Data breaches: Remember to Notify!

As of November 1 2018, reporting data breaches to Canada’s Office of the Privacy Commissioner (“OPC”) and to the individuals whose data was compromised will be mandatory for organisations subject to the Personal Information Protection and Electronic Document Act (“PIPEDA“). Failure to comply can cost up to $100,000.

Hardly novel, mandatory data breach notification is already required by the European General Data Protection Regulation (“GDPR”) as well as by Alberta’s Personal Information Protection Act (“PIPA”). In the United States, forty seven states, the District of Columbia, Puerto Rico and the Virgin Islands have also taken breach notification initiatives.

What this means concretely is that, as of November 1, organisations will have to inform the OPC and affected individuals of “any breach of security safeguards involving personal information under [the organization’s] control if it is reasonable in the circumstances to believe the breach creates a real risk of significant harm to an individual”. Typically such breaches occur as a result of hacking, theft, loss or accidental disclosure of personal information to the wrong people.

Significant harm includes humiliation, bodily harm, financial loss, identity theft, damage to reputation or relationships, damage or loss of property and negative effects on credit records. Moreover, Alberta has provided guidelines on what constitutes a real risk of significant harm.

These include:

• the sensitivity of the information involved in the breach;
• the probability that the information has been, is being, or will be misused; and
• any other prescribed factors.

The notification must occur as soon as reasonably possible either directly:

• by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner;
• by letter delivered to the last know home address of the affected individual;
• by telephone; or
• in person.

Indirect notification is also permitted if:

• giving direct notification would cause harm to the affected individual;
• the cost of giving direct notification is prohibitive for the organization; and
• the organization does not have contact information for the affected individual or the information that it has is out of date.

Indirect notification can be provided by a conspicuous message posted on the organization’s website for at least 90 days or by means of an advertisement that is likely to reach the affected individuals.

Notification to the OPC must describe:

• the circumstances, and if known, the cause of the breach;
• the date on which and the period for which the breach occurred;
• the personal information concerned;
• the number of individuals concerned;
• the measures taken to mitigate the risk of harm to the individuals;
• the steps the organisation has taken to notify the individuals of the breach; and
• the name of a contact person appointed by the organisation to answer OPC questions on the breach;

The notification to the affected individuals must describe:

• the circumstances, and if known, the cause of the breach;
• the date on which and the period for which the breach occurred;
• the personal information concerned;
• the measures the organisation has taken to mitigate the risk of harm to the individuals;
• the measures the affected individuals could take to the reduce or mitigate the risk of harm; and
• the organisation’s internal complaints process and the individual’s right to file a complaint with the OPC.

The notice to the individual must also provide a toll-free number or email address the affected individuals can contact to obtain further information.

Finally, organizations are required to keep records of data breaches for 24 months Although this data breach notification provision may seem like yet another regulatory hoop through which organizations must jump, it is also an equaliser. Organisations that failed to report security breaches in the past to avoid poor press and potential market retaliation will now be forced to be transparent with respect to their data security.

For further information of data breach notification or any other privacy matter, please contact us at www.bcf.ca.