Receiving a Data Breach Notification – Commissioner’s Guidance for Individuals, Lessons for Organizations

September 25, 2019 | David Krebs

As reported in numerous previous articles, Canada’s federal data breach notification laws have been in effect since Nov 1, 2018, and require all organizations subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) to report to the federal Commissioner all breaches of security safeguards that could lead to a “real risk of significant harm” and to notify all impacted individuals. PIPEDA and the Breach of Security Safeguards Regulations set out the rules surrounding timing and content of this notification.

The Privacy Commissioner has now released a new Guidance directed at individuals receiving data breach notifications. While the target audience is the public affected by breaches, the Guidance contains some important insights for organizations regarding the risks to individuals and their expectations with respect to risk mitigation. This report also discusses who should be the organization’s contact person to ensure proper follow-up after a breach and mentions the expectations of the Commissioner when assessing the quality of individual breach notification.

What individuals should expect from a breach notification

The Guidance confirms that individuals should expect the following from a notification:

  1. to be contacted as soon as feasible by the organization;
  2. to be contacted directly;
  3. to be contacted indirectly, under certain circumstances only;
  4. that indirect notification should be made via a “prominent” public announcement; and
  5. the information in the notification should be easy to understand.

While this is generally in line with the obligations set out in PIPEDA, the Guidance provides additional context for the reader. For example, it states that the notification should be “easy to understand,” whereas the legislation itself refers to “sufficient information to allow the individual to understand the breach and consequences.” In practical terms, when read together, this means that a notification should be easy to understand and contain sufficient information to make that understanding complete.

What to do after a breach

The Guidance reiterates the information that a notification must contain: a description of the personal information at issue, steps taken to reduce the harm, information about what individuals can do, and, importantly, contact information for someone at the organization.

This last item is crucial for organizations. Contact persons should be well-briefed about the incident, understand the breach and what was done (organizationally and technically) in response, and be able to navigate communication plans for the business. As the Guidance indicates, the “first point of contact” for individuals to find out more about the breach should be the person noted in the notification.

The Guidance also advises individuals to stay vigilant, change passwords, monitor accounts, and keep notifications in a safe place for future reference, all of which points to the importance of the document and its utility beyond the initial “heads-up” about the occurrence of an incident.


A notification should never be viewed as a “tick-the-box” exercise but rather as an important risk mitigation document and a tool that the Commissioner is highlighting in this recent Guidance.

Organizations need to understand the purpose underlying these notifications, how to draft the documents properly and under what circumstances, and who should be put in charge to field questions from recipients.

