[BreachExchange] Draft mandatory data breach reporting regulations released for comment

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 14 19:34:19 EDT 2017


http://www.nortonrosefulbright.com/knowledge/publications/156143/draft-mandatory-data-breach-reporting-regulations-released-for-comment

The Regulations set out the proposed requirements for the reporting of
breaches of security safeguards (each, a Breach). Under the PIPEDA
Amendments, a report to the Privacy Commissioner of Canada (Commissioner)
is required if it is reasonable in the circumstances to believe that the
Breach poses a “real risk of significant harm” to any individual. The
Regulations include specifics of (i) the contents of a Breach report
addressed to the Commissioner; (ii) the contents of a notice to an
individual affected by a Breach; (iii) how notices must be provided; and
(iv) record-keeping requirements.

Alberta is currently the only Canadian jurisdiction in which data breach
reporting is mandatory. The “real risk of significant harm” threshold in
the PIPEDA Amendments and the reporting requirements under the Regulations
are substantially similar to the requirements under Alberta’s private
sector privacy legislation, the Personal Information Protection Act
(Alberta PIPA). The practice and experience in Alberta may therefore be
considered when interpreting the new federal requirements.

Notices to the Commissioner

A report of a Breach made to the Commissioner must be in writing and must
contain the specific content set out in the Regulations. There are no
surprises in connection with the required content for a report to the
Commissioner, which mirrors the current form provided by the Commissioner
for voluntary reporting and is similar to the requirements of the Alberta
PIPA.

The Office of the Information and Privacy Commissioner of Alberta (Alberta
OIPC) currently publishes breach notification decisions where a real risk
of significant harm was identified and notification to affected individuals
was required. These decisions include the name of the organization that
suffered the breach and include the Alberta OIPC’s analysis of harm to
individuals. It remains to be seen whether the Commissioner will adopt this
practice. If it does, organizations should be prepared for a Breach to be
made public when it is reported to the Commissioner.

Notices to affected individuals

Under the PIPEDA Amendments, organizations must notify an individual
affected by a Breach when it is reasonable to believe that the Breach
creates a real risk of significant harm to the individual.

Most of the content of these required notices mirrors the requirements
under the Alberta PIPA for mandatory breach reporting and the Commissioner
for voluntary notification to individuals with some additions. In
particular, there is a proposed requirement to include a description of the
steps that the individual could take to reduce the risk of harm.

The Regulations set out the manner of providing direct notification to
individuals. Notification by “email or another secure form of
communication” appears to be permitted only if the affected individual has
consented to receiving information from the organization in that manner. As
drafted, it is not entirely clear if consent would be needed for email
notice or just for notice sent by “any other secure form of communication.”
Paper (delivered or sent by “snail mail”), telephone and in-person notices
may be used without consent. In our view, the consent requirement should be
eliminated in favour of allowing notification by electronic means where
such means have been used previously by the organization to communicate
with the individuals. Furthermore, a preference for personal over
electronic communication is outdated.

The Regulations also set out the circumstances when notification to
affected individuals may be given indirectly, which include when the cost
of giving direct notification is prohibitive to the organization. This may
be welcomed by businesses in some circumstances, especially by smaller and
mid-sized businesses involved in Breaches that affect many individuals.
However, in order to provide indirect notice, an organization would have to
publish information about the Breach conspicuously on its website or
publish an advertisement that is likely to reach the affected individuals.

Record-keeping requirements

The Regulations require organizations to maintain a record of every Breach
for 24 months after the date of determination that it has occurred. This
record-keeping requirement has been criticized as being overly broad in
that it requires record-keeping in respect of all Breaches, including those
that do not involve a “real risk of significant harm” to individuals and
would not be required to be reported to the Commissioner.

These records must include information that enables the Commissioner to
verify compliance with the reporting and notification requirements under
PIPEDA. Where a report to the Commissioner has been made, such report may
be used as a record to satisfy the record-keeping requirement.

Next steps

Members of the public may make representations regarding the Regulations
until October 2, 2017.

It is expected that once the final version of the Regulations is published,
there will be a transition period before the PIPEDA Amendments are
introduced and also prior to the Regulations being brought into force. The
government did not indicate the duration of the transition period, although
the regulatory impact statement notes that stakeholders proposed transition
periods ranging from six to eighteen months. As there was a previous
consultation on this topic in 2016, the PIPEDA Amendments and the
Regulations may be finalized relatively quickly. Organizations should
therefore be prepared to update their breach response plans to address the
requirements of the PIPEDA Amendments and the Regulations once they are
finalized.