Policy updates needed as mandatory breach notification nears

By Staff

Canadian businesses need to revamp their privacy breach policies as mandatory reporting moves closer to reality, Toronto corporate lawyer Peter Murphy tells

In April, the federal government finally released the regulations for its mandatory breach reporting regime under the Personal Information Protection and Electronic Documents Act (PIPEDA).

"The new Breach of Security Safeguards Regulations supplement the data breach provisions being added to PIPEDA by the Digital Privacy Act," says Murphy, a partner with Shibley Righton LLP.

The government has confirmed that these amendments to PIPEDA and the regulations will both come into force on Nov. 1, 2018, he says, adding that Canadian organizations should have the date circled on their calendars.

“In the wake of these new data breach notification and record-keeping requirements, Canadian organizations are going to have to take a fresh look at their privacy and breach response policies and procedures,” Murphy says.

“Fines will be available for violations, which makes it all the more important that Canadian organizations ensure they will comply with the new rules.”

Once the provisions of PIPEDA are in force, organizations subject to the Act will be required to report to the Office of the Privacy Commissioner of Canada, and to notify the affected individuals of, any breach of security safeguards that poses a "real risk of significant harm" to the people whose personal information was compromised.

Companies will have to decide if a breach reaches that threshold by taking into consideration a number of factors, including the sensitivity of the personal information involved, the probability it may be misused, and the potential for significant harm to result. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, and damage to — or loss of — property.

Once the test has been satisfied, organizations must notify the federal privacy commissioner of a breach “as soon as feasible” and include the following information:

  • a description of the circumstances of the breach, including the cause, if known;
  • the personal information that is the subject of the breach;
  • the number of individuals affected by the breach;
  • the steps the organization has taken to mitigate the risk of harm to affected individuals;
  • the steps it has taken to notify affected individuals.

The regulations stipulate an almost identical list of information that must be included in notices to affected individuals, except for the cause and number of people affected, Murphy says.

"The notice to the affected individuals must be given directly by telephone, regular mail, email or any other way that a reasonable person would consider appropriate," he says.

Organizations can rely on indirect methods to give notice, such as an advertisement, if direct notice is likely to cause further harm, would create undue hardship for the company, or if the company does not have the contact information of the people affected.

Murphy says many companies already have voluntary breach notification policies, and those that do business in Alberta may be familiar with a similar notification requirement imposed by that province's privacy statute. However, he says another major obligation being added to the federal requirements, which will force organizations to keep records of every breach of security safeguards for two years, will be new to many.

“The new record-keeping requirement applies to every breach of security safeguards involving personal information under the organization's control, regardless of whether the breach meets the ‘real risk of significant harm’ threshold,” Murphy explains.

“These records must contain any information that enables the privacy commissioner to verify compliance with the reporting and notification obligations, so it will be left to organizations to exercise good judgment when documenting security breaches. The organization will be required to give the privacy commissioner access to these records on request.”

PIPEDA's enforcement provisions will extend to the new obligations, he says. Any organization that knowingly breaches the new notification, reporting or record-keeping requirements could face a fine of up to $100,000.

"Compliant organizations may still be exposed to civil damages arising from data breaches," says Murphy.

"Increased reporting under the mandatory notification system may result in more class actions being launched in Canada in relation to security breaches," he adds.
