[BreachExchange] Canada Moves to Mandatory Breach Notification Guidelines

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 22 18:53:05 EDT 2018


https://www.lexology.com/library/detail.aspx?g=7c72920f-fe15-4f24-8b97-6cc806b00c7c

Canadian privacy laws are about to change to require mandatory breach
notification. Draft regulations have been introduced to guide businesses on
when and how to notify consumers and the privacy commissioner if there has
been a security breach. The government has tried to strike a balance so
that consumers receive meaningful notification of breaches that rise to the
level of a “real risk of significant harm”. If the right balance is struck,
consumers will pay attention and take steps to protect themselves, and
mitigate further harm. If the wrong balance is struck, there will be an
influx of notices, and there is a real risk of notification fatigue.

Mandatory data breach reporting has been expected since 2015, with
amendments to the Personal Information Protection and Electronic Documents
Act (“PIPEDA”), Canada’s private sector privacy law; however, breach
notification is on hold until regulations come into force. Draft
regulations were released in September 2017 and they are expected to come
into force in 2018.

There is currently voluntary breach reporting throughout most of Canada,
with Alberta being the only province with private sector mandatory breach
notification.

Once the new law is in force, when an organization suffers a breach of
security safeguards that gives rise to a “real risk of significant harm”,
the organization must (i) report the incident to the Office of the Privacy
Commissioner of Canada; (ii) notify affected individuals; and (iii) notify
any other third party that is in a position to mitigate the risk of harm to
affected individuals. These notifications must be made as soon as feasible
after the organization determines that the breach has occurred.

When assessing risk, the regulations require businesses to consider, among
other things, the sensitivity of the information and the probability of the
information being misused. Under the legislation, “significant harm” goes
far beyond “identity theft” and is defined to include humiliation, damage
to reputation or relationships, loss of employment or other opportunities,
financial loss, identity theft, negative effects on the credit record and
damage to or loss of property. A “real risk” may even extend to a breach of
encrypted information, a position the government justified on the basis
that there remains a possibility that information could be decrypted.

Businesses will also be required to maintain records of all data breach
incidents for a minimum of 24 months (irrespective of whether the business
concludes the breach gives rise to a real risk of significant harm to
affected individuals) after the day on which the organization determines
that the breach has occurred. The Commissioner may request and review the
history of breaches experienced by a particular business within the prior
24-month window. Records must contain sufficient information to permit the
Commissioner to verify compliance with the breach reporting regime.

The implementation of mandatory breach notification is intended to
harmonize Canadian law with other jurisdictions, including the European
Union’s General Data Protection Regulation (GDPR), which comes into force
in 2018, and includes mandatory data breach reporting. Many businesses
already have systems and policies in place to monitor, track and report
breaches, for example, to comply with the laws in Alberta and/or those of
another country. If not, now is the time to start to do so. The regulations
provide for a delayed coming into force date after publication of the final
regulations, to ensure businesses have ample time to adjust their policies
and procedures to comply with the new law.