Mandatory Data Breach Notification in Canada
Bill S-4, commonly known as the Digital Privacy Act, was passed on June 18, 2015, amending the Personal Information Protection and Electronic Documents Act (PIPEDA).
On September 1, 2017, the Federal government put forth proposed regulations with respect to mandatory breach notification and record keeping under PIPEDA. The final regulations of the Digital Privacy Act were published on April 18, 2018, and will come into effect on November 1, 2018.
To Whom Do the New Regulations Apply?
The new regulations apply to all organizations that collect, use, and disclose personal information in the course of any commercial activity, except in some cases where provincial laws apply.
Under What Circumstances Is Notification Required?
The regulations stipulate that notification is required where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual.”
- PIPEDA defines “significant harm” as including, among other harms, humiliation, damage to reputation or relationships, and identity theft.
- A “real risk” requires consideration of the sensitivity of the information, the probability of misuse, and any other prescribed factor.
Reporting Privacy Breaches
Notice to affected individuals and the report to the Commissioner must be given in the prescribed form "as soon as feasible" after it is determined that a breach occurred.
Mandatory Record Keeping of All Breaches
Organizations will be required to keep and maintain a record of every breach of safeguards involving personal information under their control for a minimum of 24 months after the date they became aware of the breach, irrespective of whether the breach triggered the above notification and reporting requirements.
Financial Implications of Non-Compliance
Under the new regulations, those organizations that fail to comply with the above notification, reporting, and record keeping requirements will be subject to fines up to $100,000 per offence, e.g. potentially up to that amount per individual not notified.
Practical Considerations of Mandatory Notification and Record Keeping
The introduction of the new regulations raises a number of new considerations for management and the boards of organizations of all sizes. For example, upon request, organizations must provide the Privacy Commissioner with breach log records. The Privacy Commissioner may then publish information from such records if the Commissioner deems that it would be in the public interest.
If the organization is publicly traded, what does this signal to the market and how does it react? What happens to the share price?
Non-compliance with the notification requirement is likely to trigger civil litigation, or at least be a key consideration.
Operationally, the costs arising out of complying with the new regulations could be significant. In addition to the costs associated with the notification process, organizations need to consider how they will deal with inquiries from affected individuals and other stakeholders, and anticipate what assistance and information will be required to deal with the fallout of a data breach.
Examples of costs incurred arising out of a privacy breach might include employing a crisis communication team, including legal counsel, information security professionals, public relations consultants, and accountants to provide guidance on:
- Determining the scope of the breach.
- Drafting accurate messages for key internal/external stakeholders (where appropriate).
- Frequency and timing of updates to such stakeholders regarding rectification of the breach.
- Determining cross-border requirements if the organization has global operations, e.g. has customers who are residents of different geographies.
- IT assistance to create a contact database of affected individuals.
- Establishing a call centre to communicate with affected individuals.
- Providing credit monitoring and/or identity theft assistance for affected individuals.
- Determining an appropriate legal strategy in anticipation of litigation.
Organizations will benefit from creating a cyber incident response team (if they do not have one already) in conjunction with testing their cyber incident response plan in light of these regulations, as well as others, such as the European General Data Protection Regulation (GDPR).
Marsh offers the following questions for consideration:
- Are all key internal stakeholders aware of the requirements within the new regulations?
- Do your current breach procedures, protocols and systems adequately address these requirements?
- Where gaps exist, do you have a plan and timeline to address the same?
- Are you in a position to monitor compliance with the new regulations on an ongoing basis?
- Have you considered the financial impact to the balance sheet, i.e. has your organization quantified the relevant/material cyber risks facing your operations?
- Have you explored if cyber insurance can offer utility via competitively priced contingent capital and expert vendor assistance if you suffer a breach (or other cyber events)?
Cyber Insurance: An Element of Effective Cyber Risk Management
The costs involved in investigating and responding to a breach, including notifying affected individuals, paying for legal counsel, employing a crisis communication team, establishing a call centre, and providing credit monitoring can be substantial.
Additional costs may also be realized from third party claims, including regulatory actions and class action litigation following a breach.
Marsh has developed a range of risk assessment and quantification tools and cyber insurance products to help our clients identify, manage, and transfer the risk associated with various cyber events.