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Once implemented, these changes will align the Canadian breach reporting regime with those in the United State and Europe.
Background
In June 2015, the federal government passed the Digital Privacy Act (the “DPA”), which modified PIPEDA in several key ways. While most of the amendments came into force when the DPA was passed, provisions relating to mandatory breach notification and record-keeping did not.
On September 2, 2017, after much delay, the federal government published proposed Breach of Security Safeguards Regulations (“Breach Regulations”) to bring those provisions into force. These regulations will impose significant new obligations on organizations, should they become subject to a data breach.
Note that this is not entirely new to Canada. Alberta’s Personal Information Protection Act brought in similar, but not identical, provisions in May 2010. Those already complying with PIPA will still need to be mindful of the differences between the federal and provincial regimes.
Notification Requirements
Under the new provisions of PIPEDA, a data breach, or “breach of security safeguards”, is defined as a loss or unauthorized access or disclosure of personal information resulting from a breach of the organization’s security safeguards. Organizations that experience a data breach must report the incident to the Office of the Privacy Commissioner of Canada (“OPC”) and notify affected individuals where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual.” The term “significant harm” includes, among other things, bodily harm, humiliation, damage to reputation or relationships, financial loss, identity theft, negative effects on the credit record and damage to, or loss of, property.
Report to the OPC
Under subsections 10.1(1) and (2) of PIPEDA and the Breach Regulations, specific information must be included in an organization’s report to the OPC. The report must include the following items:
- a description of the circumstances and cause of the breach;
- the date or period of the breach;
- a description of the personal information that is the subject of the breach;
- an estimate of how many individuals are exposed to a “real risk of significant harm”;
- a description of what the organization has done to reduce or mitigate harm;
- a description of what the organization has or intends to do to notify each individual; and
- contact information of a person who can answer the Commissioner’s questions about the breach.
Notification to Affected Individuals
Under subsections 10.1(3) to 10.1(8) of PIPEDA and the Breach Regulations, notification to affected individuals must also be provided in a prescribed form and include the following:
- a description of the circumstances of the breach;
- the day on which, or the period during which, the breach occurred;
- a description of the personal information that is the subject of the breach;
- a description of the steps taken by the organization to reduce or mitigate the risk of harm to the affected individual resulting from the breach;
- a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
- a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
- information about the organization’s internal complaint process and about the affected individual’s right, under PIPEDA, to file a complaint with the Commissioner.
Record-Keeping Requirements
Under section 10.3 of PIPEDA and the Breach Regulations, organizations will be required to maintain a record of every breach of security safeguards for a minimum of 24 months after the organization has determined that a breach has occurred. These records should be sufficiently detailed and include, among other things, the methodology undertaken and factors considered in determining whether a particular breach met the threshold of “real risk of significant harm.” These records will be used by the Commissioner as a means to verify compliance and inform further enforcement action, if required.
Key Takeaways
The coming into force of mandatory breach notification and record-keeping requirements on November 1, 2018 should be viewed by organizations as an effort to align Canadian legal and regulatory requirements with those in the United States and Europe (especially with the General Data Protection Regulations – or GDPR – coming into force in May 2018).
In order to comply with these requirements, organizations should take the following steps:
- First, ensure that the organization has written policies and systems in place allowing for internal monitoring, tracking and reporting of data breaches.
- Second, ensure that organizational policies address containment, investigation, notification and remediation of data breaches and reflect the new requirements. This may include the development of a “matrix” allowing the organization to quickly determine whether the “real risk of significant harm” threshold has been met for notification purposes.
- Third, assume that notifications to the OPC and affected individuals may result in scrutiny of the organization’s security safeguards and overall response to a data breach. This may come in the form of regulatory investigations, legal actions launched by affected individuals (including class actions) or queries from the media.
- Fourth, have a written “game plan” that takes into account key factors that matter to the organization (e.g., impact on the brand, operational disruption, etc.) and that outlines the organization’s response strategy.
