We have previously advised here and here that Canada is implementing new security breach notification requirements pursuant to the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5, as amended) (“PIPEDA”), Canada’s federal private sector privacy law.

These requirements come into force on November 1, 2018.

In 2015, the Canadian government enacted the Digital Privacy Act (S.C. 2015, c. 32, as amended) (the “Digital Privacy Act”) to address, in part, the concern that PIPEDA did not contain security breach notification requirements.  On March 26, 2018, the Government of Canada set November 1, 2018 as the date upon which the security breach notification requirements under the Digital Privacy Act will come into force.

It is important for organizations to put into place strategies, policies, protocols and procedures so that they can comply with the new security breach notification requirements (the “Breach Notification Requirements”).

Organizations will be required to report to the Office of the Privacy Commissioner of Canada (the “Commissioner”) any “breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual” (the “Reports to the Commissioner”).

A “breach of security safeguards” has been defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 [to PIPEDA] or from a failure to establish those safeguards.”

“Significant harm” has been defined to include “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”

In determining whether a breach of security safeguards creates a real risk of significant harm to an individual, the following factors must be considered: (i) the sensitivity of the personal information involved in the breach; (ii) the probability that the personal information has been, is being or will be misused; and (iii) any other prescribed factors. No other prescribed factors have been established at this time.

Reports to the Commissioner must be made as soon as feasible after an organization determines that a breach of security safeguards has occurred.  Reports to the Commissioner must be in writing and they must contain certain information, including the following:

(i) a description of the circumstances of the breach and, if known, the cause;
(ii) the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
(iii) a description of the personal information that is the subject of the breach to the extent that the information is known;
(iv) the number of individuals affected by the breach or, if unknown, the approximate number;
(v) a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
(vi) a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of PIPEDA; and
(vii) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

Organizations are also required to notify individuals of any breach of security safeguards involving their personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individuals, unless an organization is otherwise prohibited by law from doing so.

Notifications to individuals must contain sufficient information to allow individuals to understand the significance to them of the breach of security safeguards and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm.

Notifications to individuals must contain certain information, including:

(i) a description of the circumstances of the breach;
(ii) the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
(iii) a description of the personal information that is the subject of the breach to the extent that the information is known;
(iv) a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
(v) a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
(vi) contact information that the affected individual can use to obtain further information about the breach.

Notifications must be conspicuous, must be given as soon as feasible after an organization determines that a breach has occurred, and must be given directly to individuals in the prescribed form and manner.  Under certain situations, notification to individuals can be given indirectly.

Organizations are required to keep and maintain a record of every breach of security safeguards involving personal information under its control (collectively, “Records”), and are required to provide the Commissioner with access to, and a copy of, the Records.

These Records must be maintained for 24 months after the day on which an organization determines that a breach has occurred.

As of November 1, 2018:

(1) individuals will be able to file, with the Commissioner, written complaints against organizations for not complying with the Breach Notification Requirements;
(2) the Federal Court of Canada will be able to order organizations to correct their practices in order to comply with the Breach Notification Requirements;
(3) the Commissioner is mandated, under PIPEDA, to encourage organizations to develop detailed policies and practices, including organizational codes of practice, to comply with the Breach Notification Requirements;
(4) whistleblowing protections come into force in respect of the Breach Notification Requirements; and
(5) failing to report to the Commissioner certain types of security breaches, or to maintain appropriate records of certain types of security breaches, will become punishable offences under PIPEDA.

The Breach Notification Requirements may not be the only security breach requirements that an organization has to take into consideration.

Organizations should be considering whether the Breach Notification Requirements, or other requirements, are applicable in the provinces of Alberta, British Columbia and Quebec. Each of these provinces has its own privacy legislation that has been deemed substantially similar to PIPEDA and that, in many cases, applies instead of PIPEDA.

Furthermore, organizations should be considering how industry-specific and foreign security breach notification rules may apply to them (e.g. the European Union (EU)’s General Data Protection Regulation (GDPR)).

Contributors: Randeep Nijjar and J. Andrew Sprague

Author

Theo heads Baker McKenzie's Canadian Information Technology/Communications practice and is a member of the Firm's Global IP/Technology Practice Group, and Technology, Media & Telecoms and Financial Institutions Industry Groups.