This article is part of our Cybersecurity Blog Series, which is intended to provide readers with a 360° view on cybersecurity. To view other blog posts in the series, please visit Cybersecurity Blog Series from McCarthy Tétrault’s Cyber/Data Group.
The inevitable has happened. Your organization has suffered a data breach. Hopefully, your organization was prepared and had a response plan in place. But whether you are following your organization’s plan, or simply reacting to circumstances as they unfold, a key consideration is your organization’s notification obligations.
In this article, we discuss notification obligations and best practices in the event of a data breach. At a high level, there are three groups that your organization may be required to notify: (a) the relevant privacy commissioners; (b) affected individuals; and (c) insurers.
A. Relevant Privacy Commissioners
There are now mandatory requirements to notify privacy commissioners of a data incident under a number of privacy laws across Canada, including PIPEDA, Alberta’s PIPA, and Quebec’s recently proposed legislation (Bill 64, An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information, which received first reading on June 12, 2020 and was adopted in principle on October 20, 2020). Additionally, British Columbia is currently reviewing its PIPA, including consideration of adding mandatory reporting requirements.
In reporting to privacy commissioners, an organization should engage external legal counsel at the outset in order to ensure timely, accurate and compliant notification. Key considerations for notifications to privacy commissioners include:
- Whether notification is in fact required.
- Whether, as a practical matter, all relevant privacy commissioners should be notified (regardless of legal requirements) as a mitigation strategy for any future litigation, and to avoid an investigation initiated by the commissioner in the event of a complaint.
- Whether the form of notice complies with all statutory requirements. For example, under PIPEDA, a breach report form for the commissioner must include: (a) information of a point of contact within the organization; (b) approximation of the number of individuals affected; (c) time of the breach and its circumstances; (d) description of the security safeguards in place at the time of the breach and of the personal information involved; and (e) steps taken to notify affected individuals and mitigation strategy.
- Whether the organization has ensured that the information provided to the relevant privacy commissioners is consistent.
- What details and information to put in the notification to relevant privacy commissioners. The content of the notification may be subsequently disclosed pursuant to requests made under access to information laws, judicial review of a privacy commissioner’s decision, or in ensuing litigation over the data incident (statutory protection of information provided to commissioners is not necessarily as robust as it appears).
It is imperative that an organization engage internal or external legal counsel as soon as a breach is detected in order to comply with regulatory notification requirements. Non-compliance may result in stiff penalties, including fines up to $100,000 under PIPEDA.
B. Affected Individuals
One of the most significant stakeholder groups in a data incident is an organization’s customers. Canadian consumers have high expectations that they be promptly notified about a data incident. But beyond maintaining good customer relations, PIPEDA requires organizations to notify affected individuals where there is a real risk of significant harm, and both Quebec and Manitoba have proposed legislation that, once in force, will require organizations to notify affected individuals in certain circumstances.
Under PIPEDA, the organization must notify affected individuals “as soon as feasible after the organization determines that the breach has occurred”. Furthermore, it may be prudent in certain circumstances to provide notifications even if the necessary conditions are not met, from both a customer relations perspective and to limit potential liability at common law.
Any notification to affected individuals ought to be drafted in careful consultation with legal counsel to ensure both that legal notification obligations are met and that the information contained in the notification is accurate, so that it will not unduly prejudice the organization in any later litigation over the incident. As a broad overview, the notification should be conspicuous and contain sufficient information to help affected individuals mitigate the risk of harm.
Additional best practices for consumer notifications include:
- Ensuring the notification meets any form and content requirements imposed by the relevant legislation.
- Considering steps an individual can personally take to reduce or mitigate the harm from the incident, and including that information.
- Accurately describing the circumstances of the breach, such as the date or period during which the breach occurred (or, if unknown, the approximate period) and personal information that was subject to the breach.
- Setting out details of the organization’s response to the breach, and providing contact information that the affected individual can use to obtain further information about the breach.
- Ensuring that the notification itself does not further perpetuate a breach of privacy. For example, if the breach concerns very private personal information, or if the individual’s involvement with the organization itself might give rise to privacy concerns, the organization should ensure that the notification itself is marked private and confidential, and remove any information from the envelope that might give rise to a fresh breach of privacy.
- Lastly, where it is not feasible or possible to provide personalized notifications to every affected individual, considering options for indirect notification, such as advertisements.
C. Insurers
It is important to consider whether the organization has cybersecurity risk insurance at the very outset of any data incident because most insurance policies have a requirement that the insured promptly notify the insurer of a suspected incident. In reviewing the insurance policy, organizations should look to determine: (i) whether an insurance obligation is triggered, (ii) deadlines for notifying the insurer of a breach, and (iii) what information is required to be provided to the insurer with the notification. It is essential to engage legal counsel at the outset to review coverage and draft any notification to the insurer to limit the risk of denial of coverage.
Regardless of whether the breach happened through employee error such as an unencrypted data stick left on a train, or a sophisticated ransomware attack, you need to carefully think through your organization’s notification obligations and then follow through on those obligations, to mitigate risk and limit the damage as much as possible. Cyber experts like the Cyber/Data team at McCarthy Tétrault can be key partners to assist with your data incident response, including any notification obligations.