[BreachExchange] Update on Canadian Data Breach Regulations

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 7 19:58:20 EST 2016


http://www.jdsupra.com/legalnews/update-on-canadian-data-breach-36125/

Innovations, Science and Economic Development Canada has issued a
consultation paper asking Canadians what should be included in new data
breach regulations that will be made under the Personal Information
Protection and Electronic Documents Act (PIPEDA). The consultation will
close on May 31, 2016. Following this consultation process, the Canadian
Government will publish draft regulations for public comment and further
consultation. It is unlikely, therefore, that we would see breach reporting
come into force in Canada before the last quarter of the year.

Why are regulations required?

Canada’s Parliament enacted the Digital Privacy Act in 2015. The Act
included amendments to PIPEDA that will introduce new provisions relating
to breaches of security safeguards. These provisions include mandatory
breach reporting to the Office of the Privacy Commissioner of Canada (OPC)
and to individuals and, in some cases, third parties. The provisions also
contain controversial record-keeping requirements. These new data breach
provisions will not come into force until the Government passes regulations
regarding the form and content of the required notices. The Government may
also supplement certain provisions in the legislation by way of regulation.

What are the key data breach obligations?

Once the amendments to PIPEDA come into force, organizations will have four
new obligations regarding data breaches:

- Organizations will need to keep records of breaches of security
safeguards.
- Organizations will be required to report a breach of security safeguards
to the OPC if it is reasonable to believe that the breach creates a real
risk of significant harm to an individual.
- Organizations will be required to notify affected individuals about a
breach that it is reasonable to believe creates a real risk of significant
harm to the individual.
- Organizations will be obligated to notify third parties if the third
party could mitigate the risk of harm to the affected individual.

A “breach of security safeguards” is defined as “the loss of, unauthorized
access to or unauthorized disclosure of personal information resulting from
a breach of an organization’s safeguards that are referred to in Clause 4.7
of Schedule 1 or from a failure to establish those safeguards.” Clause 4.7
of Schedule 1 of PIPEDA is the principle that requires an organization to
protect personal information by physical, organizational, and technological
measures that are proportional to the sensitivity of the personal
information.

What is the consultation about?

The consultation relates to five key issues.

- Record keeping: The Government wants to know what records organizations
should be required to keep and for how long.
- Risk assessment: The Digital Privacy Act provides that an organization
assessing whether there is a “real risk” of significant harm should
consider the sensitivity of the personal information involved in the
breach, the probability that it will be misused and other factors that
could be prescribed by regulation. The Government wants to know whether
further factors should be specified and whether the risk of harm should be
presumed to be low for data that was encrypted.
- Reports to the OPC: The Government has asked what should be included in
reports to the OPC about a breach of safeguards that poses a real risk of
significant harm to the individual. The Government has asked whether
reports should be made through an electronic secure tool developed by the
OPC.
- Notices to Individuals: The Government is considering a number of issues
relating to individual notices. What should the content of the notices be?
How much detail should be required? How should notices be delivered? Do the
notices need to be separate from other communications by the organization?
When should organizations be able to give notice indirectly, such as
through posts on the organization’s website?
- Notices to Third Parties: The Government is mindful that third parties
such as law enforcement and consumer (credit) reporting agencies have a
role to play in the protection of individuals from fraud and identity
theft. The Government is asking whether there are circumstances that should
be enumerated where reporting to third parties should be required.

What about the Province of Alberta’s regime?

The Government acknowledged that the Alberta regime for mandatory breach
reporting has been in place for several years and that lessons could be
learned from that province’s approach. However, the Government does not
seem to be focused on ensuring that there is a harmonized system. It is
possible, therefore, that we could see different types of reports and
notices being required under PIPEDA than under Alberta’s law.