Canada’s new data breach law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), became effective on November 1, 2018. The Office of the Privacy Commissioner of Canada released new guidance providing explanations of the breach reporting requirements for private-sector businesses that operate in Canada or do business with Canadian customers. The new requirements of this law, particularly the breach notification requirements, should be on the radar of any United States-based businesses that also do business in Canada.
Under PIPEDA, organizations must report security incidents to the Privacy Commission of Canada if an incident carries “a real risk of significant harm” to consumers.[1] Regardless of the size of the breach or number of affected persons, the breach must be reported if the business determines that there is a real risk of significant harm resulting from the breach. The guidance provided by the Privacy Commissioner clarifies that the organization that controls the data is the organization required to report and notify individuals of a breach. Even when an organization has transferred the data to a third party processor, the organization is still responsible for reporting and notification.
Naturally, a standard such as “real risk of significant harm” is a standard that is open to some level of subjectivity and interpretation; however, the Privacy Commissioner has offered guidance to assist businesses in their review. Significant harm is defined as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record and damage or loss of property.” Factors to be considered in determining whether the breach creates a real risk of significant harm include: (1) the sensitivity of the personal information involved in the breach; and (2) the probability the personal information has been/is/will be misused. “Sensitivity” is not defined by PIPED, but the concept is discussed in Principle 4.3.4 and provides some general considerations:
Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
Notification must be given “as soon as feasible” after the organization has determined a breach occurred. The notification must be conspicuous, understandable, given directly to the individual, and include several pieces of information including:
- A description of the breach circumstance and, if known, its cause
- The day or time period when the breach occurred
- A description of the personal information subject to the breach
- A description of the organization’s risk mitigation measures
- A point of contact
- The number of individuals affected
- A description of how the organization will notify individuals
Organizations are required to maintain records of each data breach for at least 24 months after the date on which the breach was discovered. The records must contain sufficient information to allow the Office of the Privacy Commissioner to confirm that the organization has complied with the law.
The new law, which has been in the works for quite some time, includes extensive requirements and regulations in the event of a breach. In the event that a business determines that the sensitive information of a Canadian customer has been breached, the business would be well advised to consult with an attorney knowledgeable about PIPEDA and Canada’s data security laws.
***********************************************
[1] “What you need to know about the mandatory reporting of breaches of security safeguards”, Office of the Privacy Commissioner of Canada (available at https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/#_Part_1).