[BreachExchange] Ottawa’s draft PIPEDA amendments highlight the importance of security safeguards

[Inga Goddijn]

http://www.canadianlawyermag.com/author/lisa-r-lifshitz/ottawas-draft-pipeda-amendments-highlight-the-importance-of-security-safeguards-13673/

It’s been a long wait. More than two years have passed since Ottawa amended
Canada’s federal private sector privacy law, the Personal Information
Protection and Electronic Documents Act, by enacting Bill S-4, the Digital
Privacy Act, to establish mandatory data breach reporting requirements.
Yet, ss. 10.1 through 10.3, the provisions outlining the obligations for
breach reporting and notification, still are not in force pending the
creation of necessary regulations. On Sept. 2, the Department of Industry
finally revealed the proposed Breach of Security Safeguards Regulations,
along with a Regulatory Impact Analysis Statement, which can be found in
the Canada Gazette
<http://www.gazette.gc.ca/rp-pr/p1/2017/2017-09-02/html/reg1-eng.php>. The
proposed regulations will come into force at the same time as s. 10 of the
Digital Privacy Act and are open for comments from interested parties for a
period of 30 days.

By way of a refresher, following the implementation of the new data breach
sections of PIPEDA, organizations that experience a data breach (referred
to in PIPEDA as a “breach of security safeguards”) must determine whether
the breach poses a “real risk of significant harm” (which may include
bodily harm, humiliation, damage to reputation or relationships, loss of
employment, business or professional opportunities, financial loss,
identity theft, negative effects on the credit record and damage to or loss
of property) to any individual whose information was involved in the breach
by conducting a risk assessment. When conducting this risk assessment,
organizations must consider the sensitivity of the information involved and
the likelihood of whether it will be misused. If the answer is yes, the
organization is required to notify affected individuals and the privacy
commissioner of Canada as soon as “feasible.” Additionally, since the
primary objective of the new data breach reporting and notification
framework in PIPEDA is to prevent or mitigate the potential harm to
individuals resulting from a breach, the updated act requires organizations
that notify individuals of breaches to notify other third-party
organizations, government institutions (or part of a government
institution) of a potentially harmful data breach if the organization
making the notification concludes that such notification may reduce the
risk of harm that could result from the breach or mitigate the potential
harm.

Data breach report to the commissioner

The proposed regulations provide a list of requirements that must be
covered in any notice to the commissioner. The RIAS further notes that this
list is not intended to be exhaustive and there is nothing in the
regulations that precludes an organization from providing *additional*
information
to the commissioner should the organization believe that the information is
pertinent to the commissioner’s understanding of the incident.

At a minimum, the data breach report to the commissioner must be in writing
and must contain the following information:

(a) a description of the circumstances of the breach and, if known, the
cause;

(b) the day on which, or the period during which, the breach occurred;

(c) a description of the personal information that is the subject of the
breach;

(d) an estimate of the number of individuals in respect of whom the breach
creates a real risk of significant harm;

(e) a description of the steps that the organization has taken to reduce
the risk of harm to each affected individual resulting from the breach or
to mitigate that harm;

(f) a description of the steps that the organization has taken or intends
to take to notify each affected individual of the breach in accordance with
s. 10.1(3) of the act; and

(g) the name and contact information of a person who can answer, on behalf
of the organization, the commissioner’s questions about the breach.

Notifying the affected individual

Similarly, while the proposed regulations also list the requirements that
must be contained in any notification to affected individuals, the RIAS
states that companies can provide additional information and/or design the
notice to suit the intended audience. Minimally, the following information
is required in any notice to an affected individual:

(a) a description of the circumstances of the breach;

(b) the day on which, or period during which, the breach occurred;

(c) a description of the personal information that is the subject of the
breach;

(d) a description of the steps that the organization has taken to reduce
the risk of harm to the affected individual resulting from the breach or to
mitigate that harm;

(e) a description of the steps that the affected individual could take to
reduce the risk of harm resulting from the breach or to mitigate that harm;

(f) a toll-free number or email address that the affected individual can
use to obtain further information about the breach; and

(g) information about the organization’s internal complaint process and
about the affected individual’s right, under the act, to file a complaint
with the commissioner.

Direct notification/indirect notification

The regulations confirm that organizations can communicate with affected
individuals through a variety of channels, including: (a) by email or any
other secure form of communication if the affected individual has consented
to receiving information from the organization in that manner; (b) by
letter delivered to the last known home address of the affected individual;
(c) by telephone; or (d) in person.

However, the regulations also recognize that there might be circumstances
when “indirect” notification of affected individuals is acceptable.
Examples include: when (a) the giving of direct notification would cause
further harm to the affected individual; (b) the cost of giving of direct
notification is prohibitive for the organization; or even when (c) the
organization does not have contact information for the affected individual
or the information that it has is out of date. In these circumstances, the
proposed regulations suggest that a public announcement, i.e., a
“conspicuous message” posted on the organization’s website for at least 90
days, or the use of an advertisement that is “likely to reach the affected
individuals” would be acceptable. However, one may question whether this
carve-out, which clearly puts the onus on the aggrieved party to take
active steps to find out about the breach, is actually reasonable in most
circumstances as it may prove rather tempting to organizations that would
rather avoid the considerable cost of individual notification and instead
rely on digital publication.

Data breach record-keeping

Significantly, companies that experience data breaches will no longer have
the ability to hide them. Under the draft regulations, organizations must
maintain a record (the word is undefined and may arguably be broadly
interpreted) of *every breach of security safeguards* for a minimum of *24
months* after the day on which the organization determines that the breach
has occurred.  Ouch. Even worse, the “record” has to be sufficiently
detailed and must contain any information pertaining to the breach that
enables the commissioner to verify compliance with s. 10.1(1) and (3) of
the act. The regulations do confirm that the data breach report provided to
the commissioner as described above can also be considered a “record” of
the breach of security safeguards.

Next steps

What does this all mean for Canadian businesses?  For one thing,
organizations may wish to dust off and revisit their existing corporate
data breach/breach of security safeguards policies to ensure that they at
least minimally dovetail with the proposed regulations. If an organization
does not yet have a data breach/breach of security safeguards policy, then
it’s high time to consider putting one in place.

As the recent Equifax data breach earlier this month reminded us, no
company is immune to the threat of hackers and the loss of personal
information and organizations that are subject to PIPEDA will be obliged to
report such incidents. Once the mandatory provisions of PIPEDA dealing with
breach reporting, notification and recordkeeping come into force, any
organization that knowingly fails to report to the OPC or notify affected
individuals of a breach that poses a real risk of significant harm, or
knowingly fails to maintain a record of all such breaches, could face fines
of up to $100,000 per violation. Therefore, there is no time like the
present for smart companies to review their current practices and establish
those critical safeguards/methodologies to avoid these penalties.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170918/0ce2ebcd/attachment.html>