Earlier this month, Innovation, Science and Economic Development Canada ("Canada's Department of Industry") released its proposed data breach notification regulations under Canada's federal private sector privacy law - the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5, as amended) ("PIPEDA") (the "Proposed Regulations").
The government of Canada is accepting public comments on the Proposed Regulations until the end of September 2017.
In Canada, PIPEDA applies to the collection, use or disclosure of personal information in the course of commercial activities. A commercial activity is defined as, essentially, any transaction, act or conduct that has a "commercial character.", To the extent that organizations engage in the sale of goods or services, or otherwise engage in commercial activities, any personal information collected, used or disclosed in the context of that activity will generally be subject to PIPEDA.
Notwithstanding that some provinces have legislation separate and apart from PIPEDA, PIPEDA applies to all interprovincial and international transactions conducted by organizations subject to PIPEDA in the course of their commercial activities. Additionally, PIPEDA applies to federally regulated organizations (called "federal works, undertakings or businesses"). These include banks, transportation companies, and telecommunications providers and resellers.
In 2015, the Canadian government enacted the Digital Privacy Act (S.C. 2015, c. 32, as amended) (the "Digital Privacy Act") to address, in part, the concern that PIPEDA did not contain data breach notification requirements. On September 2, 2017, the Proposed Regulations were published in the Canada Gazette.
Data Breach Notification Requirements
When the Regulations come into force (at a date yet to be determined), organizations will be required to report to the Office of the Privacy Commissioner of Canada (the "Commissioner") any "breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual." (the "Reports to the Commissioner")
A "breach of security safeguards" has been defined as "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in clause 4.7 of Schedule 1 [to PIPEDA] or from a failure to establish those safeguards."
Clause 4.7 (Principle 7 - Safeguards) of Schedule 1 to PIPEDA states:
4.7 Principle 7 — Safeguards Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
4.7.1 - The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
4.7.2 - The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.
4.7.3 - The methods of protection should include (a) physical measures, for example, locked filing cabinets and restricted access to offices; (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and (c) technological measures, for example, the use of passwords and encryption.
4.7.4 - Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.
4.7.5 - Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (see Clause 4.5.3).
"Significant harm" has been defined to include "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property."
In determining whether a breach of security safeguards creates a real risk of significant harm to an individual, the following factors must be considered: (a) the sensitivity of the personal information involved in the breach; (b) the probability that the personal information has been, is being or will be misused; and (c) any other prescribed factors. The Proposed Regulations do not prescribe any other factors.
Reports to the Commissioner must be made as soon as feasible after an organization determines that a breach of security safeguards has occurred. The Proposed Regulations require that Reports to the Commissioner must be in writing and they must contain the following:
(a) a description of the circumstances of the breach and, if known, the cause; (b) the day on which, or the period during which, the breach occurred; (c) a description of the personal information that is the subject of the breach; (d) an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm; (e) a description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm; (f) a description of the steps that the organization has taken or intends to take to notify each affected individual of the breach in accordance with subsection 10.1(3) of the Act [PIPEDA]; and (g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.
Organizations are also required to notify individuals of any breach of security safeguards involving their personal information under the organization's control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individuals, unless an organization is otherwise prohibited by law from doing so.
Notifications to individuals must contain sufficient information to allow individuals to understand the significance to them of the breach of security safeguards and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. The Proposed Regulations require that the notification also contain:
(a) a description of the circumstances of the breach; (b) the day on which, or period during which, the breach occurred; (c) a description of the personal information that is the subject of the breach; (d) a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm; (e) a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm; (f) a toll-free number or email address that the affected individual can use to obtain further information about the breach; and (g) information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner.
Notifications must be conspicuous, must be given as soon as feasible after an organization determines that a breach has occurred, and must be given directly to individuals in a prescribed form and manner. The Proposed Regulations require that direct notification must be given to affected individuals in one of the following ways:
(a) by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner; (b) by letter delivered to the last known home address of the affected individual; (c) by telephone; or (d) in person.
Notification to individuals can be given indirectly where direct notification would cause further harm to the individual; the cost of direct notification would be prohibitive for the organization; or the organization does not have the contact information for the individual, or the information is out of date. Indirect notification can be given in one of two ways: (a) by a conspicuous message, posted on an organization's website for at least 90 days; or (b) by means of an advertisement that it likely to reach the affected individuals.
Record Keeping Requirements
Organizations are required to keep and maintain a record of every breach of security safeguards involving personal information under its control (collectively, "Records"), and are required to provide the Commissioner with access to, and a copy of, the Records.
Under the Proposed Regulations, organizations will be required to maintain the Records for at least 24 months after the day on which an organization determines that a breach has occurred. In addition, the Proposed Regulations require that Records must contain any information pertaining to a breach that enables the Commissioner to verify an organization's compliance with its notification obligations. Fortunately, the Proposed Regulations state that Records may be used by organizations as a record of breaches.