Companies covered under federal law will have to report data breaches to customers, affected third parties and the federal privacy commissioner starting November 1, the government has decided. However, Ottawa still hasn’t proclaimed the regulations that firms will have to follow, which is puzzling privacy law experts.
The proclamation of the implementation date for the long-awaited mandatory breach notification regime was made quietly March 26 by the cabinet in an order-in-council.
That gives companies seven months to prepare internal processes to comply with the regulations, including creating a record of any data breach. They have a rough idea of what’s coming because draft regulations were released last September. But until they are proclaimed details of exactly what companies have to do to comply are still unknown.
A news story Tuesday on the site iPolitics.ca, which discovered the March 26 announcement, appears to have caught everyone off guard. Some privacy experts thought that any data breach notification news would be tied in with the expected announcement of the government’s updated cyber security strategy. No data for that has been set.
“I’m surprised,” said Halifax privacy lawyer David Fraser of the firm McInnes Cooper, said in an interview today of the quiet announcement. “Given that this is one of the most significant amendments to our privacy law in years, and its something the government could easily spin as a good news story to consumers I would have thought the government would have wanted a little bit of traction around it.”
“It is a bit of a head-scratcher.”
At press time request this morning to the press spokespersons for the Industry Minister (now the ministry for Innovation, Science and Economic Development) had not replied to a question on when regulations wiill be proclaimed.
UPDATE: In a email Karl Sasseville, press secretary to Innovation Minister Navdeep Bains, said the final regulations will come into force “in the coming months.”
Under the data breach notification obligations companies
- Must determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach by conducting a risk assessment. The assessment of risk must consider the sensitivity of the information involved, and the probability that the information will be misused. The law defines significant harm to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft;
- When the organization considers that a breach is posing a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada as soon as feasible;
- The company must notify any other organization that may be able to mitigate harm to affected individuals.
Companies in all provinces except British Columbia, Alberta and Quebec — which have their own privacy laws — as well as federally-regulated firms including banks, telecom companies and transporation firms, will be covered by the federal data breach notification obligations.
Firms have long known this was coming. The implementation of the data breach notification regime has been hanging around since June, 2015 and the passage of the Digital Rights Act, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA). The breach notification section was suspended to give companies time to comment.
The draft regulations suggest organizations would have to keep a record of every breach of security safeguards for no more than 24 months after the day the breach has occurred. That time-line is only firm when the regulations are proclaimed.
Similarly, the proposed regulations wouldn’t impose a new method of record-keeping for breach reports. A copy of the report as sent to the federal privacy commissioner would be sufficient. Again, the record-keeping obligation is only set when the regulations are final.
The regulations also will set out exactly what information has to be sent to affected parties. The proposed regs say notification to possible victims has to include
– a description of the circumstances of the breach;
— the day on which, or period during which, the breach occurred;
— a description of the personal information that is the subject of the breach;
— a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
— a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
– a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
— information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner.
