It’s long been known that for many pieces of federal and provincial legislation, the regulations cabinet approves — but the wording of the law can have as much if not more impact on organizations.
That’s because the regulations have the real nitty-gritty that C-level executives have to deal with by defining terms and conditions.
It’s particularly true with the mandatory data breach notification and reporting regulations Ottawa is about to write for organizations that fall under the Personal Information Protection and Electronic Documents Act (PIPEDA).
Last year’s Digital Privacy Act changed the current voluntary breach notification regime to one that forces organizations to be more transparent. But that part of the law doesn’t kick in until the regulations are set.
Now the work on the nitty-gritty — when organizations have to notify customers and partners of a breach involving personal records, what they have to be told, when and what the federal privacy commissioner has to be told and how much breach information organizations have to keep track of — has begun.
Last month Innovation, Science and Economic Development Canada issued a 26-page discussion paper outlining issues and asking for answers to 26 questions that will help the government frame the regulations.
Organizations have until the end of May to reply.
That won’t be the end of things. Ottawa has promised there will be another opportunity for comment when a full set of draft regulations are published, likely this year, before being finalized.
Still, it’s important chief security and privacy officers get their opinions to the national capital before the regulations are cast in stone.
“There should be a huge interest in people commenting on this,” says IT and privacy lawyer Barry Sookman of the firm McCarthy Tetrault.
Since the Digital Privacy Act was passed eight months ago the broad strokes of the legislation’s notification requirements have been known:
–As set out in section 10.1 organizations will have to notify the federal privacy commissioner and affected individuals and relevant third parties (in certain circumstances) about “breaches of security safeguards” that pose a “real risk of significant harm” to affected individuals;
–“significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft among others. Factors that organizations will need to consider when assessing the presence of a real risk of significant harm include the sensitivity of the information involved and probability that the information was or will be misused (or any other prescribed factor);
–the notification has to contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. It shall also contain any other prescribed information set out in the regulations;
–organizations will have to keep a record of all breaches involving personal information and provide a copy to the privacy commissioner on request;
–Failure to report to the commissioner or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches could cost an organization up to $100,000.
That’s a lot, but privacy experts zoom into two areas organizations may worry about the most and want Ottawa to clarify in the regulations: The record keeping and how corporate officials will define risk to affected individuals.
“The part I think that is going to be the greatest consternation to everybody is … record keeping,” said Sookman.
Organizations have to keep a record of every breach of their security safeguards or safeguards they should have had — regardless of whether there’s a risk of significant harm to individuals, he notes.
That means, for example, if the infosec team discovers an intrusion but no deletion or copying of data the incident still has to be recorded.
The provision, the discussion paper explains, gives the organization — and the privacy commissioner — an idea if there’s a pattern to breaches. But, as Sookman points out, the law leaves it up to the regulations to spell out what details have to be recorded.
To help CISOs/CPOs offer an opinion the discussion paper notes the European Union requires organizations to record “the facts surrounding the breach, its effects and the remedial action taken.”
“Because there’s no materiality standard (in the Digital Privacy Act), too much, probably has to be recorded,” says Sookman. “There should be some kind of materiality standard so there’s not too much that has to be recorded for no good reason.”
The other major area of concern the regulations should clarify is the law’s requirement that organizations notify affected people and the privacy commissioner of a breach of security safeguards when it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual,” said.Ann Cavoukian, the former Ontario privacy commissioner who now heads Ryerson University’s Privacy and Big Data Institute.
“That’s really tough,” she said, for it’s a subjective test: What’s a real risk of significant harm?
To help, the law itself identifies two factors for an organization to consider: the sensitivity of the information (for example, is it health or financial data, or merely a street address) and “the probability the information will be misused.”
Is that obvious, or should the regulations be more specific? These days arguably any information can be misused. On the other hand, if there’s a breach but no evidence personal data has been read or exfiltrated should the organization have to give notification?
“The situational analysis (organizations will) have do to I think is extremely difficult,” said Cavoukian.
The discussion paper asks readers if the regulations should specify additional risk assessment factors.
It also asks if the regs should state that if personal data is appropriately encrypted the risk to individuals should be assumed to be low. (Cavoukian says yes, if strong encryption is used).
Other questions the discussion paper raises include whether organizations should report more or less information to the privacy commissioner than they already do, including an assessment of the type and likelihood of harm to an individual from a breach, whether all elements of a report to the commissioner should be completed before a report is filed (or whether a partial report is OK until more details are available), and how the report should be filed (electronic or paper).
For notification to individuals, the paper asks if the regs should spell out what should be sent or is the law clear enough, and when direct or indirect notification (like a notice on a Web page or a press release that would get widespread viewing) is appropriate.
For each of these and other questions the discussion paper includes background material and references legislation in other jurisdictions to help readers.
Finally, there is the possibility that the legislation is so full of holes organizations won’t have to do very much. That’s the opinion of John Lawford, executive director of the Public Interest Advocacy Centre (PIAC).
“We believe the underlying act isn’t strong enough and not much will be reported.” he said.
“The way the act is worded they’re leaving companies to decide what’s real risk of significant harm, and the companies, if they have a data breach that they don’t feel like reporting just have to keep a record in the back room.”
“It’s like the Scarlet Letter: You do something bad, you keep a record, you put it in a vault and nobody knows. How good is that to consumers?” Instead, he said, organizations should have to report every breach to the commissioner, who — as in Alberta, can order individuals have to also be notified.
“There’s going to be no more data breach reporting than there was before. In fact there probably will be less.”
Sookman has a different view. The way it is written “this act will prompt organizations to-over report,” he predicts.