As of November 1, 2018, organizations across Canada must comply with new mandatory breach notification rules under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Knowingly failing to comply can result in fines of up to $100,000. If your organization has not already done so, it is time to consider your obligations and put a plan and process in place to comply.
What Are the Legal Requirements?
Any organization that is subject to PIPEDA has reporting, notification and record-keeping obligations for any “breach of security safeguards.” Every breach triggers the requirement to keep a record of it, but reporting and notification are only required where the breach creates a “real risk of significant harm” to an individual (a “RROSH”). The number of affected individuals is irrelevant: whether the breach affects one person or one million, the existence of a RROSH is what triggers your reporting and notification obligations. Here is what you need to know about RROSH:
- “‘Significant harm’ includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
- Factors relevant to determining whether a breach of security safeguards creates a RROSH include the sensitivity of the personal information involved and the probability that the personal information has been, is being or will be misused.
“As soon as feasible” after determining there has been a breach and a RROSH involving personal information under its control, an organization must:
- Report the breach to the Office of the Privacy Commissioner of Canada (“OPC”).
- Notify any individual whose personal information was involved.
- Notify “any other organization, a government institution or a part of a government institution of the breach if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm.”
There are also record-keeping requirements. Whether or not there is a RROSH, an organization must keep a record of every breach of security safeguards for 24 months after the day it determines that the breach occurred. The OPC can request those records at any time.
What Should My Organization Do?
Mandatory breach notification makes breaches even more costly, so prevention matters more than ever. But breaches can hit even the most secure organizations, so you also need an incident response plan to minimize the damage. Here are some things you should do:
- Map out how personal information flows through your organization. A data map will help with privacy law compliance and put you in a stronger position to assess the impact of a suspected breach and determine if there is a RROSH.
- Prepare and test an incident response plan. It should be tailored to your organization and include:
- Contact information for internal and external resources, including security, legal, human resources and communications, with backups for each individual.
- A framework for assessing each potential RROSH.
- Other reporting obligations you may have, such as under contract. You may also be subject to sector-specific requirements, such as IIROC’s Proposed Amendments Respecting Mandatory Reporting of Cybersecurity Incidents. Public companies should also see our post on the Canadian Securities Administrators’ cybersecurity guidance to understand their disclosure requirements.
- A step-by-step plan for addressing a suspected breach.
- Regular testing, review and update procedures.
- A security breach log that helps you record all of the information required for your record retention obligations.
- Template notification letters that meet the notice obligation requirements in the regulations.
- Review your agreements with each vendor and service provider that may have access to personal information under your control. They should be contractually obligated to report any security breach to you promptly, because the reporting and notification obligations fall on the organization that controls the personal information, even when the breach occurs at the service provider.