Private sector organizations following federal privacy law will have to provide breach notifications to customers and the privacy commissioner where it is reasonable to believe that the breach creates a “real risk of significant harm,” under long-awaited proposed regulations to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
The draft regulations, if and when they come in force, are expected to provide Canadians with better protection while providing organizations with yet another compelling incentive to adopt better security practices to thwart a phenomenon that is occurring with alarming frequency, according to privacy experts.
Early this month, a security breach at credit-monitoring company Equifax Inc., one of three major credit bureaus in the United States, could affect up to 143 million Americans and an undisclosed number of Canadians. More recently still, the personal information of some one million users from the news and entertainment website Canoe.ca were exposed after some of its databases were hacked.
“When a data breach takes place it places the individuals whose personal information has been breached at considerable harm at times, depending on the scope of the breach and the sensitivity of the information,” noted Ann Cavoukian, one of the world’s leading privacy experts who served three terms as the Information and Privacy Commissioner of Ontario. “So individuals have a right to know that their information has been breached and what measures they can take to hopefully minimize the harm and take collective action. This is why the proposed regulations are so important.”
The projected changes flesh out the Digital Privacy Act (also known as Bill S-4) which amended PIPEDA, Canada’s privacy law, on June 2015. While the Bill S-4 introduced an explicit obligation to notify individuals and report to the Office of the Privacy Commissioner of Canada (OPC) in cases of breaches, the amendments have not come into force. Published on September 2nd the draft regulations are open for comments for a period of 30 days.
The draft regulations, while widely lauded by privacy experts, also raises questions. Under the proposed regulations, organizations who have been the target of a “breach of security safeguards” have to conduct a risk assessment to determine if the breach poses “a real risk of significant harm” to any individual whose information was involved in the breach. The assessment must consider the sensitivity of the information that was breached, and the probability that the information will be misused.
“That concerns me a little,” said Cavoukian, who is leading the Privacy by Design Centre of Excellence at Ryerson University. “It has to be a real risk, whatever that means, and must cause significant harm, whatever that means. If I was the Commissioner I would urge organizations to err on the side of caution because you don’t know what risks may arise in the future. Guidance will need to be provided so that people just don’t sweep it under the cover.”
When an organization determines that a breach poses real risk of significant harm, they must notify affected individuals either directly or indirectly as well as report to the federal privacy commissioner. The contents of what is expected to be contained in the notifications are “rather standard,” said Eloïse Gratton, the national co-leader of the privacy and data protection practice group with Borden Ladner Gervais LLP.
Besides providing a description of the circumstances of the breach, the day or period in which it occurred, the organization is expected to provide a description of the steps it is has taken to reduce the risk of harm to the affected individual and steps that the affected individual can take to reduce the risk of harm resulting from the breach or to mitigate the harm.
“It would appear to be good business practice for organizations affected by a breach to follow this section of the proposed regulations if they choose to notify affected individuals until the new sections come into force,” said Gratton. These requirements, added Gratton, echo those recommended by the OPC in a document entitled “Key Steps for Organizations in Responding to Privacy Breaches.”
Though it is widely expected that the majority of organizations will provide direct notification such as by emails, the proposed regulations does allow organizations — under certain circumstances — to inform clients indirectly such as by posting information on their website. Under section 5 of the proposed regulations, organizations can provide indirect notification if giving direct notification will cause further harm to the affected individual, if the organization does not have the contact information of the affected individual or if the cost of giving direct notification is “prohibitive” for the organization. “Basically you are going to do an email blast to all of your customers or whoever is implicated and say that we would like to notify you of this breach that happened on this day so how is the cost of that prohibitive,” rhetorically asked Cavoukian.
But according to privacy expert Daniel Michaluk, the regulations “make it clear” that direct notification will be the “default way” that organizations will be expected to inform affected individuals of a data breach. “When a corporation wants to provide indirect notification in lieu of direct notification, they will need to meet this prohibitive cost standard,” said Michaluk, a Toronto lawyer whose practice with Hicks Morley Hamilton Stewart Storie LLP focuses on information security and data management, anti-spam, privacy and freedom of information matters.
The draft regulations also introduces requirements over the content, form and manner to report a breach to the OPC. Organizations will have to keep a record of the breach for 24 months after the incident occurred. It also compels organizations to provide, in writing, a description of the circumstances of the breach and, if known, the cause as well as the day or period in which the breach occurred, a description of the personal information that was the subject of the breach and an estimate of the number of individuals that now face a real risk of significant harm following the breach.
Some have speculated whether the record of the breach in the hands of the OPC could be used against organizations before the courts, but Michaluk dismisses that contention. He points out that the reporting and record-keeping obligations under the draft regulations are geared towards the collection and conveyance of facts and not an analysis of those facts or legal or risk-related conclusions about those facts. “That type of information which is far more sensitive can be kept out of these records that are very open to disclosure in any kind of fora,” said Michaluk. “That’s a good thing. That’s done in a manner that respects the kind of difficult issues companies face that have to respond to incidents.”
This article originally appeared in The Lawyer’s Daily, published by LexisNexis Canada Inc.