The federal government has introduced new regulations setting out what information must be disclosed to consumers and to the Privacy Commissioner after a data breach. These regulations will take effect on November 1, 2018.

As noted previously in this blog, new requirements are coming into force on November 1, 2018 that require organizations to notify consumers and the Privacy Commissioner of any data breach that creates a real risk of significant harm to an individual. Regulations published last week provide more clarity on what an organization that suffers a data breach must tell affected individuals and the Privacy Commissioner after the breach.

Notifications to both the affected individuals and the Privacy Commissioner must contain:

  • a description of the circumstances of the breach and, if known, the cause;
  • the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
  • a description of the personal information that is the subject of the breach, to the extent that the information is known;
  • a description of the steps that the organization has taken to reduce the risk of harm to the affected individuals that resulted from the breach, or to mitigate that harm; and
  • contact information for the organization (and in the case of the notification to the Privacy Commissioner, the name of a person who can answer the Commissioner’s questions on behalf of the organization).

Notifications to the affected individuals must also include a description of the steps that the individual could take to reduce the risk of harm that could result from the breach, while notifications to the Privacy Commissioner must include the number of individuals affected by the breach (or an approximate number if unknown) and a description of the efforts made to notify affected individuals. As new information becomes available about the circumstances of the breach, the organization may update the Privacy Commissioner.

Notifications to the Privacy Commissioner can be provided by any secure means of communication, while notifications to the affected individuals can be provided by telephone, mail, email, in person, or by any other reasonable form of communication. However, if contact information is not available for the affected individual, or if direct notification would be likely to cause further harm to the affected individual or undue hardship for the organization, then the notification can be made indirectly via a public announcement that could reasonably be expected to reach the affected individuals.

An organization that has been affected by a data breach should keep records relating to the breach for at least two years after the breach is discovered, including records of the notifications that were provided to affected individuals and to the Privacy Commissioner.

The changes set to take effect on November 1, 2018 underscore the importance of organizations being upfront with the public about data breaches that occur on their systems. Rather than waiting for data breaches to occur, organizations should be proactive in ensuring that their systems are adequately protected.