Is your firm not yet ready for the new mandatory breach recording and reporting obligations, which start today?
It isn’t too late, but you’d better get going fast. The Office of the Privacy Commissioner of Canada has resources here. But to get up and running fast, a firm has to begin by documenting its safeguards over all the personal data it holds, that of employees as well as customers and partners. Safeguards can be technical (how a database is protected; only those with authorization can access these files) as well as policies (all documents shall be locked up at the end of the business day). Only once its safeguards are documented will a firm know when one of them has been breached.
Appoint one person to handle reports of a possible breach of those safeguards. That person will have to get up to speed on what breach records have to be kept, and on how to evaluate the “real risk of significant harm” standard that determines whether a breach has to be reported to victims and to the privacy commissioner.
Put in place data protection policies and procedures appropriate to your business, practice what the company will do in case of a breach, and train employees.
Privacy lawyer David Fraser of the Halifax firm McInnes Cooper also offers these five tips:
1 — Understand the new obligations well. The definition of a breach of security safeguards has some “quirks.” It includes loss of data even where no personal information was actually disclosed. Think, for example, of an encrypted hard drive that accidentally went to a landfill. If the encryption was strong, that loss might not have to be reported to victims, but it will still have to be put into the company’s breach records.
2 — Deal with third-party risks to your firm from suppliers. Is your data held by a service provider? As the collector of personal data, your firm is still responsible if there’s a breach. Make sure contracts with third parties include an obligation for them to notify you if there’s a breach of security safeguards. “I’ve seen contracts where it says they’ll tell you if there has been ‘unauthorized disclosure’,” said Fraser, “but that doesn’t cover the law’s requirement for any loss of data or access to the information.”
3 — Deal with employee risk. Every breach of security safeguards, no matter how trivial, has to be documented. Imagine a company policy that no documents can be kept on desks after hours. Imagine one is left on a desk and a cleaner sees it. That’s a breach of the safeguard. Do you have a policy that the employee has to report the incident to a person in authority? Or will the employee shrug and just quietly put the document in the desk? It’s sticky, says Fraser: if the employee is disciplined, the next time something similar happens it might not be reported.
4 — Understand the paper trail. The regulations don’t specify what information a breach record must contain. It should likely include all the information a report to the privacy commissioner must have, plus a full analysis of how the organization concluded that the particular breach doesn’t result in a “real risk of significant harm.” Creating a standardized template form will help.
5 — Protect your legal privilege. Remember that if there’s a lawsuit over a breach, one of the first demands will be to see those records, so be careful what goes in them. These records aren’t protected by solicitor-client privilege, so check with a lawyer about what to include, and about how communications with a consultant that helps with a breach can be protected.
A firm can comply with the new law in a timely manner if it is ready, Fraser said.
“The number one advice I have for my clients is you’re not only going to want to have in place the procedures to deal with breaches when they happen, you’re going to want to reduce the risk of breaches happening in the first place.”