With Canada’s mandatory breach reporting requirements coming into force under the updated Personal Information Protection and Electronic Documents Act (PIPEDA) on November 1, 2018, all domestic and foreign organizations subject to PIPEDA (i.e. any organization that collects, uses, or shares the personal information of consumers in Canada) now have to fulfill three herculean requirements[1]:
- They will have to report to the Office of the Privacy Commissioner of Canada any breach of security safeguards that it is reasonable to believe creates a “real risk of significant harm” to an individual.
- They will have to notify the individuals affected by such breaches as soon as feasible. “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
- They will have to keep a record of every breach of security safeguards, whether or not it was reported, for at least 24 months after determining that the breach occurred.
Vice-President of Compliance for Box, Crispen Maung, says “In addition to being able to demonstrate that they have an effective data protection program in place, organizations will have to prove that they have done everything practical to restrict the access to data and also to manage and control that data while it’s in their custody.” The PIPEDA update also demands that organizations improve their data security and due diligence initiatives. They must have suitable digital safeguards[2] and establish “a comprehensive cybersecurity program, with risk assessment tools, breach response protocols, service provider management, and continuous updates to the inventory of personal information”[3].

Knowingly failing to report a breach, to notify affected individuals, or to keep the required records can result in fines of up to $100,000 per violation. This penalty, along with the nebulous nature of the Act, has Canadian organizations anxious about the measures they must take to comply. The Canadian Press wrote[4], “since PIPEDA is full of imprecise language that requires notifications “as soon as feasible” after a “real risk” of “significant harm” has been detected, there’s a danger that some incidents will be reported too slowly or not at all.” Data Protection Report proposes three immediate steps for approaching the PIPEDA update[5]:
1. Implement response and reporting protocols.
Organizations must have effective due diligence systems in place. Employees must understand the organization’s breach reporting procedures so that they handle information correctly when a breach occurs. This requires training on the PIPEDA update and on which breaches must be reported. Staff must be able to recognize a breach as soon as it happens and escalate it immediately, because the obligation to report and notify runs from the moment the organization determines that a breach has occurred. Every breach should still be assessed on a case-by-case basis for a real risk of significant harm[6].
2. Review and update third party agreements.
PIPEDA applies to all the personal information your organization handles, including information processed on your behalf by vendors and service providers; under the Act’s accountability principle, your organization remains responsible for that information after transferring it to a third party. Do not rely on a third party’s own diligence. Review every agreement for gaps and make sure the contractual obligations are in place, including a requirement that the vendor notify you of a breach quickly enough for you to meet your own reporting and notification obligations.
3. Create a plan for keeping records.
Since every breach record must be kept for at least 24 months after the organization determines that the breach occurred, organizations must devise concrete record-keeping plans. Under the regulations, the records must contain enough information to let the Privacy Commissioner verify compliance with the reporting and notification requirements. In practice this means a general description of the circumstances of each breach and, if the breach was not reported, the basis for concluding that it did not pose a real risk of significant harm.
As SBALawyers aptly put it, “Realistically, risk cannot be reduced to zero without reducing the usefulness of the asset – the goal is to find an acceptable balance between protection and usability.” Involve your legal counsel in formulating comprehensive breach reporting, record-keeping, and business continuity plans. These plans should cover “tiered impact analysis; automated backups; load balancing and IT-focused forensics procedures focusing on determining affected areas and containing damage; escalation and notification practices; mitigation steps; lessons learned; high-level financial and technical reporting; recovery procedures; designated first responders; loss control; and, reputation management”[7].
Treating data security planning as optional has a long history of jeopardizing consumer data; that is no longer tenable. With mandatory breach reporting in effect, organizations will have to demonstrate that they protect client information to the standards of the data security industry. Organizations should work together with cybersecurity firms and expert attorneys to minimize their cyber liability with well-designed security controls.
At LegalEase Solutions, we take cybersecurity seriously. We have strict privacy policies, and strive to keep our clients’ personal and financial information secure. We make certain that our servers and connections incorporate the latest encryption and security devices. To prevent unauthorized access, we implement physical, electronic, and managerial procedures to safeguard the information we collect. While your projects are with us, you can rest assured that your information is in safe hands. If you have a project you need assistance with, feel free to reach out to us at contact@legaleasesolutions.com. Our attorneys are happy to help.
References
[2] https://www.cbc.ca/news/business/pipeda-privacy-data-1.4886061