Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was recently amended. Most of the amendments came into force on June 18; we discussed those amendments in a previous Tracker post. One set of amendments that is not yet in force is the new breach reporting and notification provisions. The Canadian government will need to enact regulations to address some aspects of the new federal breach reporting law before it comes into effect. This post summarizes what we already know about how those provisions will work when they come into force and what we can expect.
Breach Logs
What we know
Organizations must keep and maintain a record of every breach of security safeguards involving personal information under the organization’s control (s. 10.3(1)). Copies of these records must be provided to the Office of the Privacy Commissioner of Canada (OPC) upon request (s. 10.3(2)). A “breach of security safeguards” is defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in cl. 4.7 of Schedule 1 or from a failure to establish those safeguards” (s. 2(1)). Clause 4.7 is the provision in PIPEDA that states (among other things) that an organization must establish safeguards appropriate to the sensitivity of the information including:
- Physical measures: for example, locked filing cabinets and restricted access to offices;
- Organizational measures: for example, security clearances and limiting access on a “need-to-know” basis, and
- Technological measures: for example, the use of passwords and encryption.
The obligation to keep and maintain these records appears to be limited to an actual loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from the breach. On the plain wording of the provision, a lapse of security that did not result in such a loss, access or disclosure would not need to be recorded.
What we can expect
We don’t yet know what the required content of these breach logs will look like. However, organizations should expect that the OPC may want to see the government require that the breach log include information relevant to the OPC’s recommended four-part approach to breaches. This would include:
- Breach containment: for example, how was the breach identified, how long did it last, what were the vulnerabilities, how was the breach contained, and was law enforcement engaged?
- Evaluation of the risks associated with the breach: For example, was it criminally motivated, was the personal information sensitive, was the personal information encrypted, what harm could be done with the information, who and how many people are affected, and what harm mitigation steps were taken?
- Reporting and Individual Notification: For example, was the test for reporting to the OPC and to individuals met, when was reporting and notification made, by what means, were other agencies or organizations notified to assist in mitigation of harm, and what was the content of the reporting and notifications?
- Prevention: For example, what are the “learnings” and remediation plans, what revisions are necessary to safeguards, policies, procedures, training, or supplier oversight, and how have these revisions been implemented?
Breach Reporting and Notifications
What we know
Under the new law, several different reports and notifications are required for breaches:
- Report to the OPC: An organization is required to report to the OPC any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm (s. 10.1(1)). A report to the OPC must be made as soon as feasible after the organization determines that the breach has occurred (s. 10.1(2)).
- Individual Notification: The new provisions require mandatory notification to individuals “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual” unless prohibited by law (s. 10.1(3)). The notification must contain sufficient information to allow the individual to understand the significance of the breach and to take steps to reduce the risk of harm that could result from it or to mitigate the harm (s. 10.1(4)). The notification to the individual must be conspicuous and be given directly to the individual except in prescribed circumstances (s. 10.1(5)).
- Third-Party Notifications: Organizations must notify other organizations and government organizations if the other organization may be able to reduce the risk of harm that could result from the breach (s. 10.2(1)). The notification must be made as soon as feasible after the breach is discovered (s. 10.2(2)). This third-party notification may occur pre-emptively and without the consent of the affected individual, provided that it is made solely for the purposes of reducing the risk of harm (s. 10.2(3)).
“Significant harm” is defined to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property (s. 10.1(7)). This list is open-ended.
The new provisions also contain a list of factors that are relevant to determining whether there is a “real risk” of significant harm. These include the sensitivity of the affected personal information, the probability that the personal information has been, is being or will be misused and any other factor prescribed by regulation (s. 10.1(8)).
What we can expect
Regulations are expected to be enacted to establish the form of the report and the information to be included in the report to the OPC and to the individuals. Alberta has similar reporting obligations and it is expected that the information that must be included in the reports to the OPC and the individual notifications will be at least as comprehensive as that in Alberta. In Alberta, the following information must be included in a report to the Alberta Commissioner:
- A description of the circumstances of the loss or unauthorized access or disclosure;
- The date on which or time period during which the loss or unauthorized access or disclosure occurred;
- A description of the personal information involved in the loss or unauthorized access or disclosure;
- An assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure;
- An estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
- A description of any steps the organization has taken to reduce the risk of harm to individuals;
- A description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure;
- The name of and contact information for a person who can answer, on behalf of the organization, the commissioner’s questions about the loss or unauthorized access or disclosure.
The following information must be included in an individual notification that is ordered by the Alberta commissioner:
- A description of the circumstances of the breach;
- The date of the breach or the time period during which the breach occurred;
- A description of the affected personal information;
- A description of any steps that the organization has taken to reduce the risk of harm, and
- Contact information for a person who can answer questions on behalf of the organization about the breach.
In terms of timing of reports, it is not certain how the OPC would interpret “as soon as feasible.” Since a breach of safeguards involves the loss of, unauthorized access to, or unauthorized disclosure of personal information, an organization might argue that the threshold is not triggered if the loss, access or disclosure is merely suspected but cannot be confirmed. This situation is more common than might be thought: information security professionals are frequently able to establish that security systems have been breached but cannot tell with certainty whether specific data has been accessed. It is likely that the threshold will be reached when the organization reaches a stage in its investigation where it has sufficient information to conclude that the breach has probably occurred, at which point the organization is likely obligated to report the breach.
In many instances, law enforcement may request (but not order) a delay in notification in order to support an investigation. Public disclosure could prejudice communications with the hacker or make the investigation more difficult by tipping off the hacker that he or she has been detected. It is hoped that the OPC will recognize that in these circumstances a delay in notification is reasonable.
Hope for Harmonization
A significant difference between the Alberta and the federal regimes for breach notification is that in Alberta it is the Commissioner who decides whether the statutory test for individual notification has been met. Although Canada’s Parliament opted to leave the decision to the organization as to whether the statutory test for individual notification is met, this is a distinction without much practical difference since a prudent organization under the Alberta regime would commence individual notifications prior to the commissioner’s order if it was likely that the test for notification would be met. What remains to be seen, however, is whether the government will ensure that the content of notifications remains harmonized to avoid the fractured approach in the United States with different state residents receiving different types of notices. Watch this space for more updates as we learn more.