Written by Martin P.J. Kratz, QC
By Order in Council 2018-0369 on March 26, 2018, mandatory breach notification under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), comes in force November 1, 2018, for all entities subject to its jurisdiction.
The PIPEDA rules follow Alberta’s leadership, which has had mandatory breach notification for eight years. In Canada, provincial health privacy laws in Ontario, New Brunswick and Newfoundland and Labrador also contain reporting requirements. Most U.S. states have mandatory breach notification requirements. It is recognized that notification of the affected individuals is a key factor in mitigation of risk in instances of cyber breach.
The national mandatory breach notification rules includes a mandatory requirement for organizations to give notice to affected individuals and to the Office of the Federal Privacy Commissioner about data breaches where it is reasonable to believe that the breach creates a "real risk of significant harm to the individual." Unlike Alberta’s law, PIPEDA provides for some factors relevant to consider in determining whether there is a "real risk of significant harm", and what constitutes "significant harm". Under PIPEDA "significant harm" includes, among other things, humiliation, damage to reputation or relationships and identity theft. A "real risk" requires consideration of the sensitivity of the information, the probability of misuse and other factors.
The notification under PIPEDA is to be given "as soon as possible" after the breach has occurred. Under regulation, the specific content required of both a breach notification to the Federal Privacy Commissioner and to affected individuals has been specified.
Unlike the Alberta law, PIPEDA also requires where notification has been provided to individuals that the organization may be required to notify other organizations and the government where such notifications may reduce risks or mitigate harm. PIPEDA will also require organizations to keep and maintain records of every breach of safeguards involving personal information under their control. The Federal Commission can require an organization to provide a copy of such records to the Commissioner.
Organizations preparing for cyber breaches should contemplate that breach notification can be risk mitigating and will as of November 1, 2018, be mandatory for many organizations in Canada.
Notification responsibilities will arise under law and under many other relationships, for example, with insurers and under financing covenants. Evidence from a study of cyber breaches show that time and money can be saved if an organization has assessed its notification responsibilities before an incident has occurred. Now is the time to consider your notification plan.