Mandatory Data Breach Notification Rules Now in Effect
As a valued business partner, your Cowan team is here to ensure you have the information you need to protect your business. We want to make you aware of changes to the Privacy Act which recently took effect, to give you the opportunity to discuss how these amendments might impact your business.
The Digital Privacy Act (Bill S-4) has amended the Personal Information Protection and Electronic Documents Act (PIPEDA) effective November 1, 2018. The new rules govern the recording and reporting of data breaches and apply to all organizations and businesses, regardless of size, that hold individuals’ personally identifying information. Any breach of an organization’s security safeguards that poses a “real risk of significant harm” to individuals must now be reported to the affected individuals and to The Office of the Privacy Commissioner of Canada. Organizations that knowingly fail to report or maintain a record of all breaches could face fines of up to $100,000 per offence.
When to report.
Reporting is mandatory when it is reasonable to believe that a material data breach has created a real risk of significant harm to an individual—including bodily harm, humiliation, damage to reputation, financial loss and identity theft. Reporting must be made “as soon as feasible after an organization determines that a breach has occurred.” Data breach notification and record-keeping requirements are outlined in Breach of Security Safeguards Regulations, found on the Government of Canada’s website.
What and to whom to report.
A report must include the circumstances of the breach, its date and duration, the personal information that was breached, the steps the organization has taken to reduce the risk of harm, the steps individuals can take to reduce their own risk, and contact information for further details about the breach. Organizations must notify affected individuals and any third parties who “may be able to reduce the risk of harm.” The breach must also be reported to The Office of the Privacy Commissioner of Canada (OPCC).
The new legislation requires businesses to maintain a “record of every breach of security safeguards involving personal information under its control.” The record must be ready and available to be shown to the Privacy Commissioner upon request. A record of every breach must be maintained for at least 24 months after the day on which an organization determines that a breach occurred. OPCC is requesting this be amended to five years.
Is your organization ready?
To comply with new requirements, organizations should:
- create or update breach response protocols
- establish legal frameworks
- create a breach response team
- design templates for data breach reports
- create a system for retaining data breach records
- update internal policies and training materials
The obligations to notify and to report arise when a breach causes “significant harm” involving personal information your organization is required to protect. “Significant harm” is broadly defined, and the determination is left to your organization; using cloud services does not eliminate your reporting obligations. In a breach situation, would you know what information was accessed, and could you determine whether significant harm has resulted?
Are you protected?
Commercial property and liability policies often do not cover data breach costs. Cyber Liability Insurance is fundamental to managing your organization’s risk and having the resources needed to meet legislative requirements. In the event of a data breach, Cyber Insurance not only includes coverage for costs arising from the breach—it also gives your organization access to data breach consultants and a panel of financial, legal and public relations experts, ready to assist you when you need them most.
The level of cyber coverage your organization needs is based on your unique needs and can vary depending on the range of exposure.
Please talk to Cowan to ensure your current coverage meets your insurance and risk management needs.
Visit cowangroup.ca for more information.
The Office of the Privacy Commissioner of Canada has resources to help businesses understand their obligations under PIPEDA. For more information, visit The Office of the Privacy Commissioner of Canada.