Cyber Risk Management: Mandatory Breach Reporting & Record Keeping

We previously wrote about the Digital Privacy Act and its various changes to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Read about the general changes to PIPEDA.

One of the most significant changes to PIPEDA included the introduction of mandatory breach notification obligations and record-keeping requirements for organizations.

As these changes are expected to come into force in the coming months, this blog is intended to provide an overview of what organizations can expect when they do.

PIPEDA requires organizations to protect personal information by “security safeguards” appropriate to the sensitivity of the information. This is generally understood to include physical, organizational and technological methods of protecting personal information.

Because the changes to PIPEDA will affect almost every security safeguard an organization has put in place to protect personal information (and will extend well beyond technological breaches of digital information), all organizations are well advised to review and update their cyber risk preparedness strategy to ensure that they meet these new legislative requirements.

Who is required to comply with the breach reporting and record-keeping obligations?

Organizations subject to PIPEDA will be directly impacted by the mandatory breach notification and record-keeping requirements. This generally includes organizations that collect, use or disclose personal information in the course of commercial activities in most Canadian jurisdictions, organizations that transfer such information across domestic or international borders, and federal works, undertakings or businesses (such as banks, radio and television stations, or airports and airlines).

Mandatory breach reporting obligations already exist under the provincial private sector legislation in Alberta, and similar obligations have been proposed under various other privacy regimes, including in British Columbia, Saskatchewan and Manitoba. In addition, regulators in many jurisdictions already recommend at least some form of voluntary reporting and record keeping requirements.

As such, although the changes discussed in this blog will mainly impact organizations that are subject to PIPEDA, it is expected that most organizations handling personal information in Canada are currently, or will in the near future be, required to comply with some form of breach reporting and record-keeping requirements.

What are the obligations?

  1. Breach Reporting

    The PIPEDA amendments will require organizations to provide notice of a breach of security safeguards that results in the loss of, unauthorized access to or disclosure of personal information, where such breach results in a “real risk of significant harm” to an individual. The notice must be provided to the Office of the Privacy Commissioner and, with some limited exceptions, to the individuals whose personal information is involved. The amendments will require organizations to assess breaches on a case-by-case basis to determine whether breach notifications are required.
    The existing or proposed breach reporting obligations under other privacy regimes are generally similar to what is contemplated under PIPEDA. However, specific jurisdictional differences exist and organizations will need to review and take such differences into account.

  2. Record Keeping

    The amendments will also create an additional obligation for organizations to maintain records of a breach even if notification of the breach is not required. More specifically, organizations are required to maintain a record of every breach of security safeguards involving personal information and to provide this record to the Commissioner upon request. It is important to note that this obligation will extend to every breach of security safeguards involving personal information that is under the control of the organization and not just breaches that might result in a real risk of significant harm to an individual. The change to the legislation aims to provide a mechanism for the Commissioner to oversee the breach reporting requirements and to require organizations to systematically document breaches regardless of their risk and severity. As such, all organizations that are subject to PIPEDA will need to carefully consider the information that should be included in these records.

It is expected that regulations to PIPEDA will be put into place to prescribe the mandatory breach notification and record-keeping obligations in further detail. The regulations may include, for example, further factors to determine when a real risk of significant harm exists, the required form and contents of breach notifications, and the associated record-keeping requirements.

When will the breach notification and record-keeping obligations be in force?

Although the proposed amendments to PIPEDA relating to these obligations are not yet in force (and are thus not law), it is expected that draft regulations prescribing the details of the notification and record-keeping requirements will be published for public consultation in the coming weeks. It is further expected that the proposed amendments will come into force at the same time as the related regulations – likely in late 2017.

As noted above, obligations under other regimes have been proposed or are already in force.

How should organizations prepare for their new obligations?

Preparation is one of the most effective ways that organizations can mitigate the risks associated with data and privacy breaches. All organizations impacted by the changes should review and update existing documentation and practices to ensure that they address the breach notification and record-keeping obligations.

Among other things, organizations should consider the following steps:

  • Determine and understand the organization’s specific obligations under the legislation and regulations.
  • Review and update or develop policies and procedures to enable the organization to meet the various components of these obligations, including those relating to risk assessment, notification to individuals, reports to regulatory bodies, notices to third parties, and record keeping.
  • Review and update or develop incident response plans which identify the steps to take when breaches occur. Such plans should set out a clear and easy-to-use framework and guidelines for the organization to respond to breaches, including meeting mandatory breach reporting and record-keeping obligations.
  • Review and update any contractual agreements involving personal information to ensure that the organization is able to meet its obligations.
  • Appoint individuals responsible for assisting the organization to prepare for and respond to breaches, including meeting the organization’s breach reporting obligations and record-keeping requirements.
  • Implement appropriate training and awareness programs for all individuals who handle personal information on behalf of the organization.

Organizations should consult experienced legal counsel to assist them in determining how the breach notification and record-keeping obligations will impact them, and to review and update or develop appropriate strategies to meet these obligations. Organizations should also consider consulting legal counsel regarding the implementation of data protection strategies and other compliance tools to ensure their information is protected to the extent possible in the event of a breach.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.