Mandatory breach reporting takes effect November 2018
Cybersecurity continues to occupy the forefront of the digital age, with a countless number of data breaches reported over the past few years. And it’s likely that many less-severe breaches were not publicly reported.
One study, conducted by IDC Canada for Scalar Decisions, estimated that 87 per cent of Canadian companies experience one successful breach at some level of severity. If these figures are representative of the level of cyber-attacks, companies and their data assets are clearly at significant risk.
Canada implemented the Digital Privacy Act in June 2015 to improve on the rules around management and use of personal data. A number of regulations within the act set out criteria for reporting data breaches that could result in significant harm. However, these regulations did not come into immediate effect. Additional provisions about mandatory reporting were released in September 2017 for consultation and passed in March of this year. They are set to take effect on Nov. 1, 2018.
The regulations will make it mandatory for Canadian companies, and companies that do business in Canada, to report data breaches. This will ensure that the Office of the Privacy Commissioner of Canada, along with affected citizens, are notified quickly and consistently of any data breaches that may result in significant harm. The Act defines significant harm as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
The new regulations bring Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) into closer alignment with other privacy regulations around the world, specifically the General Data Protection Regulation (GDPR) in the European Union. This alignment will allow for the continued free flow of personal information between Canada and the EU, which is important to ongoing trade between the two parties.
The new regulations set out specific criteria for how and what should be reported, along with requirements for record-keeping of any breaches. These are important considerations for companies as they will be required to ensure they have adequate security measures and also an action plan in place in the event of a breach.
If a company experiences a breach that can reasonably be considered as resulting in significant harm, the company is required to notify the Privacy Commissioner and provide the following details:
- a description of the circumstances of the breach and, if known, the cause;
- the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
- a description of the personal information that is the subject of the breach to the extent that the information is known;
- the number of individuals affected by the breach or, if unknown, the approximate number;
- a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
- a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of the Act;
- the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.
In addition to notifying the Privacy Commissioner, companies must also notify any individuals that were affected by the breach. The regulations set out a clear list of details that are to be provided as part of the notification process. This includes:
- a description of the circumstances of the breach;
- the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
- a description of the personal information that is the subject of the breach to the extent that the information is known;
- a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
- a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
- contact information that the affected individual can use to obtain further information about the breach.
Affected individuals can be notified directly or indirectly. Direct notification can be provided “in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances.” Indirect notification can be done through any public communication or similar measure that could be reasonably expected to reach the affected individual. For example, posting a notification on the company website could be considered as indirect communication.
However, indirect notification can only be used under specific circumstances. If a company can clearly show that direct notification “would be likely to cause further harm to the affected individual; would be likely to cause undue hardship for the organization; or the organization does not have contact information for the affected individual” it can then utilize an indirect form of communication. Since notification of individuals could be costly and time-consuming, these provisions may be helpful for smaller organizations that experience a breach which affects a large number of users.
In addition to the mandatory reporting, the new regulations outline a requirement to maintain a record of every breach a company experiences regardless of whether the breach is deemed as creating significant harm. Records will need to be maintained for 24 months following the date a breach was determined to have happened. The records must contain any information that allows the Commissioner to verify an organization has complied with the mandatory reporting section of the Act.
Canadian companies need to be ready to handle these new regulations when they take effect on Nov. 1 regardless of the size of the organization. This will require establishing a plan on how to manage a data breach and ensure proper measures are taken to report the breach in a timely way.
Companies will also need to ensure that their systems are able to identify breaches and establish steps for recording relevant details on an ongoing basis. These tasks will take time and effort to put in place but will be important to ensure companies can remain in compliance. Failure to do so could result in significant fines, not to mention the negative press that could accompany such an event.
Companies should seek legal guidance to ensure they understand the new regulations, and their potential impacts, in detail. They should also take measures to ensure they can implement steps for reporting any breaches through the proper channels and maintain records of all breaches. Having a plan in place before an incident occurs will be critical to addressing such a situation in a timely, effective way.
More information about these additional provisions is available here. And information on reporting a breach is on the Office of the Privacy Commissioner’s website.
As companies continue to gather and utilize data to build their businesses, privacy measures will only continue to gain prominence. These regulations are merely the next step in ensuring companies have security measures in place to manage their data assets and protect the consumers who entrust them with their personal information. And it is likely that these regulations will continue to evolve as cyber-attacks continue to become for frequent and sophisticated.