Data Breach Reporting Now Required by Law in Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) was amended under the Digital Privacy Act on June 18, 2015 to include provisions requiring mandatory data breach reporting and notification. On April 18, 2018, the Canadian federal government released the Breach of Security Safeguards Regulations, which set out the rules and requirements that apply in the event of a breach of security safeguards affecting personal information. A "breach of security safeguards" is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards, or from a failure to establish those safeguards.
What the Law Requires
If it is reasonable to believe the breach of security safeguards creates a real risk of significant harm to the individual:
Organizations will be required to report to the Privacy Commissioner of Canada any breach of security safeguards involving personal information under their control, if it is reasonable to believe the breach creates a real risk of significant harm to an individual;
Organizations will be required to notify individuals of any breach of security safeguards involving personal information under their control, if it is reasonable to believe the breach creates a real risk of significant harm to an individual, unless such notification is prohibited by law; and
Organizations may have to notify other organizations if those organizations may be able to reduce the risk of harm.
These provisions, along with the accompanying Breach of Security Safeguards Regulations, which include fines of up to CAD$100,000 (per offense), will be in force as of 1 November 2018. This follows Alberta's Personal Information Protection Act (PIPA), which has had such a law since 2010.
Organizational Impact of PIPEDA
Risk assessment: determine whether the breach poses a "real risk of significant harm" to affected individuals, considering both the sensitivity of the compromised information and the probability that it will be misused.
Notice to affected individuals, and to other organizations if they can take steps to reduce harm to affected individuals.
Notice to the Privacy Commissioner "as soon as feasible".
Record keeping: maintain a record of every breach of security safeguards for 24 months after the day the organization determines that the breach has occurred. The records must contain details that would allow the Commissioner to verify the organization's compliance with the applicable requirements.
Notice to the Commissioner must be in writing and must include:
    a description of the circumstances of the breach and its cause;
    when the breach occurred;
    a description of the affected personal information;
    the number of affected individuals;
    a description of the steps the organization has taken to reduce the risk of harm to affected individuals or to mitigate such harm;
    a description of the steps the organization has taken or intends to take to notify affected individuals of the breach; and
    the name and contact information of a person who can answer the Commissioner's questions about the breach.
Notification to individuals may be made "in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances" and must include:
    a description of the circumstances of the breach;
    when the breach occurred;
    a description of the affected personal information;
    a description of the steps the organization has taken to reduce the risk of harm that could result;
    a description of the steps affected individuals could take to reduce the risk of harm or to mitigate such harm; and
    contact information that the affected individual can use to obtain further information about the breach.
Three years after PIPEDA's amendment, organizations are expected to have reviewed the readiness and response processes and procedures they use to monitor, record and report security or data breaches for compliance. Mature organizations with an Information Security Management System in place are already prepared for this. However, it poses a huge challenge for startups, fintechs, and any small or medium enterprises that process personally identifiable information (PII), given their limited security expertise and resources.
The Tugboat Logic Solution
Tugboat Logic, the Virtual CISO platform, can help prepare you for these regulatory changes. A simple wizard quickly defines which security policies you need in order to comply; Tugboat Logic then guides you to the controls your organization needs to have in place to satisfy those recommended policies, and tracks the implementation of the appropriate controls to help prove to regulators and clients that you are compliant.
Tugboat Logic Turnkey Policies Map to PIPEDA’s Notification Requirements:
Information classification policy: ensures appropriate technical and procedural controls are enforced so that information is secured.
Risk assessments policy: identifies and addresses security vulnerabilities.
Customer information policy: implements controls for customer information stored and processed, and defines the customer notification process in the event of security incidents.
Incident response policy: defines the appropriate organizational response in the event of a security breach.
Tugboat Logic provides organizations with an automated framework that demystifies the process of setting up a security program, builds their credibility with clients quickly and simply, lets them focus on selling more, and reduces their risk of regulatory fines.
You can find additional resources here:
OIPC breach report guidance
PIPEDA Breach Report Form
Alberta breach report form (.doc)
Canadian federally regulated businesses and industries