Countdown to Nov. 1, 2018: Enforcement Date of Canada’s Mandatory Data Breach Reporting Law

November 1, 2018 marks the enforcement date of the Canadian law that requires organizations in the private sector to report data breaches.

The Canadian Government officially set November 1, 2018 as the enforcement date of the mandatory data breach reporting obligation for organizations in the private sector, in line with the Digital Privacy Act, a law that amended the Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA is a Canadian privacy law for private sector organizations which came into force in January 2001. This law sets out rules that organizations in the private sector must follow whenever they collect, use or disclose personal information in the course of their commercial activities.

Canada’s Digital Privacy Act, which received Royal Assent in June 2015, sets out the general rules that private sector organizations must follow in case of a data breach.

Under the Digital Privacy Act, deliberate failure to report a data breach to the Privacy Commissioner of Canada and deliberate failure to notify the affected individual are considered separate offences, each subject to a fine of up to $100,000. The Digital Privacy Act also considers the deliberate failure to keep, or the destruction of, data breach records an offence subject to a fine of up to $100,000.

On April 18, 2018, the Government of Canada published in the Canada Gazette the “Breach of Security Safeguards Regulations”, the Digital Privacy Act’s regulations that set out the specific rules that private sector organizations must follow in case of a data breach.

Also on April 18, 2018, the Government of Canada published in the Canada Gazette the order setting November 1, 2018 as the enforcement date of mandatory data breach reporting under the Digital Privacy Act. Organizations in the private sector therefore have a lead period between April 18, 2018 and November 1, 2018 to prepare for mandatory data breach reporting. During the consultations on the regulations, business representatives stated that they needed time to adjust their information systems, procedures and practices, and to train employees.

Mandatory Data Breach Reporting Rules

The Digital Privacy Act’s Breach of Security Safeguards Regulations require private sector organizations to determine if the data breach poses a “real risk of significant harm” to any individual by conducting a risk assessment, taking into consideration the sensitivity of the information involved and the probability that the information will be misused.

Here are 3 important rules under the Digital Privacy Act’s Breach of Security Safeguards Regulations that must be followed by private sector organizations once it’s determined that the data breach poses a “real risk of significant harm” to any individual:

1. Data Breach Report to the Privacy Commissioner of Canada

The Digital Privacy Act’s regulations mandate that any data breach that poses a “real risk of significant harm” to any individual must be reported to the Privacy Commissioner of Canada “as soon as feasible”, specifying the following:

  a) Description of the circumstances of the data breach and its cause, if known
  b) Day or period during which the data breach happened or, if neither is known, the approximate period
  c) Description of the personal information that was breached
  d) Specific number of people affected by the breach or, if unknown, the approximate number
  e) Description of the measures that the organization has undertaken to lessen or mitigate the risk of harm to the affected individuals
  f) Description of the steps that the organization has undertaken or intends to undertake to notify the affected individuals
  g) Name and contact information of a person who can answer, on behalf of the organization, to the Privacy Commissioner of Canada about the breach

Under the Digital Privacy Act’s regulations, the report may be sent to the Privacy Commissioner of Canada by any secure means of communication.

2. Notification to Affected Individual

The Digital Privacy Act’s regulations mandate that the affected individual or individuals must be notified about the breach “as soon as feasible”. In terms of content, the required notification to affected individuals is similar to the content of the data breach report to the Privacy Commissioner of Canada.

Under the Digital Privacy Act’s regulations, notifying the affected individual can be done through direct or indirect means. Direct notification under the regulations refers to telephone, mail, email or in-person communication; while indirect notification refers to public announcements that could reasonably be expected to reach the affected individual or individuals.

Indirect notification is allowed under the regulations when any of the following conditions is present:

  a) Direct notification would likely result in further harm to the affected individual
  b) Direct notification would likely result in undue hardship to the organization
  c) The organization has no contact details for the affected individual

3. Data Breach Record-Keeping Requirements

The Digital Privacy Act’s regulations mandate that an organization that suffered a data breach must maintain a record of it for 24 months, starting from the day the organization found out that the breach occurred.

The Government of Canada, in a statement, said that the mandatory data breach reporting has social, economic and public security benefits.

The Canadian Government said that in terms of social benefits, the mandatory breach reporting allows affected individuals to take immediate action to protect themselves; in terms of economic benefits, the mandatory breach reporting creates certainty across the marketplace about how organizations notify affected individuals; and in terms of public security benefits, the mandatory breach reporting contributes positively to the security of individuals and the cybersecurity readiness of businesses in Canada.

Speak with our security experts today to better understand and prepare for the mandatory data breach disclosure. Call 416-920-3000 to schedule a consultation.
