Have a breach response plan in place prior to new rules
Private sector organizations in Ontario should become familiar with the new mandatory breach-reporting requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA), says business lawyer Joel Berkovitz.
The Digital Privacy Act — which includes amendments to PIPEDA — received royal assent in June but provisions relating to data breach reporting are not yet in effect, says Berkovitz, associate with Shibley Righton LLP.
A province can be exempt from PIPEDA — the federal privacy legislation that applies to all commercial activities by private sector organizations — if it has enacted its own substantially similar privacy legislation, he tells AdvocateDaily.com.
He notes that while Ontario has the Personal Health Information Protection Act, it applies only to personal health information in the province.
“These changes have been contemplated for quite some time now,” Berkovitz says of the PIPEDA reforms. “The amendments would apply to the commercial activities of private sector organizations, which is defined broadly and could include the activities of some charities or not-for-profits.”
While the Digital Privacy Act became law a few months ago, the mandatory breach-reporting requirements still need to be proclaimed into force.
“Previously, it was a voluntary notification regime,” he explains. “Up until this amendment, organizations could elect to notify the privacy commissioner or affected individuals that there was a breach of their personal info.”
Berkovitz gives the common breach examples of an email sent to the wrong person by accident or a laptop lost on the subway that contains a spreadsheet of people’s personal info.
“By and large, most of these breaches are human error,” he says. “Currently it’s not mandatory to report these types of breaches but under the changes to PIPEDA, they will have to notify both the privacy commissioner and the affected individuals.”
Beyond these examples of human error, there are also problems with how records are stored or destroyed, says Berkovitz. For example, somebody discards an old computer but fails to wipe the hard drive.
If an organization fails to report a breach under the new mandatory regime, penalties can be up to $100,000.
The threshold for when a breach needs to be reported is when it’s reasonable in the circumstances to believe the breach creates a real risk of significant harm to an individual.
“That’s the key,” Berkovitz says. “Bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, lowered credit record, things of that nature, would meet the threshold.”
He points to the Ashley Madison website, which was hacked in the summer. The data breach saw hackers leak, among other things, personal details of millions of members of the infidelity website. A breach of this nature would cause a real risk of significant harm to an individual, he says.
“From the perspective of individuals, mandatory breach reporting is an additional protection for them. If their privacy has been breached, they’ll get a notification of it and at least know their information might be out there. Then they can take steps to safeguard their information, for example changing security questions or passwords.”
No timeline has been given for when the mandatory breach-reporting requirements will come into effect, as the government is still consulting with stakeholders and working with the Office of the Privacy Commissioner.
Berkovitz says this delay is an opportunity for organizations to prepare for the requirements.
“There should be a breach response plan in place, because the reporting requirement is a bit subjective,” he says. “They will have to weigh the potential penalties under the act — which can be up to $100,000 — versus the reputational damage they’ll suffer if they have to report that they’ve lost personal info.”