breach of security safeguards - Privacy and Cybersecurity Law

Canada’s Breach Reporting Law
What you need to know
Timothy M. Banks, CIPP/C
Dentons Canada LLP
July 21, 2015
Quick facts
• Canada’s Digital Privacy Act received Royal Assent on June 18, 2015
• The Digital Privacy Act makes the first major amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) since it was enacted
• Four key amendments discussed in this slide deck:
  • Breach logs
  • Breach reports to the Office of the Privacy Commissioner of Canada (OPC)
  • Breach notifications to individuals
  • Breach notifications to third parties
July 2015
2
Not yet in force
• Some of the amendments to PIPEDA contained in the Digital Privacy Act went into force immediately
  • See the summary here: http://privacyanddatasecuritylaw.com/pipedaamendments-in-force
• However, regulations are still required setting out the content of breach logs, breach reports and notifications, so the breach provisions are not yet in force
Safeguards refresher
• What is clause 4.7?
  • That’s the provision of Schedule 1 to PIPEDA that says an organization must establish safeguards appropriate to the sensitivity of the information, including:
    • Physical measures: for example, locked filing cabinets and restricted access to offices;
    • Organizational measures: for example, security clearances and limiting access on a “need-to-know” basis; and
    • Technological measures: for example, the use of passwords and encryption.
Key term: “breach of security safeguards”
• “Breach of security safeguards” is the key term
• It is “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in cl. 4.7 of Schedule 1 or from a failure to establish those safeguards” (s. 2(1))
New obligations
• New breach of security safeguards obligations:
  • Maintain records of every breach of security safeguards (no harm test/threshold)
  • If the harm test is met: (a) report the breach of security safeguards to the OPC and (b) notify affected individuals
  • Also must notify third parties in certain circumstances
Breach logs
• Organizations must keep and maintain a record of every breach of security safeguards involving personal information under the organization’s control (s. 10.3(1))
  • Regulations to come addressing the content of the logs
• Copies of these records must be provided to the OPC upon request (s. 10.3(2))
• Appears to be limited to an actual loss, unauthorized access to or unauthorized disclosure of personal information resulting from the breach
• No harm test
What can we expect the regulations to say?
• Expect that the breach logs will be required to contain the following types of information:
  • Containment
    • How the breach occurred
    • How it was detected
    • How it was contained
  • Evaluation
    • Type of personal information in issue and what can be done with it
    • Evidence of criminal motivation
    • What harm mitigation steps are in place
  • Reporting / Individual Notification
    • Who was notified? How? What was the content of the notification?
  • Lessons
    • Remediation plan for avoiding further breaches
Key concept: “real risk of significant harm”
• “Significant harm” includes:
  • bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property (s. 10.1(7))
  • This list is open-ended
• “Real risk”
  • Factors include the sensitivity of the affected personal information, the probability that the personal information has been, is being or will be misused, and any other factor prescribed by regulation (s. 10.1(8))
Reporting to the OPC
• An organization must report to the OPC any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm (s. 10.1(1))
• The report must be made as soon as feasible after the organization determines that the breach has occurred (s. 10.1(2))
Notification of affected individuals
• An organization must notify affected individuals if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual, unless notification is prohibited by law (s. 10.1(3))
• The notification must contain sufficient information to allow the individual to understand the significance of the breach and to take steps to reduce the risk of harm that could result from it or to mitigate the harm (s. 10.1(4))
• The notification must be conspicuous and be given directly to the individual, except in prescribed circumstances (s. 10.1(5))
Third-party notification
• Notify other organizations and government institutions if the other organization may be able to reduce the risk of harm that could result from the breach (s. 10.2(1))
• Notification must be made as soon as feasible after the breach is discovered (s. 10.2(2))
• Notification may occur pre-emptively and without the consent of the affected individual, provided that it is made solely for the purpose of reducing the risk of harm (s. 10.2(3))
What may we expect in the regulations?
• Reports to the OPC are likely to require at least the following information:
  • a description of the circumstances of the breach
  • the time period of the breach
  • a description of the personal information affected
  • the number of individuals affected
  • an assessment of the risk of harm
  • harm mitigation efforts
  • notification steps taken with affected individuals and third parties
  • contact information for the organization
What else can we expect in the regulations?
• Individual notification may require at least the following:
  • A description of the circumstances of the breach
  • The date of the breach or the time period during which the breach occurred
  • A description of the affected personal information
  • A description of any steps that the organization has taken to reduce the risk of harm (including any third parties that have been notified)
  • Contact information for a person who can answer questions on behalf of the organization about the breach
Questions?
Timothy M. Banks
Dentons Canada LLP
[email protected]
416-863-4424
© 2015 Dentons. Dentons is an international legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices.