The Government of Canada announced on March 26, 2018 that the Canadian privacy breach notification rules would be changed. The amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) announced that day came into force on November 1, 2018. These changes to PIPEDA require domestic and foreign organizations to comply with the following:

  1. Notify individuals about privacy breaches
  2. Report privacy breaches to the Office of the Privacy Commissioner of Canada
  3. Keep certain records of privacy breaches

The provisions that came into force are a combination of statutory provisions in PIPEDA and a set of regulations which address matters such as the content of notices and breach record keeping. The new Canadian privacy breach notification rules have a far reach, as they touch all industries and carry both compliance and legal risk.

Breach of security safeguards

According to PIPEDA, a breach of security safeguards is defined as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.

The new Canadian privacy breach notification rules apply to large, medium, and small businesses. Every organization subject to PIPEDA must meet these requirements. This includes mandatory reporting and notification of breaches of security safeguards that pose a real risk of significant harm. All organizations are expected to keep records of all breaches of security safeguards, whether or not they meet that threshold.

Financial penalties for Cyber Security Breaches

PIPEDA makes it an offence to knowingly avoid the reporting, notification, and record-keeping requirements that apply to breaches of security safeguards. This can lead to fines, assessed on an individual basis. The Office of the Privacy Commissioner of Canada (OPC) does not prosecute offences under PIPEDA or issue fines. What it can do is refer information relating to the possible commission of an offence to the Attorney General of Canada, who would be responsible for any ultimate prosecution of the organization regarding the data breach.

Responsibility for reporting the Cyber Security Breach

The Personal Information Protection and Electronic Documents Act requires an organization to report a cyber security breach involving personal information under its control. The obligation to report the breach rests with the organization in control of the personal information implicated in the cyber security breach, not with a service provider that merely processes it on that organization's behalf.

Organizations are encouraged to use the PIPEDA breach report form when reporting a data breach. Organizations may report in a format they see fit, provided that the submission captures all the necessary information and that they follow the instructions on how to send in a report, which are included in the form. Reports can always be updated as you become aware of new information regarding the data breach.

Principal organizations need to ensure there are adequate contractual arrangements in place with any processor of their information to address compliance with the data breach obligations set out in PIPEDA. This includes the notification and record-keeping obligations under the Act. Control of the information is the deciding factor, and it can change depending on how the information is handled. Evolving business models and shifting roles may also affect the assessment of who is in control when a cyber security breach occurs.

What should be in a Cyber Security Breach record?

According to the Office of the Privacy Commissioner of Canada (OPC), cyber security breach records must contain all information that enables the OPC to verify compliance with the breach reporting and notification requirements, including the requirement to assess the real risk of significant harm. At a minimum, include the following in your record:

  1. The date (or estimated date) of the cyber security breach
  2. A description of the circumstances of the cyber security breach
  3. The nature of the personal information involved in the cyber security breach
  4. Whether the breach was reported to the Privacy Commissioner of Canada and whether the affected individuals were notified

The record must include enough detail about the cyber security breach for the Office of the Privacy Commissioner of Canada (OPC) to assess whether the organization correctly applied the real risk of significant harm standard. If the organization concluded there was no real risk of significant harm, the record must explain how it reached that conclusion and why, as a result, it did not report the breach to the Privacy Commissioner or notify the affected individuals.

What is the real risk of significant harm (RROSH)?

Many factors are relevant to determining whether a breach of security safeguards creates a real risk of significant harm.

These include the sensitivity of the personal information involved in the breach of security safeguards, and the probability that the personal information has been, is being, or will be misused.

Evaluating the real risk of significant harm may include the following:

  1. The nature and sensitivity of the personal information involved in the cyber security breach
  2. The probability that the personal information has been, is being, or will be misused

Notify individuals about the Cyber Security Breach

Notify individuals as soon as possible unless prohibited by law. If you determine that a breach has occurred and that it poses a real risk of significant harm to an individual, you must notify the affected individuals. Notification of a breach of personal information must be given directly to the individual; indirect notification may be used only where it is permitted.

The notification must be clear and provide enough information to allow the affected individuals to understand the significance of the cyber security breach and the steps they can take to reduce the risk of harm resulting from it.

The notifications to individuals should include:

  1. A brief description of the circumstances of the cyber security breach
  2. The specific or estimated date on which the breach occurred
  3. A detailed description of the personal information that was leaked in the cyber security breach
  4. A description of the steps that the organization has taken to reduce the risk of harm resulting from the breach
  5. Steps that should be taken by the affected individuals to reduce the risk of harm
  6. Full contact information for the affected individuals to use to obtain further information about the breach

Indirect Notifications

Indirect notification is rare and permitted only in limited circumstances; however, there are times when you can notify people indirectly.

This includes the following:

  1. If direct notification would cause further harm to the affected individual
  2. If direct notification would cause undue hardship for the organization
  3. If the organization does not have contact information for the affected individual

Indirect notification must be given using a public communication that could reasonably be expected to reach the affected individuals. This may include public announcements or advertisements in online or offline news media.

Recovery

If your organization believes it has been the victim of a cyber security breach or incident, the following resources can help you manage it:

  1. Call your bank
  2. Fraud departments
  3. The police
  4. Service Canada (1-800-O-Canada)
  5. The Office of the Privacy Commissioner of Canada (OPC) (1-800-282-1376)
  6. The Canadian Anti-Fraud Centre (CAFC) (1-888-495-8501)

It is extremely important that you take the time to record all details of a cyber security breach as it unfolds. If your organization is concerned about data security, BrickHost can help your organization reduce cyber security risk and protect your data.
