[BreachExchange] Canada: Are You Ready for Mandatory Breach Reporting and Notification?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 23 19:42:14 EDT 2018


https://www.jdsupra.com/legalnews/are-you-ready-for-mandatory-breach-85878/

Almost three years after the Digital Privacy Act was passed, the federal
government has finalized regulations on mandatory breach notification,
reporting, and recordkeeping for the private sector in Canada. The
regulations were published yesterday and by separate Order in Council will
come into force November 1, 2018, under the Personal Information Protection
and Electronic Documents Act (PIPEDA).

PIPEDA applies to the collection, use, or disclosure of personal
information in the course of a commercial activity, including across
borders. It applies to the federally regulated private sector and, in most
provinces, to the provincially regulated private sector as well.[1] A breach
under PIPEDA requires three elements: (1) the collection of personal
information; (2) a violation or breach of the obligation to maintain
adequate security for that personal information (security safeguards); and
(3) a resulting loss of, unauthorized access to, or unauthorized disclosure
of that personal information.

Mandatory reporting will be required where the breach creates a "real risk
of significant harm". PIPEDA defines "significant harm" as including
humiliation, damage to reputation or relationships, and identity theft.

If there is a breach with a real risk of significant harm, the following
three obligations on the part of the breached organization will come into
play: (1) notification of the impacted individuals; (2) a written report to
the Office of the Privacy Commissioner (OPC); and (3) retention of a breach
record. Organizations may also be required to notify other organizations or
government institutions if doing so may reduce the risk of harm to the
affected individuals.

1. Notification of the Impacted Individuals

Direct notification must be provided to the impacted individuals "as soon
as feasible". The notification must include certain prescribed elements,
including: a description of the breach and the information compromised, the
steps the organization has taken to reduce harm, a description of steps the
impacted individuals can take to reduce harm, and contact information for
further information. The notification can be provided in any "reasonable"
manner, including in person, by email, or by telephone.

There is also an option to provide indirect notification if direct
notification would cause further harm to the individual, cause undue
hardship to the organization, or is not possible.

A deliberate failure to notify the affected individuals can be considered
an offence under the new regulations, leading to a fine of up to $100,000.

2. Written Report to the OPC

A report of the breach must be made in writing to the OPC "as soon as
feasible". The report must contain prescribed elements such as: a
description of the breach, the date on which it occurred, the number of
individuals affected, the type of personal information compromised, and a
description of the steps taken to reduce the risk of harm.

A deliberate failure to report to the OPC can be considered an offence
under the new regulations, leading to a fine of up to $100,000.

3. Recordkeeping

The organization must maintain a record of every breach of security
safeguards (not only those that meet the "real risk of significant harm"
threshold) for at least 24 months after the date on which the organization
learned of the breach. The OPC can request that record.

A deliberate failure to record the breach can be considered an offence
under the new regulations, leading to a fine of up to $100,000.

Having an incident response plan is an integral part of ensuring compliance
with your organization's obligations under PIPEDA and other law.

________________________________

[1] Certain provinces, such as Alberta, British Columbia and Quebec, have
provincial private-sector privacy legislation that has been declared
substantially similar to PIPEDA. Of those, Alberta's Personal Information
Protection Act has required mandatory private-sector breach reporting since
2010.