The Canadian government recently published a cabinet order laying out federal data breach reporting regulations through the Personal Information Protection and Electronic Documents Act (PIPEDA) and amendments. Similar to other breach notification requirements, these new regulations mandate that organizations that experience a “breach of security safeguards” notify all affected individuals, as well as the Privacy Commissioner and any other related organizations and governmental institutions. The order also includes fines of up to $100,000 (CAD) for noncompliance. These regulations will go into effect starting on November 1, 2018.
Furthermore, in a separate cabinet order, the Canadian government communicated its intent to finalize the September 2017 draft of the Breach of Security Safeguards Regulations.
Several of Canada’s provinces already have mandatory breach notification regulations, which operate alongside the existing practice of organizations voluntarily reporting breaches to the federal Privacy Commissioner. This should help ensure a smooth transition to the November 1st compliance deadline.
Defining a Breach
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), there is no specific deadline for giving notice; however, an organization must notify all parties “as soon as feasible” once the breach has occurred. A “breach of security safeguards” is defined as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from: a) a breach of an organization’s security safeguards, or b) a failure to establish those safeguards.
Risk of Harm Threshold
PIPEDA will require organizations to provide certain notifications of a breach when it is reasonable to believe that the breach creates a real risk of significant harm to the individual. The term “significant harm” includes, among other harms, humiliation, damage to reputation or relationships, and identity theft. Determining whether a “real risk” exists requires considering the sensitivity of the information and the probability that it will be misused.
Notification to the Privacy Commissioner
Notification to the Privacy Commissioner must be in writing and be submitted by any secure means of communication. The regulations require that the report contain specific information, including: a description of the circumstances of the breach and, if known, its cause; a description of the steps the organization has taken to mitigate and reduce the risk of harm; and a description of the steps the organization has taken or intends to take to notify all affected individuals.
Other Significant Impacts
An important change to the legislation since the September 2017 draft is the consideration that an organization may not have all the required information by the time the report is made.
In addition to the form and content requirements, the draft regulations also purport to require organizations to maintain certain records of every breach. This is a broad requirement that may extend beyond those breaches which create a real risk of significant harm.
Key Takeaways for Your Organization
- If your organization operates in Canada and is subject to PIPEDA, enforcement of these regulations will add to your compliance requirements.
- Create or update your breach response plan to take into consideration new notification procedures and templates for communicating to external parties.
- Efficient record keeping is essential to ensuring that all breaches of security safeguards are recorded properly. Make sure documentation is part of your regular security practices!