Organizations following the federal privacy law would have to keep a record of every breach of security safeguards for no more than 24 months after the day the breach has occurred, according to new proposed regulations to Canadian law requiring firms to report breaches to customers and the privacy commissioner.
In addition, the proposed regulations wouldn’t impose a new method of record-keeping for those breach reports. A copy of the report as sent to the federal privacy commissioner would be sufficient, say the draft regulations released earlier this month, which means a paper copy in a file folder would do.
Many organizations will be familiar with the proposed format for notifying potential victims because it is similar to best practices already recommended by the federal privacy commissioner.
Those minimal requirements should come as a relief to businesses that have been waiting almost two years for clarification, says Montreal-based privacy lawyer Eloise Gratton of the Borden Ladner Gervais law firm.
“I don’t think these regulations come as a big surprise,” she said in an interview Tuesday. Many of the proposals are close to those suggested by federal privacy commissioner Daniel Therrien during a public consultation last year, she added.
“Some people have concerns with the two years [requirement]. I thought it was reducing the burden because we didn’t have a threshold. Now at least we know it’s two years.”
A lot of her firm’s clients feared being forced to set up a new – and potentially costly – record-keeping system for data breaches involving personal information of customers and partners, she said. “The fact that they can keep the report that is filed with the OPC (Office of the Privacy Commissioner) as the record removes the uncertainty, and it’s not very burdensome: You’ve already prepared the report.”
The only concern for Gratton is a proposal that an email data breach notification to a potential victim is legally acceptable only if the person has previously consented to receiving electronic communications from the company. Otherwise an acceptable alert would have to be sent by physical mail, which, she noted, could be expensive.
On the other hand, John Lawford, executive director of the Public Interest Advocacy Centre (PIAC), said the proposed regulations don’t change what his organization feels is toothless legislation. “We think it leaves excessive discretion in the hands of companies to decide if something is a serious breach or not.”
Organizations have to report to the commissioner and victims only when there is a “real risk of significant harm,” he noted, and it is the company that gets to decide whether that threshold is met.
However, the legislation defines significant harm to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft.
PIAC wanted Ottawa to follow Alberta law: there, every breach has to be reported to the provincial privacy commissioner, and that official decides whether the data breach is serious.
While organizations that fail to report breaches to victims or the OPC can be fined up to $100,000, Lawford considers that small.
Organizations have until Oct. 2 to file objections to the proposals to the department of Innovation, Science and Economic Development. The regulations will likely come into force sometime next year because the government wants to give organizations time to adjust their policies and procedures.
In the meantime the government will also work with the federal privacy commissioner’s office to provide guidance to organizations on how to conduct a risk assessment after detecting a data breach, which will be required to determine if customers, employees or partners are at a “real risk of significant harm” from the breach.
The proposals, released earlier this month, flesh out the new victim notification and reporting obligations organizations will have to obey when amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) come into force. Some of the amendments, formally called the Digital Privacy Act and passed in 2015, are already in effect but not the data breach notification sections.
The requirement to file a report with the privacy commissioner’s office gives heft to that body, which will gain the power to conduct an audit or launch an investigation based on a record or group of data breach records.
The commissioner can also use data breach information to increase awareness and understanding of the extent and nature of data breaches in Canada, the government says. It isn’t clear if the commissioner will publicly release every data breach notice received, or how much detail would be released.
Note also that while government records can be the subject of an access to information request (potentially a great source of information for competitors or criminals), under recent changes to the law there is an exemption from disclosure of any data breach record or data breach report in response to an access to information request.
Under the proposed regulations, organizations suffering a data breach would have to determine if the breach poses a “real risk of significant harm” to an individual whose information was involved in the breach. If so, the individual and the privacy commissioner have to be notified.
The report to the commissioner has to include:
(a) a description of the circumstances of the breach and, if known, the cause;
(b) the day on which, or the period during which, the breach occurred;
(c) a description of the personal information that is the subject of the breach;
(d) an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm;
(e) a description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm;
(f) a description of the steps that the organization has taken or intends to take to notify each affected individual of the breach in accordance with subsection 10.1(3) of the Act; and
(g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.
Notification to possible victims has to include:
– a description of the circumstances of the breach;
– the day on which, or period during which, the breach occurred;
– a description of the personal information that is the subject of the breach;
– a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
– a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
– a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
– information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner.
Notification could be given by email or any other secure form of communication if the affected individual has consented to receiving information from the organization that way. If not, notification could be by letter, phone or in person.
Under certain circumstances notification could also be given by a conspicuous message posted on the organization’s website for at least 90 days, or by an advertisement in a publication likely to be seen by the affected individuals. Those circumstances include: direct notification would cause further harm to the affected individual; the cost of direct notification is prohibitive for the organization; or the organization does not have contact information for the affected individual, or the information it has is out of date.
In a statement accompanying the draft regulations the government says it expects business costs for complying with the obligations will be “nominal.”
The proposed regulations reflect in large part existing best practices that have been established under the voluntary reporting initiative of the federal privacy commissioner and under equivalent legislation in certain provinces, the government statement notes. “Given that these practices have been in place for several years, it is expected that many regulated organizations will have already incorporated them to some degree into their own policies and procedures.”
The government also believes the regulations will bring Canada’s data breach reporting obligations into compliance with the European General Data Protection Regulation (GDPR), which comes into effect in May 2018.