[BreachExchange] Mandatory Breach Notification Across Canada

[Audrey McNeil]

https://www.jdsupra.com/legalnews/mandatory-breach-
notification-across-51671/

By Order in Council 2018-0369 on March 26, 2018, mandatory breach
notification under the federal Personal Information Protection and
Electronic Documents Act (PIPEDA), comes in force November 1, 2018, for all
entities subject to its jurisdiction.

The PIPEDA rules follow Alberta’s leadership, which has had mandatory
breach notification for eight years. In Canada, provincial health privacy
laws in Ontario, New Brunswick and Newfoundland and Labrador also contain
reporting requirements. Most U.S. states have mandatory breach notification
requirements. It is recognized that notification of the affected
individuals is a key factor in mitigation of risk in instances of cyber
breach.

The national mandatory breach notification rules includes a mandatory
requirement for organizations to give notice to affected individuals and to
the Office of the Federal Privacy Commissioner about data breaches where it
is reasonable to believe that the breach creates a "real risk of
significant harm to the individual." Unlike Alberta’s law, PIPEDA provides
for some factors relevant to consider in determining whether there is a
"real risk of significant harm", and what constitutes "significant harm".
Under PIPEDA "significant harm" includes, among other things, humiliation,
damage to reputation or relationships and identity theft. A "real risk"
requires consideration of the sensitivity of the information, the
probability of misuse and other factors.

The notification under PIPEDA is to be given "as soon as possible" after
the breach has occurred. Under regulation, the specific content required of
both a breach notification to the Federal Privacy Commissioner and to
affected individuals has been specified.

Unlike the Alberta law, PIPEDA also requires where notification has been
provided to individuals that the organization may be required to notify
other organizations and the government where such notifications may reduce
risks or mitigate harm. PIPEDA will also require organizations to keep and
maintain records of every breach of safeguards involving personal
information under their control. The Federal Commission can require an
organization to provide a copy of such records to the Commissioner.

Organizations preparing for cyber breaches should contemplate that breach
notification can be risk mitigating and will as of November 1, 2018, be
mandatory for many organizations in Canada.

Notification responsibilities will arise under law and under many other
relationships, for example, with insurers and under financing covenants.
Evidence from a study of cyber breaches show that time and money can be
saved if an organization has assessed its notification responsibilities
before an incident has occurred. Now is the time to consider your
notification plan.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180405/bb1b38c9/attachment.html>