First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

You are here: Home / Business / It’s official: Mandatory data breach notification coming on November 1, 2018

By | 4 Minutes Read

It’s official: Mandatory data breach notification coming on November 1, 2018

breach notification
G7CLAS_TI

Last week, the Government of Canada published an Order in Council that will bring into force, as of November 1, 2018, the much anticipated mandatory breach notification and record-keeping requirements under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Once implemented, these changes will align the Canadian breach reporting regime with those in the United State and Europe.

Background

In June 2015, the federal government passed the Digital Privacy Act (the “DPA”), which modified PIPEDA in several key ways. While most of the amendments came into force when the DPA was passed, provisions relating to mandatory breach notification and record-keeping did not.
On September 2, 2017, after much delay, the federal government published proposed Breach of Security Safeguards Regulations (“Breach Regulations”) to bring those provisions into force. These regulations will impose significant new obligations on organizations, should they become subject to a data breach.
Note that this is not entirely new to Canada. Alberta’s Personal Information Protection Act brought in similar, but not identical, provisions in May 2010. Those already complying with PIPA will still need to be mindful of the differences between the federal and provincial regimes.
Notification requirements
Under the new provisions of PIPEDA, a data breach, or “breach of security safeguards”, is defined as a loss or unauthorized access or disclosure of personal information resulting from a breach of the organization’s security safeguards. Organizations that experience a data breach must report the incident to the Office of the Privacy Commissioner of Canada (“OPC”) and notify affected individuals where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual.” The term “significant harm” includes, among other things, bodily harm, humiliation, damage to reputation or relationships, financial loss, identity theft, negative effects on the credit record and damage to, or loss of, property.
Report to the OPC
Under subsections 10.1(1) and (2) of PIPEDA and the Breach Regulations, specific information must be included in an organization’s report to the OPC. The report must include the following items:

  • a description of the circumstances and cause of the breach;
  • the date or period of the breach;
  • a description of the personal information that is the subject of the breach;
  • an estimate of how many individuals are exposed to a “real risk of significant harm”;
  • a description of what the organization has done to reduce or mitigate harm;
  • a description of what the organization has or intends to do to notify each individual; and
  • contact information of a person who can answer the Commissioner’s questions about the breach.

Notification to affected individuals
Under subsections 10.1(3) to 10.1(8) of PIPEDA and the Breach Regulations, notification to affected individuals must also be provided in a prescribed form and include the following:

  • a description of the circumstances of the breach;
  • the day on which, or the period during which, the breach occurred;
  • a description of the personal information that is the subject of the breach;
  • a description of the steps taken by the organization to reduce or mitigate the risk of harm to the affected individual resulting from the breach;
  • a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
  • a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
  • information about the organization’s internal complaint process and about the affected individual’s right, under PIPEDA, to file a complaint with the Commissioner.

Record-keeping requirements
Under section 10.3 of PIPEDA and the Breach Regulations, organizations will be required to maintain a record of every breach of security safeguards for a minimum of 24 months after the organization has determined that a breach has occurred. These records should be sufficiently detailed and include, among other things, the methodology undertaken and factors considered in determining whether a particular breach met the threshold of “real risk of significant harm.” These records will be used by the Commissioner as a means to verify compliance and inform further enforcement action, if required.

Key takeaways

The coming into force of mandatory breach notification and record-keeping requirements on November 1, 2018 should be viewed by organizations as an effort to align Canadian legal and regulatory requirements with those in the United States and Europe (especially with the General Data Protection Regulations – or GDPR – coming into force in May 2018).
In order to comply with these requirements, organizations should take the following steps:

  • First, ensure that the organization has written policies and systems in place allowing for internal monitoring, tracking and reporting of data breaches.
  • Second, ensure that organizational policies address containment, investigation, notification and remediation of data breaches and reflect the new requirements. This may include the development of a “matrix” allowing the organization to quickly determine whether the “real risk of significant harm” threshold has been met for notification purposes.
  • Third, assume that notifications to the OPC and affected individuals may result in scrutiny of the organization’s security safeguards and overall response to a data breach. This may come in the form of regulatory investigations, legal actions launched by affected individuals (including class actions) or queries from the media.
  • Fourth, have a written “game plan” that takes into account key factors that matter to the organization (e.g., impact on the brand, operational disruption, etc.) and that outlines the organization’s response strategy.

By Imran Ahmad, Catherine Bate, Kathryn M. Frelick, James T. Swanson, Miller Thomson

Occasional Contributors

In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.

Latest posts by Occasional Contributors (see all)

Share with a friend or colleague

Learn the 10 essential HR policies in the time of COVID-19

Get the Latest Posts in your Inbox for Free!

About Occasional Contributors

In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.

Footer

About us

Established in 1995, First Reference provides organizations with practical and authoritative resources to help ensure compliance with constantly changing Canadian legislation and best practice

Main Menu

Stay Connected