Strict new Canadian security breach notification requirements are expected to be finalized and come into force during 2018. The requirements will impose new notice requirements in the event of a “breach of security safeguards” for organizations regulated by the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and corresponding new record-keeping requirements.

The requirements are based on 2015 amendments to PIPEDA that set out a basic breach notification framework, along with proposed Breach of Security Safeguards Regulations (“Regulations”) that were released in 2017 for comment. The Regulations are expected to be finalized in the near future, and the amendments and Regulations will likely come into force later this year.

Three-pronged notice requirement

The new security breach notification provisions contain a three-pronged notice requirement:

  1. a report to the Office of the Privacy Commissioner of Canada,
  2. a notice to affected individuals, and
  3. a notice to other organizations.

Each is outlined in more detail below.

A report to the Commissioner is required “as soon as feasible after the organization determines that [a breach of security safeguards] has occurred,” where the breach involves personal information under the organization’s control and it is reasonable to believe that the breach creates a “real risk of significant harm” to an individual. The proposed Regulations prescribe the content, form and manner of the reporting.

A notice to affected individuals is required—unless prohibited by law—if it is reasonable to believe that the breach creates a “real risk of significant harm” to the individuals. The notification must be given “as soon as feasible after the organization confirms that the breach has occurred.” The Regulations similarly prescribe the content, form, and manner of notification, which must include (i) a description of the circumstances of the breach, (ii) a description of the personal information that is the subject of the breach, and (iii) a toll-free number or email address that the affected individual can use to obtain further information about the breach.

Organizations are also required to “notify any other organization, a government institution, or a part of a government institution of the breach” where the notifying organization believes that the other organization or institution “may be able to reduce the risk of harm that could result or mitigate that harm, or if any of the prescribed conditions are satisfied.” The proposed Regulations are silent with respect to any prescribed conditions in relation to the notification of organizations.

Record-keeping obligations

When the new requirements come into force, organizations will also be required to retain records with respect to every breach of security safeguards involving personal information (and not just for breaches that are deemed to create a “real risk of significant harm”). The proposed Regulations prescribe that organizations must maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred, and that the record must contain any information pertaining to the breach that enables the Commissioner to verify compliance with the requirements to report to the Commissioner and to notify affected individuals.

Harmonizing Canada’s Regime

According to the Regulatory Impact Analysis Statement issued by the Government of Canada, the proposed Regulations will harmonize Canada’s regime for data breach reporting with those of other jurisdictions, reducing the burden of reporting for organizations operating in multiple jurisdictions. In particular, the mandatory breach reporting aligns with the regime recently enacted by the European Union under the General Data Protection Regulation, which comes into force in May of 2018.

In preparation for the proposed Regulations coming into force, organizations should be taking steps to review and augment their privacy-related corporate compliance programs and the corresponding written policies, practices and procedures for evaluating the risk of a breach of security safeguards, identifying a breach that has occurred, determining what to do in the event of a breach, and responding swiftly and appropriately.