Canada’s Breach Notification Rules Go Into Effect Nov. 1

Written by: Anthony E. Stewart, Esq.

Any organization subject to Canada’s Personal Information Protection and Electronic Document Act (PIPEDA) will have new data breach notification rules to follow starting tomorrow. This change will affect businesses of all sizes and may affect U.S. companies that process Canadians’ personal information even if their operations are solely on the U.S. side of the border.

PIPEDA requires organizations to protect personal information by security safeguards appropriate to the sensitivity of the information they process.  A “breach of security safeguards” is the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.

As of November 1, 2018, organizations will be required to:

  • report certain breaches to the Office of the Privacy Commissioner of Canada (OPC);
  • report certain breaches to the affected individuals; and
  • keep records of all breaches.

Reporting Breaches to OPC

Organizations must conduct a risk assessment of each breach of security safeguards involving personal information under their control to determine whether it is reasonable in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm to one or more individuals.  The factors that are relevant for determining whether a breach of security safeguards creates a real risk of significant harm to an individual include:

  • the sensitivity of the personal information involved in the breach; and
  • the probability that the personal information has been, is being or will be, misused.

If an organization’s risk assessment indicates there is a real risk of significant harm resulting from the breach, it must report the breach to the OPC as soon as feasible.  The OPC encourages organizations to use the PIPEDA breach report form when reporting a breach to its office.

Reporting Breaches to Affected Individuals

Generally, an organization must also notify the individuals affected by the breach of security safeguards anytime an organization determines that the breach poses a real risk of significant harm to an individual.  The notification must be given as soon as feasible and must include the following information:

  • a description of the circumstances of the breach;
  • the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
  • a description of the personal information that is the subject of the breach to the extent that the information is known;
  • a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
  • a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
  • contact information that the affected individual can use to obtain further information about the breach.

Recordkeeping

An organization must keep and maintain a record of every breach of security safeguards involving personal information under its control – regardless of the outcome of the organization’s risk assessment. The record must contain any information that enables the OPC to verify compliance with breach of security safeguards reporting and notification requirements. The OPC requires that the record include, at a minimum:

  • date or estimated date of the breach;
  • general description of the circumstances of the breach;
  • nature of the information involved in the breach;
  • whether or not the breach was reported to the OPC and/or individuals were notified; and
  • sufficient details for the OPC to assess whether an organization has correctly applied the real risk of significant harm standard and otherwise met its obligations to report and notify in respect of breaches that pose a real risk of significant harm.

The law requires an organization to keep breach records for two years; however, the organization may have other legal requirements that require a more extended retention period.