Amendments to the Personal Information Protection and Electronic Documents Act, which require mandatory reporting of unauthorized disclosure of personal information by private sector organizations, come into effect today, but federal Privacy Commissioner Daniel Therrien says his office was not given additional resources to handle the data-breach reporting.
His office has just two people assigned to analyze data-breach reports and provide risk-mitigation advice.
The new regulations come from the Digital Privacy Act, which requires that, in the event of the unauthorized disclosure of personal information, private sector organizations report to the privacy commissioner and inform those whose information was affected, if it is reasonable to believe the breach risks significant harm to an individual. This notification must happen “as soon as feasible” after the breach occurs.
Organizations are to keep a record of every breach of personal information under their control and keep that record for two years.
“As we all know, data breaches are unfortunately a common occurrence. The Government of Canada is underlining the importance of these regulations as an important step for privacy protection,” Therrien says. “It is a step in the right direction, but it would be much more meaningful if the agency responsible for analyzing breach reports actually had some resources for the task at hand.”
Therrien says he sees a potential problem with the new regulation: although there are fines for failing to report a data breach, there is no fine for failing to adopt security measures that would prevent a data breach in the first place.
“The legislation should seek to prevent privacy problems and not only deal with the consequences of breaches,” he says. “So a better privacy law in Canada, I think, would extend financial penalties to the absence of security safeguards that would actually prevent the problem.”
In recent years, data breaches and the exposure of service users’ personal information have increased. Major companies including Facebook, Uber, British Airways, T-Mobile, Equifax, Deloitte, Tesco Bank, Yahoo and others have been fined and sued for the unauthorized disclosure of personal information.
On Oct. 25, the British Information Commissioner’s Office fined Facebook $837,564, the maximum fine, for the scandal surrounding the data-mining, political-profile-generating Cambridge Analytica, which harvested Facebook-user data to create targeted political advertising strategies. Facebook was fined under the old privacy regime, but under the new European Union General Data Protection Regulation, which came into effect on May 25, the fine would have been as much as $29,730,377.
Imran Ahmad is a partner at Miller Thomson LLP in Toronto and the leader of the firm's cybersecurity and data-breach practice. He says to stay in line with these new compliance requirements, those handling personal information have to develop a protocol, educate staff and keep a registry of all personal information they collect, use, disclose or store on an individual.
“Most clients have thought about it, but there is a big segment that are just catching up now or are not even aware that these changes are going to be kicking in soon,” he says. “So it's a bit of a scramble to make sure they're compliant.”
Prior to PIPEDA’s reporting requirements, organizations that suffered a breach would notify the regulator and receive guidance on which individuals needed to be told as well, Ahmad says.
Now, the “RROSH test” needs to be applied, he says. If there is real risk of significant harm to the individual whose information is compromised, all individuals affected, the OPC and any third party that can help mitigate the impact need to be notified.
Breach notifications will quickly become public information as they will likely spread on social media and create a risk of class action litigation, Ahmad says.
“Think of any major breach that has occurred in Canada. There's probably an equivalent class action going on,” he says. “So now that you're going to have this requirement to notify individuals when the RROSH is met and they have to do a self-assessment, [this] means people may err on the side of over-notifying, initially at least. Then I suspect there's going to be a litigation exposure that goes up, at least in the short term.”
As many companies pass around user and customer data with third-party contractors, Bill Hearn, partner at Fogler Rubinoff LLP, says there was a lot of uncertainty as to who was liable for security breaches from a third party. Based on guidelines released by the OPC on Oct. 29, it is clear that the data controller is the principal organization. The principal organization is in charge of reporting the breach unless the third party discloses the personal information for purposes other than those stated in their data processing agreement.
“This has probably been the case for a number of years now anyway, that people have been building into these contracts processes for co-operation and collaboration where there has been a data breach,” says Bernice Karn, a partner at Cassels Brock & Blackwell LLP. “Those people have been building that kind of thing into contracts for a while.”
Karn says it is not the threat of fines from the OPC but the possible litigation arising from data breaches that worries businesses.
“I don’t know that it's going to change that much really,” she says.
Frequently, when data breaches happen, they involve personal information not just from one jurisdiction but from people all over the world, she says. In the United States, all 50 states have their own data-breach regulations, including many different data-breach notification obligations.
“It gets very complicated to figure out what you have to do in each jurisdiction,” she says. “So this will just be one more jurisdiction to add to that list.”