Cybersecurity threats defy national borders. Businesses offer goods and services to individuals worldwide, and the cyber attacks against those organizations are not limited geographically.
The recent introduction of mandatory breach reporting in Canada should be of interest to organizations worldwide. For example, a breach involving a U.S.-based organization might give rise to reporting and notification obligations in Canada, as well as litigation (including class actions) in Canada. Beyond the potential regulatory fines (which are admittedly minor in comparison to other jurisdictions), a failure to comply with Canadian regulatory obligations could fuel costly litigation against the U.S.-based organization.
This 10-step guide will walk you through the upcoming changes to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the factors to consider in being prepared and other related considerations.
The biggest changes, which came into force on November 1, 2018, are:
- Mandatory breach reporting to the Office of the Privacy Commissioner (OPC).
- Mandatory breach notification to impacted individuals.
- Mandatory breach record-keeping.
- Financial penalties of up to $100,000 for non-compliance with items 1 to 3.
PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity. Personal information includes any factual or subjective information about an identifiable individual. A commercial activity is conduct that is of a commercial character (including the selling, bartering or leasing of donor, membership or other fundraising lists).
Step 1: Identify What Information You Have
- Identify categories of personal information for which your organization is responsible and which of those fall within the scope of PIPEDA.
- Was the personal information collected by fair and lawful means?
- Consider whether you need the personal information you are gathering.
- Does your organization have any contractual obligations with third parties should there be any incident affecting any category of confidential information?
- If a consumer or individual calls and requests access to their information, can you give it to them in a timely manner?
- Is the personal information as accurate, complete, and up-to-date as possible?
Step 2: Understand How Information is Stored
- Understand where and how the personal information is stored and the means by which it could be accessed.
- Limit internal access to those employees who require access in order to carry out the purpose for which the information was collected.
Step 3: Implement Safeguards to Protect Your Information
- Implement safeguards appropriate to the sensitivity of the information, including:
  - Physical measures (e.g., locked filing cabinets; restricted access to offices).
  - Organizational measures (e.g., security clearances and limiting access on a “need to know” basis).
  - Technological measures (e.g., use of passwords and encryption).
- Make employees aware of the importance of maintaining the confidentiality of personal information – develop, document and deliver appropriate and mandatory privacy training for all employees.
- Use care in disposal or destruction of personal information. For example, are your printers wiped before they are thrown out?
- Implement measures so that your organization can detect unauthorized access to or disclosure of personal information.
- Are your security measures regularly reviewed and updated?
Step 4: Ensure Third-Party Contracts Protect You
- Contracting third parties to process personal information on your behalf does not relieve you of responsibility under PIPEDA.
- Have a recorded basis for selecting the third-party vendor and for your satisfaction that they have appropriate safeguards in place.
- Ensure that contracts include key provisions to protect you in the event of an incident.
- Consider requiring certification of cyber hygiene from a third party.
- Consider requiring insurance for data breaches as part of any contract.
- If there is a data security incident, can your third party afford to deal with the resulting costs or will they fold and leave you hanging?
Step 5: Institute Breach Response Plan
- Who will be informed of a data security incident? Ensure the security breach response team has representation from key areas.
- How will your team be informed of the breach and does everyone know their scope of responsibilities?
- Are there “understudies” available if one of your team is unavailable?
- Make sure your plan is a complete roadmap for addressing data security incidents.
- Are there backups of all of your business information?
- What if…
  - You’re locked out of your email?
  - The data security incident happens during off hours or on a holiday?
  - You’re locked out of your network?
Step 6: Evaluate for a Real Risk of Significant Harm
Was there a breach of security safeguards?
- Breach of security safeguards means loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from failure to establish those safeguards (see Step 3).
If so, is there a real risk of significant harm?
- “Significant harm” includes: humiliation, damage to reputation or relationships and identity theft.
- When analyzing whether there is a real risk of significant harm, look at what personal information has been breached and the circumstances, through the following factors:
  - The sensitivity of the personal information involved in the breach.
  - The probability that the personal information has been, is being, or will be, misused.
- Consult external legal counsel to determine whether a security incident needs to be reported if it falls in a grey zone.
- Consult external legal counsel on the content of the assessment, as it may have legal implications for the organization.
Step 7: Maintain Privilege
- Your written assessment of whether the security incident gives rise to a real risk of significant harm can have legal implications for your organization, and may be producible in investigations or litigation concerning this event or future events.
- Maintain privilege through correspondence with external counsel.
- Correspondence with in-house counsel is not always protected by solicitor-client privilege.
Step 8: Record All Breaches
- You must maintain a record of every breach of security safeguard for at least 24 months after the date on which your organization learned of the breach. This record can be requested by the Office of the Privacy Commissioner.
- Record all breaches of personal information under your control – whether there is a real risk of significant harm or not.
- The record should include prescribed elements.
- Appoint one specific senior individual (e.g., CEO or privacy officer) to record the information and maintain the breach record.
- Keep the board of directors apprised of management of security events.
- Consider issues of privilege when reporting to the board as the board minutes may be producible in litigation or investigations concerning this event or future events.
- If cybersecurity incidents or risks materially affect a company’s products, services, relationships or competitive conditions, publicly traded companies must provide appropriate disclosure.
- The breach record may have legal implications as it may be producible in investigations or litigation concerning this event or future events. Consider consulting external counsel.
Step 9: Reporting and Notification Obligations
Non-compliance with the notification obligations listed below can result in:
- The court ordering an organization to correct its practices; to pay damages to the complainant, including damages for humiliation; and to publish a notice of any action taken to correct its practices.
- Fines of up to $100,000.
Office of the Privacy Commissioner
- Report to the Office of the Privacy Commissioner as soon as feasible after you have determined a breach involving a real risk of significant harm has occurred.
- The report must contain prescribed elements.
- Consult external legal counsel on the content of the report, as it may have legal implications for the organization.
- Notify affected individuals. The notification must include certain prescribed elements.
- Consult external legal counsel on the content of the notification, as it may have legal implications for the organization.
- The organization is not required to notify the individual of a breach in some specific circumstances (e.g., if doing so is prohibited by law).
Organizations That Can Help Mitigate Harm
- Notify any institutions or organizations that you believe can reduce the risk of harm that could result from the breach or mitigate the harm.
- Consult external legal counsel on the content of the notification, as it may have legal implications for the organization.
Step 10: Review and Learn
Once the crisis is past, take this opportunity to review your operations. Look for areas of weakness and areas that can be improved for the next breach.
The Cybersecurity Team at Bennett Jones LLP is available to assist with any inquiries relating to PIPEDA or any other related privacy/cybersecurity matters. The full pdf version of this 10-Step Guide can be found here.
Compliments of Bennett Jones LLP, a member of the EACCNY