Security Breach Reporting in Canada: A Short Reference Guide for PIPEDA

by Amanda Spencer, Partner & Researcher

On November 1, 2018, changes to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will come into effect. On that date, organizations will be required to report any security breaches that “pose a real risk of significant harm” to an individual.

Disclaimer: This blog post is not a comprehensive review of PIPEDA. It is a summary of selected sections only. Seek professional advice about PIPEDA and the requirements regarding mandatory reporting of breaches. Information provided here is not legal advice.

Here are some key questions to consider:

What is a “real risk of significant harm”?

Significant harm can include damage to reputations, financial loss, identity theft, negative effects on credit, and damage to or loss of property. To determine whether there is a real risk of significant harm, organizations must consider the sensitivity of the personal information involved in the breach, as well as the likelihood that the personal information has been or will be misused.

Who is responsible for reporting a breach?

Any organization that has personal information “under its control” must report a breach. This means that more than one organization may be responsible for reporting a single breach. Consider this scenario: Company A gathers information, then hires Company B to process that information. If Company B experiences a breach, both A and B must report the breach.

When and how should individuals be notified?

If a breach posing a real risk of significant harm to an individual is identified, you must notify the individual as soon as is feasible, and the notification must be very clear and stand out. Notification must include information that allows individuals to understand how the breach may affect them and that enables them to take any possible steps to reduce the harm that may result from the breach. Notification must also include contact information that can be used to obtain further information about the breach.

Notification should be made directly (in person, by telephone, mail, or email). There are very few circumstances where indirect notification is possible: one of these is when direct notification is likely to cause further harm to the affected individuals.

Notification must also be made to any government institutions or other organizations (such as law enforcement or financial institutions) that may help reduce the risk of harm resulting from the breach.

What records need to be kept?

Organizations must keep records of every breach, even if they do not pose a real risk of significant harm. Records must be kept for two years.

What information should those records contain?

Records should contain the date of the breach, a general description of the circumstances, the nature of information involved, and whether any notification was made. If notification was not made, a brief explanation should be provided about why the breach did not pose a real risk of significant harm.

Records do not need to include personal details unless they are needed to explain the nature and sensitivity of the information.

Will there be penalties for not following these regulations?

Yes. PIPEDA has provisions for fines of up to C$100,000 for failing to report a breach or failing to maintain records, even if the breach isn’t judged to pose a real risk of significant harm.

How should organizations prepare?

The following actions will help your organization keep information secure:

• Determine what information might be at risk in a breach;
• Develop a framework for assessing whether a breach poses a real risk of significant harm;
• Perform an assessment of current cybersecurity capabilities, including drills to test responses;
• Establish tracking and reporting procedures to ensure that all breaches are recorded; and
• Consider working with a third-party security provider to assess current security assets and develop a breach response plan.

More detailed information about mandatory breach requirements is available at the Office of the Privacy Commissioner of Canada website.

photo credit: rawpixel.com via Pexels.