Are You Required to Provide a Breach Notification?

This blog was written with the assistance of Geena Holding, summer law student.

Failure to comply with privacy laws can result in hefty penalties and reputational damage. That’s why it’s critical to develop appropriate policies and responses for a data breach.

As we discussed last week, most breaches have the potential to cause significant harm to individuals. This week, we’ll look at what constitutes a breach and when to report it.

What Constitutes a Breach?

The federal Personal Information Protection and Electronic Document Act (PIPEDA) and its provincial counterparts identify three categories of breaches:

  • Unauthorized loss of personal information
  • Unauthorized access to personal information
  • Unauthorized disclosure of personal information

If it is reasonable to believe a breach presents a real risk of significant harm (RROSH) to an individual, the law requires organizations to report the breach to the affected individuals and the Office of the Privacy Commissioner.

What is RROSH?

RROSH is the assessment test used by privacy commissioners to determine the risk level of a breach. Commissioners will consider the sensitivity of the personal information involved in a breach, along with its probability of misuse, to determine the risk.

Personal information includes any factual or subjective information about an identifiable individual. This includes an individual’s age, ethnicity, marital status and any other information that can be used to identify an individual – either on its own or when combined with other information.

Medical and financial information is almost always considered sensitive. However, any information can be sensitive, depending on the context. To determine sensitivity, you may want to consider questions such as:

  • Who accessed or could have accessed the information?
    • The involvement of unknown or unauthorized third parties increases the sensitivity of the information
  • Could the information be used for criminal purposes, such as identity theft or fraud?
    • Contact and identity information is considered particularly useful for identity theft, fraud and phishing
  • Are there any risks associated with the information?
    • Ethnic and racial origins, political opinions, genetic and biometric data, sexual orientation and religious beliefs are considered to have specific risks
  • How many individuals are affected by the breach?
    • A greater number indicates a greater potential for harm, although RROSH has been found where few individuals were affected
  • Are there vulnerable individuals, such as youth or seniors, involved?

The probability of misuse can be determined by examining the circumstances of the breach and how likely it is that someone would be harmed by the breach. When organizations are uncertain about the probability of misuse, privacy commissioners have assumed there is significant risk. You may want to consider questions such as:

  • Was the breach caused by an unauthorized third party?
    • RROSH is more likely if an unauthorized or unknown third party is involved
  • Is there any evidence of deliberate or malicious activity, such as ransomware or theft?
    • RROSH is more likely if a breach is associated with any deliberate or malicious activity
  • Is there any evidence of access to or exfiltration of information?
    • RROSH has been found where there is inconclusive evidence as to whether information was accessed or exfiltrated
  • How long was the information exposed?
    • RROSH has been found where information was exposed for several hours or more
  • Was the information recovered or destroyed?
    • RROSH may not be found if a business can prove that information has not been used, forwarded or retained. However, RROSH has been found in unauthorized access cases regardless of whether information was recovered or destroyed

Privacy commissioners have found RROSH even in cases where a cyber forensic investigation indicated a low likelihood of harm. Retaining a cyber forensic firm to investigate and help contain a breach is often required and considered a mitigating factor, but privacy commissioners are not bound by the results of such investigations.

When Is Notification Required?

Whether or not you are required to report a breach will depend on the jurisdiction in which your organization and your clients are based – this is a factual determination that breach counsel can assist you with.

For example, for organizations subject to PIPEDA, if a breach meets the RROSH test, you must notify affected individuals, the Office of the Privacy Commissioner and any other organizations that can reduce the risk of harm, such as law enforcement.

Ultimately, you are responsible for ensuring you are informed of relevant privacy laws and maintaining appropriate breach policies and response plans. The MLT Aikins Privacy, Data Protection & Cybersecurity team has extensive experience helping clients develop effective strategies to prevent and respond to privacy breaches and as breach counsel for clients. Download our cybersecurity checklist to assess your organization’s current cybersecurity strategy.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.