What do Canada’s New Data Breach Reporting Requirements mean for US-Based Businesses?

On November 1st, the data breach reporting requirements under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect. US companies should be aware of these requirements and evaluate their operations to determine whether the requirements apply and what adjustments may be required to ensure ongoing compliance.

Do the Rules apply to US Companies?

US companies that have operations in Canada are subject to PIPEDA. Companies that don’t have physical operations in Canada are still subject to PIPEDA if they handle the personal information of Canadians.

What Do the Rules Require?

If a company suffers a data breach that could result in a real risk of significant harm to the data subject, the company must provide notice regarding the breach. Companies are required to provide notice to the data subjects, the Office of the Privacy Commissioner (OPC), and any organizations (e.g., law enforcement) that can help mitigate the impact of the breach.

Companies are required to maintain records of data breaches for two years.

What is Considered a Breach of Security Safeguards?

PIPEDA defines a breach of security safeguards as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.”

How Do You Determine if the Breach May Result in Real Risk of Significant Harm?

According to the OPC:

“Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm include the sensitivity of the personal information involved in the breach of security safeguards and the probability the personal information has been/is/will be misused.”

The OPC suggests companies create a consistent assessment framework that can be applied to each breach to determine if it may result in a real risk of significant harm. The framework should evaluate the sensitivity of the data and the potential for misuse. Additional guidance is available here.

What Steps Should Companies Take to Reduce Their Risk?

Perform data mapping and create a data inventory

Know thy data environment. Companies that are unsure about what security safeguards are adequate should perform data mapping and create a data inventory. The results of this exercise should be evaluated to determine the sensitivity of the data and whether the appropriate safeguards are in place.

Implement Appropriate Security Safeguards

Companies must ensure the appropriate security safeguards are in place to protect the data controlled and/or processed by the company. This includes ensuring the appropriate policies, procedures, training, and monitoring are in place. Ongoing monitoring is where companies often struggle, but it is strongly encouraged because it confirms that the security controls are functioning as designed.

The quality of the security safeguards employed by a company will likely be a key consideration when the OPC is evaluating breaches.

Create and Implement a Framework to Evaluate Breaches

The OPC encourages companies to ensure that all breaches are assessed consistently. This requires companies to create and implement a framework that can be leveraged to review each breach. Companies should maintain records of this evaluation process, including records outlining why a company did or did not consider a breach to meet the ‘real risk’ threshold.

Provide Notification When Required

If a company suffers a failure of its security safeguards, and the failure poses a real risk of significant harm, it must notify the OPC and the impacted data subjects. PIPEDA does not specify exactly how this notice should be provided but says the notice must be conspicuous and given directly to the individuals except in a few instances where indirect notification is allowed.

Companies should prepare ahead of time by having a breach response plan in place and by testing that plan periodically. The plan should include the steps that will be followed when evaluating the breach and providing notices to the OPC and impacted individuals.

Maintain Records

PIPEDA requires companies to keep records of all data breaches for a period of 2 years, regardless of whether a breach is determined to meet the ‘real risk’ threshold.

The OPC suggests that, at a minimum, companies keep the following information related to each breach:

  • date or estimated date of the breach;
  • general description of the circumstances of the breach; and
  • nature of information involved in the breach.

Companies must also keep any records necessary to demonstrate whether the breach was reported to the Privacy Commissioner of Canada and whether individuals were notified.

Companies must also keep records to demonstrate compliance with the security safeguards.

Canada’s breach notification requirements are not dissimilar from what we’ve seen in the EU with the GDPR, in certain Canadian provinces (Alberta), and in many U.S. states. The trend is clear. Companies worldwide need to take steps to secure the data they control and/or process and must have a process in place to notify the regulators and impacted data subjects in the event those security safeguards fail.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.