The Digital Privacy Act came into force in 2015 and made key changes to the Personal Information Protection and Electronic Documents Act (PIPEDA). Since then, private sector organizations subject to PIPEDA have known that mandatory privacy breach reporting would be introduced across Canada at the federal level; what they didn’t know was what they would be expected to disclose in the event of a breach.
That question was answered when the government released new provisions that will come into force on November 1, 2018, a timeline that will require organizations to prepare quickly and proactively in order to comply.
Here is a quick primer of what these changes mean for your business.
Which breaches must be disclosed?
The new rules will require organizations to notify both affected individuals and the privacy commissioner of data breaches when those breaches pose a “real risk of significant harm”. Significant harm includes bodily harm, humiliation, financial loss, identity theft, damage to reputation or relationships, loss of employment or professional opportunities, negative effects on the individual’s credit record, and damage to or loss of property. Early indications are that the privacy commissioner is taking an aggressive stance on what types of data loss meet this standard.
When must breaches be disclosed?
Once an organization determines that a breach has occurred, it must notify affected individuals “as soon as feasible”.
What should be included in the notifications?
According to the new rules, affected individuals must receive notifications that contain:
- a description of the circumstances of the breach;
- the day on which, or the period during which, the breach occurred;
- a description of the personal information that was breached;
- a description of the steps the organization has taken to reduce or mitigate the risk of harm to the affected individual resulting from the breach;
- a description of the steps the affected individual can take to reduce or mitigate the risk of harm resulting from the breach;
- a toll-free number or email address the affected individual can use to learn more about the breach; and
- information about the organization’s internal complaint process and about the affected individual’s right to file a complaint with the privacy commissioner.
In addition to notifying affected consumers, organizations must provide the privacy commissioner with a written report of the breach that describes:
- the breach and its cause (if known);
- an estimate of the number of people at risk of significant harm;
- a description of the personal information that was compromised;
- details of how the organization is working to resolve the breach and reduce the risk of harm;
- a description of how the organization plans to reach each of the affected individuals; and
- a contact person who can answer further questions about the breach.
How must individuals be notified?
Affected individuals are expected to receive notification directly by email, mail, phone or in person. That said, there are three cases where indirect notification is permitted:
- if issuing a direct notification is “cost prohibitive”;
- if direct notification would cause the affected individual further harm; or
- if the organization doesn’t have direct contact information for the affected individual.
Where direct notification is impossible, companies must still take steps to provide indirect notification—either by posting a “conspicuous message” on their website for 90 days or by placing an ad likely to reach the affected individuals.
What exposures do organizations face?
After a breach is reported, the privacy commissioner may choose to launch an investigation. Consumers may also have the right to launch a civil lawsuit, which is why organizations are expected to keep records of the breach for a two-year period. Finally, organizations that fail to notify consumers following a breach could face financial penalties and legal action.
How can you prepare for these new rules?
As data security incidents continue to mount, organizations increasingly understand that the likelihood of privacy breaches will only rise. Although no organization is immune, robust incident response planning and processes can help you validate, assess, contain and remedy data breaches with minimal disruption, publicity and cost.