Canada’s long-awaited federal private-sector data breach notification and reporting requirements came into force on November 1, 2018.
Back in June 2015, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was amended (via the Digital Privacy Act) to include, among other things, an obligation for organizations to notify affected individuals and report to the Office of the Privacy Commissioner of Canada (OPC) about any data breach posing a “real risk of significant harm” to affected individuals. The amendment did not come into force immediately, however, due to the need for PIPEDA regulations to be developed (via a government consultation process), in order to provide more detailed direction to organizations.
The notification, reporting and record-keeping obligations are now in force and it is important for organizations to be aware of the requirements, including the detailed PIPEDA regulations relating to breach notification and reporting.
US organizations need to know that PIPEDA may apply to their collection, use or disclosure of “personal information” in connection with commercial activities where there is a “real and substantial connection” with Canada. (This may include situations involving the collection and use of Canadian consumer information by US-based organizations, depending on the circumstances – for example, where a US corporation routinely collects and uses personal information about Canadians).
Risk threshold for reporting/notification
PIPEDA’s data breach obligation applies only where there is “a real risk of significant harm to an individual.” The relevant PIPEDA provisions require organizations to assess a number of factors in determining whether any breach of security safeguards is reasonably believed to meet this threshold. Organizations must consider the sensitivity of the information involved, the probability that the information will be misused and the potential for “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property” when assessing risks.
The data breach reporting regulations require an organization to submit a written report to the OPC that includes:
- a description of the circumstances of the breach and, if known, its cause
- the day or period during which the breach occurred or, if neither is known, the approximate period
- a description of the personal information that is the subject of the breach (to the extent known)
- the number of individuals affected by the breach if known (or approximate number)
- a description of the steps taken to reduce the risk of harm to affected individuals or to mitigate that harm
- a description of the steps that the organization has taken or intends to take to notify affected individuals
- the name and contract information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.
Very similar information must be provided in the organization’s notification to affected individuals other than the cause of the breach and the number of affected individuals.
While some breach notification laws require providing updated information to the regulator as it becomes known, Canada’s regulations state that an organization “may” submit to the Commissioner any new information about the breach that comes to light after the initial report.
Notification to individuals must be “conspicuous,” given as soon as feasible after the organization determines that the breach has occurred, and generally must be given directly to the affected individuals. Indirect notification must be given where:
- direct notification would be likely to cause further harm to the affected individual
- direct notification would be likely to cause undue hardship for the organization or
- the organization does not have contact information for the affected individual.
It remains to be seen what circumstances will be accepted as giving rise to “undue hardship” for an organization in providing direct notification, and whether the cost of providing direct notification will be considered a valid basis for an organization to opt for indirect notification.
Indirect notification must be given by “public communication” (like substitute notice in the United States) or a similar method that could reasonably be expected to reach the affected individuals.
PIPEDA’s security breach provisions also require an organization to keep a record of every breach of security safeguards as stipulated in the regulations, whether or not notice is required, This means that records must be kept of all breaches, whether there is a real risk of significant harm or not.
The regulations require an organization’s breach records to contain any information that enables the Commissioner to verify compliance with the reporting and notification obligations. While this wording may be seen as lacking in direction, it does provide helpful flexibility and allows an organization’s management to exercise their own good judgement in determining how best to document security breaches. OPC Guidance documents indicate that the OPC will expect, at minimum, that an organization’s internal breach records include:
- date or estimated date of the breach
- general description of the circumstances of the breach
- nature of information involved in the breach
- whether or not the breach was reported to the OPC and
- whether individuals were notified.
It would be prudent for organizations to also include in their records an analysis of whether the risk threshold of a “real risk of significant harm” was considered to be met and the reasoning behind the organization’s conclusion on this point.
Breach records must be retained for at least 24 months, running from the day on which the organization determines that the breach has occurred.
In addition to the potential reputational risk involved in failing to report/notify when required to do so under PIPEDA, organizations that knowingly violate the breach notification requirements may face fines of up to CA$100,000 per violation.
Class actions for information security and other privacy breaches are becoming more prevalent in Canada, and the mandatory breach reporting obligations will likely lead to increased class actions in response to breaches.
Pro-active steps for organizations
Organizations that take pro-active steps now will be much better equipped to respond effectively and efficiently in the event of an information security breach. Such steps may include, for example, developing or revising your organization’s security breach response plan; appropriate staff training; and conducting one or more data breach tabletop exercises.
By Tamara Hunter, David Spratley and Jim Halpert, DLA Piper