In keeping with the global movement towards increased data protection legislation, as evidenced by the recent enactment of the General Data Protection Regulation (GDPR) in Europe and similar legislation adopted in California and Brazil, Canada will (as of November 1, 2018) join the growing list of countries that have adopted data protection legislation with mandatory breach reporting and notification requirements.
The Digital Privacy Act (Canada), which was passed by the Canadian federal government in June 2015, brought important changes to Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). While the majority of those changes came into force immediately, those relating to data breach reporting and record keeping did not. More than two years later, in September 2017, the Canadian federal government published the Breach of Security Safeguards Regulations (“Breach Regulations”) to finally bring those provisions into force. The Breach Regulations are significant in that, as of November 1, 2018, organizations will be legally required to adhere to record-keeping, reporting, and notification requirements in the context of a data breach where the breach creates a real risk of significant harm to an individual.
While similar reporting and notification requirements have been in force since 2010 under Alberta’s Personal Information Protection Act, organizations operating in the rest of Canada should be aware of the new breach reporting, notification and record-keeping requirements.
Mandatory Breach Reporting Requirements
Under the new Section 10.1(2) of PIPEDA and Section 2 of the Breach Regulations, organizations will be required to submit written reports to the Office of the Privacy Commissioner (the “OPC”) as soon as reasonably possible following the discovery of any security breach involving personal information, if the breach creates a real risk of significant harm to individuals. The report must be fairly detailed, including: (i) a description of the circumstances of the breach and its cause, (ii) the date on which it occurred, (iii) the type of information involved, (iv) the number of affected individuals involved, (v) the steps taken by the organization to mitigate harm, (vi) the intended method of notification to affected individuals, and (vii) the contact information of a person at the organization who can answer questions regarding the breach.
Pursuant to the new Section 10.1 of PIPEDA and Sections 3-5 of the Breach Regulations, organizations will also be required to notify affected individuals as soon as feasible following the discovery of a security breach, except if doing so would result in further harm, or would place undue hardship on the organization. As with the report to the OPC, the notification to affected individuals must include: (i) a description of the circumstances of the breach and its cause, (ii) the date on which the breach occurred, (iii) the type of personal information involved, (iv) the steps taken by the organization to mitigate harm, (v) the steps individuals can take to mitigate harm, and (vi) the contact information of a person at the organization who can answer questions regarding the breach.
Under the new Section 10.3(1) of PIPEDA and Section 6 of the Breach Regulations, organizations will be required to maintain sufficiently detailed records of each breach of a security safeguard for a period of twenty-four (24) months following the discovery of the breach, and to be in a position to provide the OPC with access to those records on request.
It is anticipated that once the mandatory breach reporting and notification requirements come into force, data breaches will become increasingly public, thereby increasing the risk of reputational harm and legal liability for organizations. Accordingly, it is critical that organizations ensure they have an updated and standalone cybersecurity incident response plan in place that allows for the quick identification of, and efficient response to, a cybersecurity breach.
From a record-keeping perspective, organizations should ensure that they currently have mechanisms in place for the identification and internal reporting of any breach of security safeguards. These should be built into the organization’s broader compliance program.
Given that fines for non-compliance with the new reporting, notification and record-keeping requirements can reach up to $100,000.00, organizations should undertake a thorough review of their existing policies and, if needed, prepare and implement new ones prior to November 1, 2018.