In April 2018, the Canadian government published an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA). The amendment, titled Breach of Security Safeguards Regulations, is effective November 1, 2018.
Private companies in Canada that collect, use or disclose personal information will be governed by the new rules for data breach record-keeping and notifications.
Strengthening PIPEDA will better protect the personal data of Canadians but in the event that a breach happens anyway, mitigate the harm with these 7 (effective) Steps to Address a Data Breach.
Why Amend PIPEDA?
The European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018, is likely the biggest motivator for creating this amendment.
The changes to PIPEDA will bring Canadian data privacy standards back up to par with the GDPR. This is important for Canada-EU trade since the EU has long recognized PIPEDA as providing adequate privacy protection.
Mandatory Data Breach Notifications
Organizations that experience a data breach and have reason to believe there’s a real risk of significant harm (RROSH) must notify the Office of the Privacy Commissioner, the affected individuals and any associated organizations.
To determine real risk, the organization must consider the sensitivity of the breached data and the likelihood that it will be misused. Significant harm, however, is defined as “bodily harm; humiliation; damage to reputation or relationships; loss of employment; business or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property”.
Notifications are to be provided a certain way and as soon as feasible (the amendment does not set a specific time limit for notifications). Violating this provision may result in a fine of up to $100,00 per offense (i.e., each person not notified).
Notify the OPC
The notification to the OPC must be made in writing and include information about:
- The circumstances of the breach and cause (including when it occurred)
- The affected personal information
- The number of affected individuals
- The steps the organization has taken to reduce the risk of harm or mitigate such harm
- The steps the organization has taken (or intends to take) to notify affected individuals of the breach
- The contact information of a person who can answer questions about the breach
Notifying the Individual
Affected individuals may be notified in person, by mail, by telephone or email. The notification must provide information about:
- The circumstances of the breach (including when it occurred)
- The affected personal information
- The steps the organization has taken to reduce the risks of harm
- The steps affected individuals can take to mitigate such harm
- The contact information to obtain further information about the breach
Notifying Other Organizations
The victim of a data breach must notify other public or private organizations if they believe the organization has the ability to reduce the risk of harm or mitigate the harm.
For example, if you believe your company has just suffered a data breach of your customers’ payment information, you must notify the organization that processes your payments if you believe they could reduce the level of harm caused by the breach.
Mandatory Data Breach Records
Private organizations will now also have to maintain a record of all security incidents involving personal data for 24 months after the date the breach is confirmed. Private companies that deal with cloud or service providers outside of Canada must contractually obligate the provider to maintain breach records.
Put your mandatory data breach records to good use by plugging them into a Risk Matrix Template and identifying your company’s biggest risk areas.
The OPC reserves the right to request these records and may publish them if it’s in the public’s best interest. The OPC may also launch an investigation based on the information in the records.
Unlike notifications, there is no minimum damage required for record-keeping. All breaches must be recorded. Not keeping proper records may also result in a penalty of up to $100,000.
Data breach records must include information regarding:
- The (estimated) date of the breach
- The circumstances around the breach
- The type of information involved
- Whether the OPC or affected individuals were notified or not
How to Be Data Breach Ready
- Assign responsibility for responding to incidents
- Identify stakeholders on the response team
- Clarify internal reporting and escalation structure
- Assess your insurance coverage
- Conduct data breach training
- Create a detailed plan with the key steps of your incident response