[BreachExchange] O’ Really, Canada? Data Breach Log Rules Underway

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 19 22:03:11 EDT 2016


http://www.jdsupra.com/legalnews/o-really-canada-data-breach-log-rules-73678/

In June 2015, Canada made significant amendments to its data privacy law,
the Personal Information Protection and Electronic Documents Act (PIPEDA).
These amendments to PIPEDA will require businesses to inform the Canadian
Privacy Commissioner of certain data breaches, provide notice to affected
individuals and maintain a log of any breaches of their cybersecurity
safeguards.  Regulations implementing the amendments are being developed
and we expect, with a new government in place, to see something soon.

We have written in detail about a key provision of this new law in our
article “Data Breach Logs: The New ‘Hot’ Document.” For U.S. businesses
with Canadian contacts, one of the more troubling amendments to PIPEDA
requires companies to maintain “a record of every breach of security
safeguards involving personal information under its control.”  While
companies will be required to publicly report breaches that the company
“reasonably believes” pose a “real risk of significant harm to the
individual,” they will nonetheless need to record breaches that fall below
that threshold. They will now need to create a breach log that could
include information about a wide array of cybersecurity incidents and data
breaches.  And which companies this applies to remains unclear.  Will it be just
Canadian-based and multi-national companies with operations in Canada?
Will it also apply to companies with Canadian customers or those that
maintain Canadian consumer personal information?  These are critical
questions that remain unanswered.

For companies subject to this requirement, this raises huge risks.
Maintaining a comprehensive breach log that will be readily available to
regulators and class action plaintiffs seeking to sue a company over a data
breach is akin to handing over one’s wallet.  A summary of the company’s
breach history is a litigation tool with lots of potential for mischief.
Class action plaintiffs will be able to use the breach log to call into
question the company’s cybersecurity measures and, if there is more than
one breach on the report, to argue that the company has not learned from
its earlier mistakes and therefore must be punished more severely.
Regulators can also draw conclusions from these reports that may or may not
be warranted.  In all cases, these reports risk simplifying a more complex
and nuanced reality regarding a company’s vulnerabilities and defenses.
Nor will companies be able to distance themselves from these reports –
which are unlikely to be privileged or protectable under current law – as
the companies themselves will have prepared them.

From a purely logistical point of view, given the sheer number of
cybersecurity events that companies suffer, these reports may also be
time-consuming to prepare. There will surely be uncertainty as to whether a
particular event needs to be logged and in what level of detail.

The law as drafted, requiring a log entry for “every breach of security
safeguards involving personal information under [the company’s] control,”
is potentially very broad in its application.  It is possible, however,
that the forthcoming regulations may narrow the law’s application in the
following ways:

- from all breaches to breaches that led to exfiltration of data or
exfiltration of unencrypted data;
- from all of a company’s breaches worldwide to only those that occur on
servers or other hardware located in Canada; or
- from breaches of any personal information to breaches that directly
impact Canadian residents’ personal information.

The Canadian government is currently soliciting comments on various
provisions of PIPEDA, including these record-keeping provisions.  We are
interested in hearing from our readers so that their comments and concerns
may influence the drafting of the upcoming regulations.  The Canadian
government will be accepting comments until May 31.