The re-posting of this article is part of a cross-posting agreement with CyberLex.
The Office of the Privacy Commissioner of Canada (“OPC”) has provided its views on the data breach reporting and notification requirements that are soon to be prescribed by regulation under the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”).
On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) received Royal Assent in Canada’s Parliament. The Digital Privacy Act amended PIPEDA. Among other important changes, it amended PIPEDA to require mandatory notification of both the OPC and affected individuals, and introduced a record-keeping requirement (with fines for organizations that fail to meet either of these new requirements).
These new data breach requirements in PIPEDA will come into force once the Government passes regulations, and to that end, the Government has circulated a Discussion Paper and solicited comments.
The OPC has provided its Submission, and as the body charged with administering and ultimately enforcing the resulting regulations, the OPC’s views are of significance (although they are not determinative of the final form of the regulations).
When Organizations Will Need to Report
A challenge organizations face when dealing with a breach affecting personal information is whether to report the breach to the OPC. Reporting is currently voluntary, but this dilemma will not go away when it becomes mandatory; rather, the question will simply become one of how to determine whether the trigger (“real risk of significant harm”) has been met.
The OPC is of the view that the current set of factors enumerated in subsection 10.1(8) of PIPEDA is sufficient and that any further guidance on conducting a risk assessment could be provided by the OPC in due course. [1]
The Discussion Paper had also asked whether encryption should provide a kind of “get out of jail free” card, insofar as encrypted information that is lost or accessed would be presumed to present no, or only a low, “real risk of significant harm”. The OPC was against equating encryption with a diminished risk of significant harm. This raises the question of why the OPC has regarded the use of encryption as an adequate security safeguard to be considered under Principle 4.7.3.
What the Report Should Look Like
The OPC is of the view that any new mandatory breach reports should be in written form (digital or paper) and require the following information:
- Name of responsible organization;
- Contact information of an individual who can answer questions on behalf of the organization;
- Description of the known circumstances of the breach, including:
  - Estimated number of individuals affected by the breach;
  - Description of the personal information involved in the breach;
  - Date of the breach, if known, or alternatively estimated date or date range within which the breach is believed to have occurred;
  - A list of other organizations involved in the breach, including affiliates or third party processors;
- An assessment of the risk of harm to individuals resulting from the breach;
- A description of any steps planned or already taken to notify affected individuals, including:
  - date of notification or timing of planned notification;
  - whether notification has been or will be undertaken directly or indirectly and, when applicable, rationale for indirect notification;
  - a copy of the notification text or script;
- A list or description of third party organizations that were notified of the breach, pursuant to s. 10.2(1) of PIPEDA, as well as Privacy Enforcement Authorities from other jurisdictions;
- A description of mitigation measures that have been or will be undertaken to contain the breach and reduce or control the risk of harm to affected individuals;
- A description of the organization’s relevant security safeguards, taking into consideration any improvements made or committed to, to protect against the risk of a similar breach reoccurring in the future.
The information is not substantially different from that already required by Alberta, which already has a mandatory breach reporting regime, although the OPC’s proposed approach would require more detail. [2] Also, the proposal that organizations provide a “description of the organization’s relevant safeguards” is not found in the Alberta requirements and may give rise to privilege and litigation risk issues. As well, organizations are likely to balk at disclosing this information because it potentially telegraphs an organization’s security strategy and vulnerabilities to bad actors. This is particularly true since this information is at risk of public disclosure via the Access to Information regime.
The OPC believes organizations should have an ongoing obligation to provide updates “as soon as feasible”, a requirement also not found in the Alberta requirements.
What Notification to Individuals and Third Parties Should Look Like
The OPC essentially adopts its own document, “Key Steps for Organizations in Responding to Privacy Breaches”, and proposes that the regulations require the following elements to be included in notifications to affected persons:
- Description of the circumstances of the breach incident;
- Date of the breach, if known, or alternatively estimated date or date range within which the breach is believed to have occurred;
- Description of the personal information involved in the breach;
- Description of the steps taken by the organization to control or reduce the harm;
- Steps the individual can take to reduce the harm or further mitigate the risk of harm;
- Contact information of an individual who can answer questions about the breach on behalf of the organization;
- Information about right of recourse and complaint process under PIPEDA.
The OPC is of the view that direct notification should be required (i.e. direct communication with each affected individual) and that indirect notification (e.g. via newspaper ads, websites, etc.) should be allowed only with permission and only in certain circumstances. Organizations will be pleased to know that the OPC accepts that “prohibitive costs to the organization and [unreasonable interference] with its operations” are among the circumstances in which the OPC would accept indirect notification. However, the OPC suggests that organizations must first “[demonstrate] that they may validly use indirect notifications”. It is unclear whether, to be “valid”, an organization will have to demonstrate, for instance, prohibitive costs or other criteria, or whether “validity” will be evaluated on the basis of the likelihood of the message effectively reaching the target demographic.
On this latter point, the OPC is of the view that indirect notification would need to be directed to the appropriate geographic market, be relevant to the product or service and the type of customer interaction, run for an appropriate length of time and in plain English, and, where appropriate, allow organizations to use third parties to conduct such notification.
With respect to the notification of third parties (potentially vendors, industry organizations, other organizations in that sector), the OPC has sensibly supported a permissive approach to notifying third parties, instead of a mandatory one.
What an Organization’s Record-Keeping Obligations Would Be
The OPC appears to regard the new record-keeping requirements (which require organizations to keep a record of all breaches of security safeguards) as a mechanism for general oversight.
The OPC is of the view that such records should include “sufficient information to demonstrate compliance with PIPEDA’s new notification requirements and should contain sufficient information to enable the Office to effectively perform its oversight functions.” More significantly, “[t]he content of these records should also assist the OPC in understanding the process through which organizations determine whether or not to notify affected individuals.”
Relying on this, the OPC believes the following data elements should be included in records of breaches:
- Date or estimated date of the breach;
- General description of the circumstances of the breach;
- Nature of information involved in the breach;
- Summary and conclusion of the organization’s risk assessment leading to its decision whether to notify/report or not.
These are not particularly onerous, except that including a rationale as to whether or not to report such a breach introduces fertile ground for plaintiffs’ lawyers to explore as they make a case for negligence or breach of privacy. Organizations that knowingly fail to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or that knowingly fail to maintain a record of all breaches, could face fines of up to $100,000 per violation.
As a consequence of this, organizations will be torn between sufficiently documenting such breaches in order to demonstrate that they evaluated reporting the breach to the OPC and affected individuals (thereby avoiding “knowingly” failing to report) and not including so much information that it could be subsequently used against them.
The OPC would like to see all such incidents documented and recorded on an individual, non-aggregated basis. For organizations such as financial institutions or large retailers which face upwards of 200 threat incidents a week, this could be onerous.
With respect to retention, the OPC suggests that records be maintained for a period of five years from the date of creation of the record, after which records could be destroyed.
An Organization’s Obligations to Non-Canadians
The OPC notes that organizations that are subject to PIPEDA may collect personal information which pertains to individuals who reside outside of Canada (for instance, residents of the U.S.). As such, the OPC is of the view that the data breach notification and reporting requirements should consider the extent to which organizations may have to notify individuals outside of Canada who may be affected by a data breach suffered by an organization subject to PIPEDA. At a minimum, the OPC suggests that the regulations should require organizations to consider the breach notification laws of those jurisdictions, as well as any local notification requirements.
Future OPC Guidance
The OPC clearly sees itself as playing an instrumental role in the future privacy landscape, and has indicated that once the Government passes final regulations it is prepared to develop guidelines that will complement the content of the regulations and provide additional compliance assistance for organizations.
© McCarthy Tétrault LLP
Kirsten Thompson is Counsel in McCarthy Tétrault’s National Technology Group.
[1] Subsection 10.1(8) reads: “The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include (a) the sensitivity of the personal information involved in the breach; (b) the probability that the personal information has been, is being or will be misused; and (c) any other prescribed factor.”
[2] Section 19 of the Personal Information Protection Act Regulation, Alta Reg 366/2003.