Companies must directly notify people affected by privacy breaches: watchdog
OTTAWA – Companies that lose personal customer data should be required to directly notify affected people — with limited exceptions — about the nature and date of the lapse along with steps taken to reduce the harm, says the federal privacy watchdog.
The Trudeau government plans to introduce breach-notification regulations in coming months to improve transparency and help consumers.
Several large businesses have been stung by hackers in recent years, causing embarrassment for proprietors and potential headaches for customers whose personal and financial details are suddenly circulating in cyberspace.
Legislation passed last year laid the groundwork for mandatory reporting of private-sector breaches that pose a “real risk of significant harm” to individuals.
The government recently asked the public and interested parties for comment on shaping the regulations and determining what companies and other private organizations will have to do in the event of a lapse.
The office of federal privacy commissioner Daniel Therrien says companies should directly notify those affected by a breach through means such as telephone calls, emails or mailed letters.
The notice should tell people about the circumstances, the date of the breach (or at least an estimate), a description of the personal information, steps taken to control the harm, measures those affected can take and the contact information of someone at the company who can answer questions.
Setting out the requirements in regulation would “provide important clarity and certainty about the type of information that organizations should communicate to individuals,” the commissioner's office says in its submission to the government.
It also urges the government to give thought to cases in which affected people live outside Canada.
In its submission, the Canadian Bar Association also recognizes the importance of providing meaningful notice to individuals of data breaches. “The regulations should avoid being overly prescriptive, however, in the form and manner of notifications. Organizations should have flexibility to determine whether direct or indirect notification is most suitable.”
The privacy commissioner says organizations should be allowed to notify individuals indirectly only when:
- Direct notification is likely to cause undue further harm, for instance by informing family members of the person's purchase of a confidential product or service;
- Giving direct notification to every affected person on an individual basis would involve prohibitive costs;
- Contact information for affected individuals is out of date, incomplete or inaccurate.
Under the new system, organizations covered by Canada's private-sector privacy law would also have to report significant lapses to the privacy commissioner, which would allow his office to determine whether appropriate actions were indeed being taken.
In addition, organizations that experienced a breach would have to keep a record of the data breach and make these records available to the privacy commissioner upon request.
One of the thornier issues to be decided in the regulatory scheme is whether data breaches in which the information is encrypted — encoded so as to make it indecipherable without a digital key — should be considered “low risk” events.
The privacy commissioner says encryption may indeed play a role in reducing or even eliminating risk of harm.
However, it cautions that as algorithms evolve, encryption standards once deemed strong “may eventually be rendered decipherable.” Alternatively, an organization's key management system might be compromised.
“In either case, personal information could then be easily decrypted.”
“We have been waiting for the Digital Privacy Act's notification provisions to come into effect since this legislation was enacted in June 2015. As the Privacy Commissioner of Canada indicates, the regulations with respect to breach notification are an opportunity for the legislator to provide much needed clarity,” says Murphy, a partner with Shibley Righton LLP.
For example, he says, the new rules require that notice of a privacy breach be given where there is a real risk of significant harm to an individual whose personal information was affected.
“As the privacy commissioner has pointed out, it would be useful if the regulations provide some guidance as to what will be considered a real risk of significant harm,” he says.
The Personal Information Protection and Electronic Documents Act, which applies to the private sector in Ontario and many other Canadian provinces and territories, does not expressly require organizations to notify affected individuals or privacy regulators where there has been a breach of privacy, Murphy says.
“This will change once regulations have been issued and the Digital Privacy Act notice requirements are brought into force,” he tells the online legal publication.
Murphy says when it comes to notice requirements for privacy breaches, the United States is out in front of Canada.
“Almost every state in the U.S. has some form of mandatory privacy breach notice requirement,” he notes. “In California, organizations that experience a privacy breach are required, in certain circumstances, to supplement notification to affected individuals by providing them with identity theft prevention and mitigation services – at the organization's cost, for at least 12 months.”
— with files from AdvocateDaily.com
© 2016 The Canadian Press