Upcoming Canadian Breach Notification Requirements Still in Flux
Canada’s national breach notification requirements are coming online November 1st, meaning companies experiencing a data breach will soon have new reporting obligations. These requirements were created in 2015 by the Digital Privacy Act, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s main privacy statute. In April 2018, in preparation for the national implementation of the new law, the Office of the Privacy Commissioner of Canada (OPC), with authority to issue promulgating regulations under PIPEDA, issued Regulations that establish detailed requirements regarding the content and methodology of breach notifications to the OPC and affected individuals. After issuing those Regulations, the OPC continued to receive requests for further clarity and guidance regarding the breach notification requirements under PIPEDA and the OPC Breach Regulations. In response to those further requests for guidance, the OPC announced that it would issue further guidance (“What You Need To Know About Mandatory Reporting Of Breaches Of Security Safeguards”) on breach notification and reporting. On September 17th, the OPC invited public feedback on the draft guidance. The OPC will accept feedback until October 2, 2018. Comments can be sent to OPC-CPVPconsult2@priv.gc.ca and must be either in the body of the email or attached as a Word or PDF document. The OPC will publish the final guidance soon after the October 2nd deadline to ensure guidance is in place when the amendment becomes effective in November.
Under the current draft guidance, the OPC confirms that as amended PIPEDA requires companies to notify individuals and the OPC if the breach creates a “real risk of significant harm”. Whether a real risk of significant harm exists is determined by the sensitivity of the information involved and the probability of its misuse. To assist practitioners in making those assessments, the OPC offers further guidance regarding how to determine if information is sensitive (i.e., do the circumstances of the breach make the information more or less sensitive) and how to assess the probability of misuse (i.e., was the information exposed to individuals who have a low likelihood of sharing the information in a way that could cause harm, such as in the case of an accidental disclosure to unintended recipients). In cases where there is no real risk of significant harm, notification is not required irrespective of how many people’s information is involved in the incident.
Under PIPEDA, as amended, if notification to individuals is required, it must be done “as soon as feasible” after the company determines a breach has occurred, and must be conspicuous and contain sufficient information to allow the individual to understand the significance of the breach and take steps to mitigate the harm. The OPC’s draft guidance explains that such written notification should avoid legalese and be easy to read. Under the OPC’s regulations, the notification must also include an explanation of what happened and when it happened, what personal information was involved, what the organization has done in response to the breach, and provide contact information where people can get more information.
In addition to notifying the impacted individuals, under PIPEDA (as amended), organizations will also have to notify the OPC and any other organization (governmental and private) that could help minimize the risk of harm. In its draft guidance, the OPC explains that these other organizations could include law enforcement, banks, and credit card processors. Like notification to impacted individuals, notification to the OPC must occur as soon as feasible after the breach. The OPC’s draft guidance explains that such notice should occur “as soon as feasible” even if not all the information (e.g., the cause or planned mitigation measures) is known or confirmed. The OPC guidance further clarifies that organizations may add or correct information as it becomes available. Under PIPEDA, the obligation to notify the OPC extends to a breach involving any personal information that an organization has “under its control,” which means that in cases where a company’s information is breached while in the hands of a vendor, both the vendor and the company would need to notify the OPC. To make notification to the OPC easier and uniform, the OPC guidance attaches a breach reporting form to be used when reporting breaches to the OPC.
Finally, under PIPEDA, regardless of whether an incident is reportable, an organization must document the breach and its analysis and keep the record for two years. The record must include a description of the incident, including when it happened and what information was involved. It must also document whether notification was made, and if not, why it was determined that there was not a real risk of significant harm.
Putting it Into Practice: While the PIPEDA amendments have been pending for three years, and the OPC has offered further promulgating regulations, the OPC’s September 17th announcement indicates there is still uncertainty around what exactly will be required of companies that experience a breach. Companies that hold or control information on Canadian residents have one more opportunity to impact the final requirements or pose questions for clarity in the OPC’s guidance, and should submit their views before the October 2nd deadline.