It’s been a long wait. More than two years have passed since Ottawa amended Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act, by enacting Bill S-4, the Digital Privacy Act, to establish mandatory data breach reporting requirements. Yet, ss. 10.1 through 10.3, the provisions outlining the obligations for breach reporting and notification, still are not in force pending the creation of necessary regulations.
It’s been a long wait. More than two years have passed since Ottawa amended Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act, by enacting Bill S-4, the Digital Privacy Act, to establish mandatory data breach reporting requirements. Yet, ss. 10.1 through 10.3, the provisions outlining the obligations for breach reporting and notification, still are not in force pending the creation of necessary regulations. On Sept. 2, the Department of Industry finally revealed the proposed Breach of Security Safeguards Regulations, along with a Regulatory Impact Analysis Statement, which can be found in the Canada Gazette. The proposed regulations will come into force at the same time as s. 10 of the Digital Privacy Act and are open for comments from interested parties for a period of 30 days.
By way of a refresher, following the implementation of the new data breach sections of PIPEDA, organizations that experience a data breach (referred to in PIPEDA as a “breach of security safeguards”) must determine whether the breach poses a “real risk of significant harm” (which may include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property) to any individual whose information was involved in the breach by conducting a risk assessment. When conducting this risk assessment, organizations must consider the sensitivity of the information involved and the likelihood of whether it will be misused. If the answer is yes, the organization is required to notify affected individuals and the privacy commissioner of Canada as soon as “feasible.” Additionally, since the primary objective of the new data breach reporting and notification framework in PIPEDA is to prevent or mitigate the potential harm to individuals resulting from a breach, the updated act requires organizations that notify individuals of breaches to notify other third-party organizations, government institutions (or part of a government institution) of a potentially harmful data breach if the organization making the notification concludes that such notification may reduce the risk of harm that could result from the breach or mitigate the potential harm.
Data breach report to the commissioner
The proposed regulations provide a list of requirements that must be covered in any notice to the commissioner. The RIAS further notes that this list is not intended to be exhaustive and there is nothing in the regulations that precludes an organization from providing additional information to the commissioner should the organization believe that the information is pertinent to the commissioner’s understanding of the incident.
At a minimum, the data breach report to the commissioner must be in writing and must contain the following information:
(a) a description of the circumstances of the breach and, if known, the cause;
(b) the day on which, or the period during which, the breach occurred;
(c) a description of the personal information that is the subject of the breach;
(d) an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm;
(e) a description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm;
(f) a description of the steps that the organization has taken or intends to take to notify each affected individual of the breach in accordance with s. 10.1(3) of the act; and
(g) the name and contact information of a person who can answer, on behalf of the organization, the commissioner’s questions about the breach.
Notifying the affected individual
Similarly, while the proposed regulations also list the requirements that must be contained in any notification to affected individuals, the RIAS states that companies can provide additional information and/or design the notice to suit the intended audience. Minimally, the following information is required in any notice to an affected individual:
(a) a description of the circumstances of the breach;
(b) the day on which, or period during which, the breach occurred;
(c) a description of the personal information that is the subject of the breach;
(d) a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
(e) a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
(f) a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
(g) information about the organization’s internal complaint process and about the affected individual’s right, under the act, to file a complaint with the commissioner.
Direct notification/indirect notification
The regulations confirm that organizations can communicate with affected individuals through a variety of channels, including: (a) by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner; (b) by letter delivered to the last known home address of the affected individual; (c) by telephone; or (d) in person.
However, the regulations also recognize that there might be circumstances when “indirect” notification of affected individuals is acceptable. Examples include: when (a) the giving of direct notification would cause further harm to the affected individual; (b) the cost of giving of direct notification is prohibitive for the organization; or even when (c) the organization does not have contact information for the affected individual or the information that it has is out of date. In these circumstances, the proposed regulations suggest that a public announcement, i.e., a “conspicuous message” posted on the organization’s website for at least 90 days, or the use of an advertisement that is “likely to reach the affected individuals” would be acceptable. However, one may question whether this carve-out, which clearly puts the onus on the aggrieved party to take active steps to find out about the breach, is actually reasonable in most circumstances as it may prove rather tempting to organizations that would rather avoid the considerable cost of individual notification and instead rely on digital publication.
Data breach record-keeping
Significantly, companies that experience data breaches will no longer have the ability to hide them. Under the draft regulations, organizations must maintain a record (the word is undefined and may arguably be broadly interpreted) of every breach of security safeguards for a minimum of 24 months after the day on which the organization determines that the breach has occurred. Ouch. Even worse, the “record” has to be sufficiently detailed and must contain any information pertaining to the breach that enables the commissioner to verify compliance with s. 10.1(1) and (3) of the act. The regulations do confirm that the data breach report provided to the commissioner as described above can also be considered a “record” of the breach of security safeguards.
What does this all mean for Canadian businesses? For one thing, organizations may wish to dust off and revisit their existing corporate data breach/breach of security safeguards policies to ensure that they at least minimally dovetail with the proposed regulations. If an organization does not yet have a data breach/breach of security safeguards policy, then it’s high time to consider putting one in place.
As the recent Equifax data breach earlier this month reminded us, no company is immune to the threat of hackers and the loss of personal information and organizations that are subject to PIPEDA will be obliged to report such incidents. Once the mandatory provisions of PIPEDA dealing with breach reporting, notification and recordkeeping come into force, any organization that knowingly fails to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fails to maintain a record of all such breaches, could face fines of up to $100,000 per violation. Therefore, there is no time like the present for smart companies to review their current practices and establish those critical safeguards/methodologies to avoid these penalties.