Canadian privacy laws are about to change to require mandatory breach notification. Draft regulations have been introduced to guide businesses on when and how to notify consumers and the privacy commissioner if there has been a security breach. The government has tried to strike a balance so that consumers receive meaningful notification of breaches that rise to the level of a “real risk of significant harm”. If the right balance is struck, consumers will pay attention and take steps to protect themselves, and mitigate further harm. If the wrong balance is struck, there will be an influx of notices, and there is a real risk of notification fatigue.
Mandatory data breach reporting has been expected since 2015, with amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), Canada’s private sector privacy law; however, breach notification is on hold until regulations come into force. Draft regulations were released in September 2017 and they are expected to come into force in 2018.
There is currently voluntary breach reporting throughout most of Canada, with Alberta being the only province with private sector mandatory breach notification.
Once the new law is in force, when an organization suffers a breach of security safeguards that gives rise to a “real risk of significant harm”, the organization must (i) report the incident to the Office of the Privacy Commissioner of Canada; (ii) notify affected individuals; and (iii) notify any other third party that is in a position to mitigate the risk of harm to affected individuals. These notifications must be made as soon as feasible after the organization determines that the breach has occurred.
When assessing risk, the regulations require businesses to consider, among other things, the sensitivity of the information and the probability that the information has been, is being or will be misused. Under the legislation, “significant harm” goes well beyond identity theft and is defined to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. A “real risk” may extend even to a breach involving encrypted information: there is no blanket encryption safe harbour, a position the government justified on the basis that the information could still be decrypted. In practice, the strength of the encryption and whether the keys were also exposed will bear on the probability-of-misuse factor, but encryption alone does not settle the question.
Businesses will also be required to keep a record of every breach of security safeguards, whether or not the business concludes that the breach gives rise to a real risk of significant harm, and to retain each record for a minimum of 24 months after the day on which the organization determines that the breach has occurred. The Commissioner may request access to, or a copy of, these records and so review the history of breaches experienced by a particular business within that 24-month window. Records must contain sufficient information to permit the Commissioner to verify compliance with the breach reporting regime, which in practice means recording the date, a description of the incident and the information involved, the harm assessment that was made, and whether and when notifications were issued.
The implementation of mandatory breach notification is intended to harmonize Canadian law with other jurisdictions, including the European Union’s General Data Protection Regulation (GDPR), which applies from May 2018 and includes mandatory data breach reporting. Many businesses already have systems and policies in place to monitor, track and report breaches, for example to comply with the law in Alberta or with the laws of another country. If not, now is the time to start. The regulations provide for a delayed coming into force date after publication of the final regulations, to ensure businesses have ample time to adjust their policies and procedures to comply with the new law.