Breach of Security Safeguards Regulations

Back in June of 2015, the Digital Privacy Act, received royal assent resulting in amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). Most amendments came into force at that time, except for the much-anticipated requirements related to breach notification. These requirements will come into force once regulations have been developed and put into place and will affect any organization that collects, uses or discloses personal information in the course of commercial activities.

On September 2, 2017, a draft of those regulations was published in the Canada Gazette. The draft regulations will require organizations to report, to the privacy commissioner, any breach of security safeguards involving personal information under its control if it is reasonable to believe the breach creates a real risk of significant harm. The draft regulations state that such a report would have to contain the following:

  • a description of the circumstances of the breach and, if known, the cause;
  • the day or the period in which the breach occurred;
  • a description of the personal information that was involved in the breach;
  • an estimate of the number of individuals impacted – where the breach creates a real risk of significant harm;
  • the steps that the organization has taken to reduce the risk of harm to the impacted individuals;
  • the steps that the organization has taken or will take to notify impacted individuals; and
  • the name and contact information of a person who can answer, on behalf of the organization, the Privacy Commissioner’s questions about the breach.

Organizations that experience such a breach will also have to do the following:

  • Determining if the breach poses a “real risk of significant harm” to any individual whose personal information was involved in the breach by conducting a risk assessment;
  • Notifying affected individuals if it is determined that there is a real risk of significant harm. How the notification will take place depends on several factors, such as whether contact information for the impacted individuals is known, cost, and whether the method chosen to deliver such a notification will cause further harm;
  • Issuing notification that contains:
    • a description of the circumstances of the breach;
    • the day or period during which the breach occurred;
    • a description of the personal information that was involved in the breach;
    • the steps that the organization has taken to reduce the risk of harm to the impacted individuals;
    • the steps that the impacted individuals could take to reduce the risk of harm resulting from the breach;
    • a toll-free number or email address that the impacted individuals can use to obtain further information about the breach; and
    • information about the organization’s internal complaint process and about the individual’s right, under PIPEDA, to make a complaint with the Privacy Commissioner;
  • Notifying other organizations or government institutions (e.g. law enforcement agencies) if it believes they may be able to reduce the risk of harm to the impacted individuals. If this is the case, consent of individuals is not required for such disclosures; and
  • Keeping records of any data breach for a minimum of 24 months.

Determining whether there is a real risk of significant harm to an individual, and the requirement to report “as soon as feasible”, are likely to be the most challenging aspects for organizations.

In determining whether there is a “real risk of significant harm”, the risk assessment must consider factors such as the sensitivity of the personal information involved, whether the data was encrypted, whether the personal information could be misused, whether the information has been recovered, etc. The true weight of such factors may not always be known at the time the risk assessment is first conducted. If they are not known, it may be best to assume a worst-case scenario in the assessment.

When reporting “as soon as feasible” after an organization determines that a breach has occurred, to both the Privacy Commissioner and impacted individuals, organizations may be hesitant to provide specific information. Reasons for this hesitation may include that details may change as further investigation of the breach is conducted, or fear of litigation risk down the road. Additionally, organizations will be concerned about reputational risk. When notifying the Privacy Commissioner, organizations may want to state that the investigation is ongoing and that updates will be provided in a timely manner. When notifying impacted individuals, organizations should ensure that all required information is contained in the notification. It is best to be transparent and truthful in such notifications, as not doing so may cause even greater litigation and reputational risk.

Regulatory Impact Analysis and Regulations

The draft regulations are open for a comment period. To read the full details of the draft and the accompanying regulatory impact analysis statement, please visit the Canada Gazette.

We’re Here To Help

If you have questions regarding this or any questions related to privacy legislation in general, please contact us.