On September 2, 2017, the Government of Canada published proposed “Breach of Security Safeguards Regulations”. The proposed regulations relate to the provisions in Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), which are not yet in force. The PIPEDA provisions will require an organization to notify affected individuals, and report to the Office of the Privacy Commissioner of Canada (“OPC”), as soon as feasible, regarding any data breach which poses a “real risk of significant harm” to any individual whose personal information was involved in the breach. The breach provisions in PIPEDA specify that such notification and reporting must be done in accordance with regulations passed pursuant to PIPEDA. Representations on the proposed regulations may be submitted up to October 2, 2017.
Failure to notify the OPC of a security breach, as required by the PIPEDA provisions yet to come into force, is an offence, punishable by a fine of up to $100,000. PIPEDA also contains a private right of action for affected individuals, which could result in damages being awarded by the Federal Court of Canada for failure to notify affected individuals. This private right of action also opens the door to potential class actions for an organization’s failure to comply with the breach notification provisions in PIPEDA.
The breach provisions in PIPEDA also require organizations to notify any other organization that may be able to mitigate harm to affected individuals, for example, service providers and law enforcement entities. In addition, organizations must maintain a record of any data breach and provide the record to the OPC upon request1
The proposed Breach Regulations specify that reports to the OPC must be in writing and must contain certain stipulated information, such as a description of the circumstances of the breach, the date or time period of the breach, an estimate of the number of affected individuals, a description of the steps taken to reduce the risk of harm, and a description of the organization’s notification or intended notification steps.
Notification to affected individuals must include similar information as provided to the OPC, and must also include:
- a toll-free number or email address that affected individuals can use to obtain further information about the breach; and
- information about the organization’s internal complaint process and about the affected individual’s right to file a complaint with the OPC.
Acceptable methods of direct and indirect notification to individuals are also set out in the proposed Breach Regulations. Indirect notification may be given in circumstances such as where the giving of direct notification would cause further harm to the affected individual, where the organization does not have the current contact information for affected individuals, or where the cost of giving direct notification is prohibitive for the organization.
We expect that consumer advocacy organizations may object to the inclusion of a cost factor for organizations in the proposed Breach Regulations, so it remains to be seen whether this part of the proposed regulations will ultimately survive.