Canada now follows the US trend of requiring notification of personal data breaches. Beginning November 1, 2018, amendments to Canada's federal private-sector privacy law require organizations subject to that law to report data breaches in certain circumstances.
What is the applicable law? The Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the Breach of Security Safeguards Regulations.
Who does this apply to? Organizations that collect, use or disclose personal information in the course of commercial activity in the following Canadian provinces and territories: Manitoba, New Brunswick, Newfoundland and Labrador, Nova Scotia, Ontario, Prince Edward Island, Saskatchewan, Northwest Territories, Nunavut and Yukon. (Alberta, British Columbia and Quebec have their own private-sector privacy laws that have been declared substantially similar, so PIPEDA does not apply to purely intra-provincial activity there. PIPEDA still applies in those provinces to federally regulated businesses such as banks, telecoms and airlines, and to personal information that crosses provincial or national borders.)
What is a reportable breach? A “breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish such safeguards. If the breach involves personal information under the organization’s control and, after a risk assessment, it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to an individual, the organization must report it. “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property. The factors relevant to the assessment are the sensitivity of the personal information involved and the probability that it has been, is being or will be misused. Note that an incident can be a breach of security safeguards (and must be recorded, see below) even if it does not meet the real-risk-of-significant-harm threshold for reporting.
What are the requirements?
Breach reporting, as soon as feasible after the organization determines that a breach has occurred, to:
- Canada’s federal privacy regulator, the Office of the Privacy Commissioner of Canada, in the form prescribed by the Regulations
- Affected individuals, directly unless direct notification would cause further harm, would be an undue hardship or the organization lacks contact information, in which case indirect notification (e.g., a public announcement) is permitted
- Any other organization or government institution that may be able to reduce or mitigate the harm (e.g., law enforcement, or vendors such as payment processors)
- Create and maintain a record of every breach of security safeguards, whether or not it was reportable, for at least 24 months after the day the organization determines the breach occurred (the Privacy Commissioner has recommended five years), and provide those records to the Commissioner on request
What are the penalties for failure to report? Knowingly failing to report a breach to the Commissioner, to notify affected individuals, or to keep the required records is an offence punishable by fines of up to C$100,000, in addition to the reputational damage of a publicly reported finding of noncompliance.
What now? If your company collects personal information directly or receives it from other sources, remain vigilant against data breach threats. With these Canadian breach notification requirements now in force, companies should map their data holdings and determine whether they hold personal information of individuals in Canada. Other proactive steps include: updating internal governance documents to reflect the Canadian requirements (e.g., the breach response plan and its checklists, including the 24-month record-keeping obligation); working with the IT and security teams to identify the risk profile of personal information relating to individuals in Canada and the systems that hold it; updating and delivering breach response training to staff; and running a breach simulation whose fact pattern involves individuals in Canada. Alberta’s experience may also forecast how the federal Privacy Commissioner will approach breach reporting: Alberta’s breach notification obligations under its Personal Information Protection Act have been in effect since May 1, 2010, and its Commissioner’s published breach decisions illustrate how the “real risk of significant harm” threshold is applied in practice.