Organizations are now required by law to report a data breach to the Office of the Privacy Commissioner of Canada (OPC), where it is reasonable to believe that it presents a real risk of significant harm to a person. In such cases, they will also have to notify affected individuals. This must be done “as soon as feasible”, and according to the OPC, even if not all the information surrounding the cause or any planned mitigation measures, is known or confirmed. Information can be corrected and updated as it becomes available.
What's more, organizations in Canada have to keep a record of all breaches of security safeguards, involving personal information under their control, that come to their attention, whether there is a real risk of significant harm or not.
As the OPC says, to put it simply, there must be a record of every breach of security safeguards.
The new mandatory breach notification and record keeping requirements, introduced as amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), came into force on November 1, 2018.
In assessing risk stemming from a breach, organizations will have to develop a reliable response plan that takes into account the sensitivity of the information, and the likelihood it would be misused. As the OPC states in its guidance document, some information, on its face, will clearly be considered sensitive. But there also may be circumstances at play that “may make the information more or less sensitive.”
As for determining the probability of misuse, organizations targeted by a breach should ask themselves a number of questions. These include how likely is it that someone would be harmed as a result of the breach; who might have accessed the information; how long the information has been exposed; and whether there is any evidence of malicious intent (e.g. theft, etc). Also, has disclosure of the information been limited to known people or entities who have committed to destroy and not disclose the data? Or, in the case of an accidental disclosure to unintended recipients, is it unlikely they will share the information in a way that would cause harm?
For further details on reporting and notification requirements, please consult our earlier post on the issue.