Currently, British Columbia’s Personal Information Protection Act (“PIPA”) does not contain a specific obligation for organizations to notify either the Information and Privacy Commissioner’s office (“OIPC”) or affected individuals in the event of an information security breach.
BC PIPA does, however, impose a general obligation on BC organizations to take reasonable steps to secure personal information against risks such as unauthorized access, unauthorized disclosure, and unauthorized destruction. This general security obligation in PIPA may be interpreted, in some circumstances, to require notification of affected individuals in the case of an information security breach.
Although BC PIPA does not currently contain a specific notification provision for information security breaches, that may be about to change.
A special committee of the Legislative Assembly in Victoria (the “Special Committee”) is currently reviewing PIPA. A number of the submissions made to the Special Committee have suggested that PIPA should be amended to include a specific notification requirement for information security breaches. These submissions are in line with proposed amendments to both federal privacy legislation and legislation already enacted in several US states.
The BC Freedom of Information and Privacy Association (“FIPA”) has recommended that mandatory breach notification be incorporated into PIPA. FIPA has recommended adoption of the notification threshold applied in some US states; namely, “acquisition [of personal information], or reasonable belief of acquisition, by an unauthorized person”. This is a very low threshold for a notification requirement.
Recommendations of BC’s Information and Privacy Commissioner
BC’s Information and Privacy Commissioner Elizabeth Denham has also recommended to the Special Committee that mandatory breach notification be added to BC PIPA. Commissioner Denham advised the Special Committee that mandatory breach provisions would bring BC’s PIPA in line with other jurisdictions, such as Alberta, whose PIPA currently contains an express duty to notify the Alberta Privacy Commissioner of any incident involving the loss of, or unauthorized access to or disclosure of, personal information that was under the organization’s control where “a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure”.
Federal Bill S-4 - Digital Privacy Act
The Government of Canada is also currently looking to update the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), which applies to federally regulated businesses such as airlines and chartered banks, to include a requirement that organizations give notification in the case of a security breach.
Federal Bill S-4, the Digital Privacy Act, proposes an amendment to PIPEDA that would require an organization to notify the Privacy Commissioner of Canada where it has experienced a breach of security safeguards and it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. In Bill S-4, “significant harm” is defined to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
California Enacts Even Tougher Security Breach Requirements
The State of California is taking breach notification requirements even further. California recently amended its breach notification legislation (Cal. Civ. Code 1798.81.5, 1798.82 and 1798.85 - effective January 1, 2015) to require that, if the entity providing notification to consumers was the source of the breach, any offer of identity theft prevention or mitigation services must be made at no cost to the affected person for at least 12 months, along with all information necessary to take advantage of the offer.
What Should BC Organizations Do?
It remains to be seen whether the Special Committee in British Columbia will, in the end, recommend an amendment to BC PIPA that will make information security breach reporting a specific, express obligation. The Special Committee is expected to deliver its report by February 25, 2015. It also remains to be seen whether the Legislative Assembly will enact this type of amendment if recommended by the Special Committee. In the interim, we suggest that organizations:
- regularly review and internally audit their handling of personal information as a preventive measure;
- develop a written information security breach protocol (in order to be in a good position to respond quickly when an information security breach occurs); and
- carefully consider, in the event of any information security breach, whether affected individuals should be notified of the breach, in light of the existing PIPA obligation to take reasonable steps to secure personal information.