The federal privacy commissioner’s office hasn’t given up hope that Ottawa will make companies include more detail about data breaches when they report security incidents to it, as required under the new law.
In a response to the government’s proposed data breach reporting regulations, which were released last month, the office complains that “a number of key issues” it recommended have been left out of the rules. “We believe this may challenge the regulations’ ability to fully achieve the sought-after benefits to organizations, individuals and the Digital Economy,” the office says.
In particular the office says not requiring a company filing a breach report to the commissioner to include information on the state of its relevant safeguards “sends a signal that prevention of breaches is less important than mitigation of breach impact after the fact.
“Such information would give our office the opportunity to supplement information obtained through breach records, allowing us to develop a broad understanding of the overall challenges with respect to security safeguards and breaches in the marketplace,” says the submission. “In turn, this would support our ability to more effectively advise and guide organizations on how to improve their security practices and better protect Canadians’ personal information.”
In response to an ITWorldCanada.com request for more detail on what the commissioner’s office wants, a spokesperson said a report could include “administrative, technical, and governance practices” relating to data security before and after the breach.
In addition, the commissioner says breach reports should contain an organization’s assessment of the risk of harm to people or firms caused by the breach. This is a “crucial assessment requirement,” says the submission. Similar requirements are included in the breach notification rules of Alberta and the European Union, the submission points out.
Under the government’s proposed requirements in a breach notification to the privacy commissioner, companies would have to include “a description of the circumstances of the breach and, if known, the cause,” as well as “a description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm.” While these are minimum requirements, the commissioner wants companies to go beyond that.
For example, the report should include “a description of mitigation measures that have been or will be undertaken to contain the breach and reduce or control the risk of harm to affected individuals.”
Knowing what measures are being taken to prevent a further breach will be helpful to the privacy commissioner, the submission says.
It should also include “a description of the organization’s relevant security safeguards, taking into consideration any improvements made or committed to, to protect against the risk of a similar breach reoccurring in the future.”
Companies should also have to keep records relating to a breach for five years, not two years as the draft regulations recommend, the privacy commissioner says.
The government is considering responses to the draft regulations. It hasn’t said when the final version will be proclaimed. Some companies have urged the government to give the private sector at least 18 months’ notice before the regulations come into effect, but the privacy commissioner says that’s too long.
The regulations are part of an update to the federal Personal Information Protection and Electronic Documents Act (PIPEDA), requiring for the first time that companies coming under federal jurisdiction report to victims that their personal information may be at risk from a data breach. A report also has to go to the Privacy Commissioner, who is now charged with giving effective data protection oversight of companies that have suffered a breach and verifying that organizations are complying with the breach notification requirements.
As for what the commissioner will do with the breach report, a spokesperson says that under PIPEDA he/she may make breach information public if it is deemed to be in the public interest to do so. “This is something we consider on a case-by-case basis,” the spokesperson said.