The Office of the Privacy Commissioner of Canada (OPC) recently released official guidance for reporting data breaches pursuant to Canada’s new data breach reporting law. A change in Canada’s law, effective November 1st, requires companies subject to Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) to report data breaches in certain instances and keep records of all breaches. The guidance relates to how to determine what breaches must be reported to the OPC, and what kind of notice you need to give individuals. The guidance also relates to the obligation to keep records of breaches and what information needs to be included.
Qualifying a Reportable Breach
A “breach of security safeguards” refers to the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of a company’s security safeguards or a failure to establish security safeguards.
If the breach involves personal information under a company’s control and, after assessing the potential harm, it is determined that the breach creates a “real risk of significant harm” to the affected individuals, then the company must report the breach. The factors for determining whether a breach of security safeguards creates a real risk of significant harm to an individual include:
- the sensitivity of the personal information involved in the breach; and
- the probability that the personal information has been, is being, or will be, misused.
Affected companies should report the breach as soon as feasible to:
- Canada’s data privacy regulator, the OPC;
- affected individuals; and
- related organizations (law enforcement, vendors such as payment processors).
Organizations should also create and maintain records of every breach for at least 24 months following discovery of the breach; Canadian regulators recommend keeping these records for up to 5 years.
Penalties for Failure to Report
Knowingly withholding information about a breach, or failing to keep the required records, could result in fines of up to $100,000 and public disclosure of the noncompliance, which could damage the organization’s reputation.
With the addition of these data breach notification requirements, companies should review their data and determine whether they receive personal information of individuals in Canada.
You may also take additional proactive steps such as:
- Update your incident/breach response plan;
- Work with IT staff to identify potential risks and covered data; and
- Update and provide incident reporting training to staff so that potential incidents are discovered in a timely manner.