Canada's long-awaited federal private-sector data breach reporting regulations have now been published by the Canadian government and will take effect November 1, 2018. This gives organizations approximately seven months to get ready for compliance.
Back in June 2015, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) was amended (via the Digital Privacy Act) to include, among other things, an obligation for organizations to notify affected individuals, and report to the Office of the Privacy Commissioner of Canada (OPC), about any data breach posing a "real risk of significant harm" to affected individuals.
However, while the reporting/notification obligation has been "on the books" for more than two years, it has not been in force, due to the need for more detailed direction to be provided in the form of PIPEDA regulations.
PIPEDA's data breach obligation applies only where there is "a real risk of significant harm to an individual." The relevant PIPEDA provisions will require organizations to assess a number of factors in determining whether any breach of security safeguards is reasonably believed to meet this threshold. Organizations must consider the sensitivity of the information involved, the probability that the information will be misused and the potential for "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property" when assessing risks.
Organizations that knowingly violate the breach notification requirements may face fines of up to CA$100,000 per violation.
Class actions for information security and other privacy breaches are becoming more prevalent in Canada, and the mandatory breach reporting obligations will likely lead to increased class actions in response to breaches.
The now-published data breach reporting regulations require an organization's written report to the OPC to include:
- a description of the circumstances of the breach and, if known, the cause;
- the day or period during which the breach occurred or, if neither is known, the approximate period;
- a description of the personal information that is the subject of the breach (to the extent known);
- the number of individuals affected by the breach if known (or approximate number);
- a description of the steps taken to reduce the risk of harm to affected individuals or to mitigate that harm;
- a description of the steps that the organization has taken or intends to take to notify affected individuals; and
- the name and contract information of a person who can answer, on behalf of the organization, the Commissioner's questions about the breach.
Very similar information must be provided in the organization's notification to affected individuals. Interestingly, however, the cause of the breach and the number of affected individuals need not be identified in notifications to individuals.
While some breach notification laws require that updated information must also be provided to the regulator as it becomes known, Canada's regulations state that an organization "may" submit to the Commissioner any new information about the breach that comes to light after the initial report.
Notification to individuals must be "conspicuous", given as soon as feasible after the organization determines that the breach has occurred, and generally must be given directly to the affected individuals. Indirect notification must be given where:
- direct notification would be likely to cause further harm to the affected individual;
- direct notification would be likely to cause undue hardship for the organization, or
- the organization does not have contact information for the affected individual.
It remains to be seen what circumstances will be accepted as giving rise to "undue hardship" for an organization in providing direct notification, and whether the cost of providing direct notification will be considered a valid basis for an organization to opt for indirect notification.
Indirect notification must be given by "public communication" (like substitute notice in the United States) or a similar method that could reasonably be expected to reach the affected individuals.
PIPEDA's security breach provisions also require an organization to keep a record of every breach of security safeguards as stipulated in the regulations. Some had anticipated that these record-keeping regulations may be quite detailed and onerous. The published regulations dispel that concern to some degree, in that they require the records to contain any information that enables the Commissioner to verify compliance with the reporting and notification obligations. While this wording may be seen as lacking in direction, it does provide helpful flexibility and allows an organization's management to exercise their own good judgement in determining how best to document and handle security breaches. The Regulatory Impact Analysis issued with the breach regulations indicates that the wording of the record-keeping requirements was, in part, intended to minimize the risk that such reporting documentation could be obtained by third parties through an access to information request made to the OPC.
Breach records must be retained for at least 24 months, running from the day on which the organization determines that the breach has occurred.