[BreachExchange] Upcoming Canadian Breach Notification Requirements Still in Flux

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 1 20:20:08 EDT 2018


Canada’s national breach notification requirements are coming online
November 1st, meaning companies experiencing a data breach will soon have
new reporting obligations.  These requirements were created in 2015 by the
Digital Privacy Act, which amended the Personal Information Protection and
Electronic Documents Act (PIPEDA), Canada’s main privacy statute.  In April
2018, in preparation for the national implementation of the new law, the
Office of the Privacy Commissioner of Canada (OPC), with authority to issue
promulgating regulations under PIPEDA, issued Regulations that establish
detailed requirements regarding the content and methodology of breach
notifications to the OPC and affected individuals.  After issuing those
Regulations, the OPC continued to receive requests for further clarity and
guidance regarding the breach notification requirements under PIPEDA and
the OPC Breach Regulations.  In response to those further requests for
guidance, the OPC announced that it would issue further guidance (“What You
Need To Know About Mandatory Reporting Of Breaches Of Security Safeguards”)
on breach notification and reporting.  On September 17th, the OPC invited
public feedback on the draft guidance.  The OPC will accept feedback until
October 2, 2018.  Comments can be sent to OPC-CPVPconsult2 at priv.gc.ca and
must be either in the body of the email or attached as a Word or PDF
document.  The OPC will publish the final guidance soon after the October
2nd deadline to ensure guidance is in place when the amendment becomes
effective in November.

Under the current draft guidance, the OPC confirms that as amended PIPEDA
requires companies to notify individuals and the OPC if the breach creates
a “real risk of significant harm”.  Whether a real risk of significant harm
exists is determined by the sensitivity of the information involved and the
probability of its misuse.  To assist practitioners in making those
assessments, the OPC offers further guidance regarding how to determine if
information is sensitive (i.e., do the circumstances of the breach make the
information more or less sensitive) and how to assess the probability of
misuse (i.e., was the information exposed to individuals who have a low
likelihood of sharing the information in a way that could cause harm, such
as in the case of an accidental disclosure to unintended recipients).  In
cases where there is no real risk of significant harm, notification is not
required irrespective of how many people’s information is involved in the

Under PIPEDA, as amended, if notification to individuals is required, it
must be done “as soon as feasible” after the company determines a breach
has occurred, and must be conspicuous and contain sufficient information to
allow the individual to understand the significance of the breach and take
steps to mitigate the harm.  The OPC’s draft guidance explains that such
written notification should avoid legalese and be easy to read.  Under the
OPC’s regulations, the notification must also include an explanation of
what happened and when it happened, what personal information was involved,
what the organization has done in response to the breach, and provide
contact information where people can get more information.

In addition to notifying the impacted individuals, under PIPEDA (as
amended), organizations will also have to notify the OPC and any other
organization (governmental and private) that could help minimize the risk
of harm.  In its draft guidance, the OPC explains that these other
organizations could include law enforcement, banks, and credit card
processors.  Like notification to impacted individuals, notification to the
OPC must occur as soon as feasible after the breach.  The OPC’s draft
guidance explains that such notice should occur “as soon as feasible” even
if not all the information (e.g., the cause or planned mitigation measures)
is known or confirmed.  The OPC guidance further clarifies that
organizations may add or correct information as it becomes available.
Under PIPEDA, the obligation to notify the OPC extends to a breach
involving any personal information that an organization has “under its
control,” which means that in cases where a company’s information is
breached while in the hands of a vendor, both the vendor and the company
would need to notify the OPC.  To make notification to the OPC easier and
uniform, the OPC guidance attaches a breach reporting form to be used when
reporting breaches to the OPC.

Finally, under PIPEDA, regardless of whether an incident is reportable, an
organization must document the breach and analysis and keep the record for
two years.  The record must include a description of the incident,
including when it happened and what information was involved.  It must also
document whether notification was made, and if not, why it was determined
that there was not a real risk of serious harm.

Putting it Into Practice: While the PIPEDA amendments have been pending for
three years, and the OPC has offered further promulgating regulations, the
OPC’s September 17th announcement indicates there is still uncertainty
around what exactly will be required of companies that experience a
breach.  Companies that hold or control information on Canadian residents
have one more opportunity to impact the final requirements or pose
questions for clarity in the OPC’s guidance, and should submit their views
before the October 2nd deadline.