IN BRIEF
- The Government of Canada (Innovation, Science and Economic Development Canada) recently released the long-awaited proposed Breach of Security Safeguards Regulations, which outline the obligations for breach reporting and notification under Canada’s federal private sector privacy law.
- Under the regulations, an organization is required under certain circumstances to notify affected individuals, any other relevant organization or government institution and the Privacy Commissioner of Canada in a specified manner.
- Affected U.S. businesses should review their current practices and consider establishing the safeguards set forth in the proposed regulations to avoid monetary penalties.
It’s been a long wait. More than two years have passed since Ottawa amended Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA, or the Act) by enacting Bill S-4, the Digital Privacy Act, to establish mandatory data-breach reporting requirements. Yet, sections 10.1 through 10.3, the provisions outlining the obligations for breach reporting and notification, still are not yet in force pending the creation of necessary regulations. On September 2, 2017, Innovation, Science and Economic Development Canada finally revealed the proposed Breach of Security Safeguards Regulations (Regulations), along with a Regulatory Impact Analysis Statement (RIAS) which can be found in the Canada Gazette. The proposed Regulations will come into force at the same time as section 10 of the Digital Privacy Act and are open for comments from interested parties for a period of 30 days.
By way of refresher, following the implementation of the new data-breach sections of PIPEDA, organizations that experience a data breach (referred to in PIPEDA as a “breach of security safeguards”) must determine whether the breach poses a “real risk of significant harm” (which may include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property) to any individual whose information was involved in the breach by conducting a risk assessment. When conducting this risk assessment, organizations must consider the sensitivity of the information involved and the likelihood of whether it will be misused. If the answer is “yes,” the organization is required to notify affected individuals and the Privacy Commissioner of Canada (the Commissioner) as soon as “feasible.”
Additionally, because the primary objective of the new data-breach reporting and notification framework in PIPEDA is to prevent or mitigate the potential harm to individuals resulting from a breach, the updated Act requires organizations that notify individuals of breaches to notify other third-party organizations and government institutions (or part of government institution) of a potentially harmful data breach if the organization making the notification concludes that such notification may reduce the risk of harm that could result from the breach or mitigate the potential harm.
Data-Breach Report to the Commissioner
The proposed Regulations provide a list of requirements that must be covered in any notice to the Commissioner. The RIAS further notes that this list is not intended to be exhaustive, and there is nothing in the Regulations that precludes an organization from providing additional information to the Commissioner should the organization believe that the information is pertinent to the Commissioner’s understanding of the incident.
At a minimum, the data-breach report to the Commissioner must be in writing and must contain the following information:
(a) a description of the circumstances of the breach and, if known, the cause;
(b) the day on which, or the period during which, the breach occurred;
(c) a description of the personal information that is the subject of the breach;
(d) an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm;
(e) a description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm;
(f) a description of the steps that the organization has taken or intends to take to notify each affected individual of the breach in accordance with subsection 10.1(3) of the Act; and
(g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.
Notifying the Affected Individual
Similarly, although the proposed Regulations also list the requirements that must be contained in any notification to affected individuals, the RIAS provides that companies can provide additional information and/or design the notice to suit the intended audience. Minimally, the following information is required in any notice to an affected individual:
(a) a description of the circumstances of the breach;
(b) the day on which, or period during which, the breach occurred;
(c) a description of the personal information that is the subject of the breach;
(d) a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
(e) a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
(f) a toll-free number or e-mail address that the affected individual can use to obtain further information about the breach; and
(g) information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner.
Direct Notification/Indirect Notification
The Regulations confirm that organizations can communicate with affected individuals through a variety of channels, including: (a) by e-mail or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner; (b) by letter delivered to the last known home address of the affected individual; (c) by telephone; or (d) in person.
However, the Regulations also recognize that there might be circumstances when “indirect” notification of affected individuals is acceptable. Examples include when: (a) the giving of direct notification would cause further harm to the affected individual; (b) the cost of giving of direct notification is prohibitive for the organization; or even when (c) the organization does not have contact information for the affected individual or the information that it has is out of date. In these circumstances, the proposed Regulations suggest that a public announcement, i.e., a “conspicuous message” posted on the organization’s website for at least 90 days or the use of an advertisement that is “likely to reach the affected individuals” would be acceptable. However, one may question whether this carve-out, which clearly puts the onus on the aggrieved party to take active steps to find out about the breach, is actually reasonable in most circumstances, as it may prove tempting to organizations that would rather avoid the considerable cost of individual notification and instead rely on digital publication.
Data-Breach Recordkeeping
Significantly, companies that experience data breaches will no longer have the ability to hide them. Under the draft Regulations, organizations must maintain a “record” (the word is undefined and may arguably be broadly interpreted) of every breach of security safeguards for a minimum of 24 months after the day on which the organization determines that the breach has occurred. Ouch. Even worse, the record must be sufficiently detailed and must contain any information pertaining to the breach that enables the Commissioner to verify compliance with subsections 10.1(1) and (3) of the Act. The Regulations do confirm that the data-breach report provided to the Commissioner as described above can also be considered a record of the breach of security safeguards.
Next Steps
What does this all mean for Canadian and U.S. businesses?
Certainly, U.S. organizations that have a real and substantial connection to Canada and that collect, use, and disclose the personal information of Canadians in the course of their commercial activities should dust off and revisit their existing corporate data-breach/breach of security safeguards policies to ensure that they at least minimally dovetail with the proposed Regulations, which are expected to come into force in 2018. It is important to know that Canadian courts have held that PIPEDA has extraterritorial application to foreign organizations involved in the collection, use or disclosure of personal information in Canada including through the offer and provision of services to Canadians (see Lawson v. Accusearch Inc. (c.o.b. Akiba.com) [2007] F.C.J. No. 164 and more recently, T.(A.) v. Globe24h.com [2017] F.C.J. No. 96).
If an organization does not yet have a data-breach/breach of security safeguards policy, then it’s high time to consider putting one in place. As the recent Equifax and other data breaches have reminded us, no company is immune to the threat of hackers, and the loss of personal information and organizations that are subject to PIPEDA will be obliged, under Canadian law, to report such incidents. Once the mandatory provisions of PIPEDA dealing with breach reporting, notification, and recordkeeping come into force, any affected U.S. organization that knowingly fails to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fails to maintain a record of all such breaches, could face fines of up to $100,000 per violation. Therefore, there is no time like the present for smart companies to review their current practices and establish those critical safeguards/methodologies to avoid these penalties.