On March 4, Innovation, Science and Economic Development Canada commenced a consultation process on new data breach regulations for Canada. The consultation will close on May 31. The new regulations are the next step in the process of bringing Canada’s federal breach reporting law into force. The new law was enacted as part of the Digital Privacy Act last year.
Digital Privacy Act
The Digital Privacy Act amended the Personal Information Protection and Electronic Documents Act (PIPEDA) to include, among other things, new provisions relating to breaches of security safeguards.
A “breach of security safeguards” is defined in section 2(1) of PIPEDA as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s safeguards that are referred to in Clause 4.7 of Schedule 1 or from a failure to establish those safeguards.”
Clause 4.7 of Schedule 1 of PIPEDA is the principle that requires an organization to protect personal information by physical, organizational, and technological measures that are proportional to the sensitivity of the personal information.
The new breach of safeguards obligations that were introduced by the Digital Privacy Act include:
- logging any breach of security safeguards;
- reporting a breach of security safeguards to the Office of the Privacy Commissioner if it is reasonable to believe that the breach creates a real risk of significant harm to an individual;
- notifying affected individuals about a breach that it is reasonable to believe creates a real risk of significant harm to the individual; and
- notifying third parties where appropriate if the third party could mitigate the risk of harm.
“Significant harm” could mean a broad array of financial and non-financial harm, including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit records and damage to or loss of property.”
When evaluating whether there is a “real risk,” an organization must consider the sensitivity of the personal information involved in the breach, the probability that it will be misused, and any other factors that are prescribed by government regulations.
Need for regulations
The provisions relating to breach logging, reporting and notification will not come into force until the government passes regulations. These regulations would set out:
- recordkeeping requirements for the logging of breaches of security safeguards;
- the form and content of the report to the Office of the Privacy Commissioner of Canada;
- the form and content of notifications to affected individuals; and
- other factors relating to the determination of whether there is a “real risk” of significant harm.
Consultation topics
The government has concluded that a consultation process is appropriate prior to developing regulations and is seeking the input of Canadians. Once the regulations are drafted they will be published and there will be a further opportunity for comments. Here is a brief overview of the issues and some of the more interesting consultation questions.
- Record keeping
The requirement to log breaches is perhaps the most controversial aspect of the breach reporting provisions enacted by the Digital Privacy Act. The failure to maintain these logs and to produce them on demand to the OPC is one of the few prosecutable offences under PIPEDA. Moreover, there is significant concern that these records could be produced in litigation.
The government is asking whether the regulations should be prescriptive regarding the information that must be included in a record or simply permit organizations to record “sufficient information to indicate the breach does not pose a real risk of significant harm.” In addition, the government is asking whether:
- there should be a retention period for data breach records and, if so, what the retention period should be;
- the privacy officer should be held accountable for maintaining the data breach records;
- the obligation to create a record should be clarified as only applying to breaches for which the organization has actual knowledge; and
- a separate record should be required for every breach.
- Risk assessment
The risk assessment process can be complex. The purpose of a risk assessment is to limit the types of breaches that need to be reported. The government’s view, however, is that the risk assessment process should be contextual, which makes designing bright-line tests difficult. The government has nonetheless asked whether some additional factors may be useful to organizations. For example, it has asked whether the risk of harm should be presumed to be low in circumstances where encryption has been used. Another scenario not addressed by the government, but one that might be of interest to organizations, is how to handle inadvertent breaches in which the records have been recovered. If a misdirected document is recovered and the unintended recipient has undertaken to keep it confidential, is there truly a real risk of significant harm?
- Reports to the commissioner
In Alberta, the information and privacy commissioner must make a determination as to whether an individual should be notified about the breach. In that context, a requirement to provide a significant amount of information to the commissioner makes sense. However, the OPC has no such role under the amendments to PIPEDA. It is entirely unclear why reports to the OPC are being required. If every breach report is going to turn into an investigation, the OPC will be paralyzed or the OPC will need to develop criteria for when it asks additional questions. If the purpose of the reports is to enable the OPC to watch trends, such as the types of breaches that are occurring, industries that seem affected most by certain issues, or even whether there are multiple offenders, then the information provided to the OPC could be standardized and basic.
However, under the current voluntary reporting system described in the consultation paper, the OPC asks organizations to divulge basic details of breaches, such as:
- the date and location of the breach;
- the type of incident and its cause;
- the type of personal information;
- the number of affected individuals and their location (in Canada and outside of Canada);
- mitigation efforts; and
- whether individuals, law enforcement and others have been notified.
In practice, however, the OPC frequently follows up with detailed questions relating to the breach. These supplementary questions frequently include requests to describe:
- the precise vulnerability that was exploited in the breach;
- the relevant organizational, physical and technological security safeguards in place at the time of the incident;
- if an electronic system was hacked, the type of vulnerability scanning that was performed at the time of the breach;
- if third-party service providers were involved, the privacy and security service-level agreements with those providers; and
- subsequent improvements to the security safeguards of the organization and its service providers.
The government has requested advice regarding what information should be required in reports to the OPC and whether organizations should be required to update the OPC when information is determined to be inaccurate, incomplete or has changed. The government is also seeking advice on whether the OPC should be required to establish a secure, electronic means of reporting and whether reports should be in writing only.
- Notification to individuals
The amendments to PIPEDA state that the notice to affected individuals must contain sufficient information to allow the individual to understand the significance to the individual of the breach and to take steps, if any are possible, to reduce the risk of the harm that could result from it or to mitigate that harm. The government wants to know whether there is specific information that should be included in notices that should be prescribed by regulations.
Under the OPC’s voluntary system, the types of information that the OPC wants to see in a notice include:
- general information about the nature of the incident, including when it occurred;
- the type of information affected and mitigation efforts to reduce harm;
- any assistance being offered to individuals;
- contact information for a person who can answer questions about the incident;
- contact information for the OPC; and
- contact information for organizations that could help individuals with credit monitoring or situations like identity theft.
An important issue for organizations is clarity regarding the means by which they can give notice. The government is seeking advice on the methods of communication that should be permitted for direct notification. Many organizations will want to provide notice by email where possible. The government is also concerned about organizations obscuring notification and has asked whether the regulations should require that notices be conspicuous and distinct from other communications. Finally, the government has requested advice on whether cost should be a consideration in deciding whether direct notification should be required.
- Third-party notifications
The government has noted that in the U.S. many state laws require reports to law enforcement when financial information is involved and to credit reporting agencies depending on the number of affected individuals.
Currently, the OPC’s voluntary program encourages reports to:
- police, in the case of theft or other crime;
- credit card companies, financial institutions and credit reporting agencies if it would assist in the mitigation of harm;
- unions, if the breach involves their members; and
- insurers, professional or regulatory bodies, and others where required.
Broadening third-party notifications beyond these categories is controversial. A fundamental principle of personal information protection legislation is ensuring that the individual remains in control. It is not at all clear that reports about an affected individual should be made without the knowledge and consent of that individual, irrespective of whether the organization or the OPC thinks it would be “good” for the individual.
Next Steps
If you are interested in participating in the consultation, you can find out more information here. Consultation responses are due by May 31. Following this consultation process, the government will publish draft regulations for public comment and consultation. It is unlikely, therefore, that we would see breach reporting come into force in Canada before the last quarter of the year and possibly not until the beginning of 2017.