The Digital Privacy Act (previously known as Bill S-4) came into law in June 2015, resulting in a number of significant amendments to Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
While many amendments came into force upon Royal Assent, those relating to “breach reporting, notification and recordkeeping” (which generally include incidents commonly referred to as data breaches) will come into force later this year, once the federal government has developed and put in place the associated regulations.
A number of recent cases highlight the need for mandatory data breach reporting, including:
- The Deloitte Hack: Deloitte failed to protect administrator passwords for its cloud email system, giving an unauthorized third party access to confidential client emails and records for about six months. Deloitte notified six of its clients that their data may have been “impacted”, but until the changes come into effect there are still no firm rules on notifying Ontario clients or on disclosure.
- Equifax/Apache Struts Vulnerability: The Apache Struts vulnerability left Internet-facing systems open to compromise by an attacker. An exploit of this vulnerability at Equifax led to the loss of millions of records containing the personal information of many North Americans. The current lack of a legal requirement to disclose a breach of this kind meant that Equifax was under no obligation to notify affected customers or to report to the OPC.
Here are some key facts about the upcoming amendments and what they mean for your organization:
What is changing and who does it apply to?
A major change from the previous Act is the new requirement for organizations to report to the Office of the Privacy Commissioner of Canada (OPC), and to notify affected individuals and associated third parties, about any breach of security safeguards (which generally includes what is commonly known as a data breach) that may pose a risk of significant harm to affected individuals.
What constitutes significant harm?
The concept of “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft among others.
Factors that organizations will need to consider when assessing whether there is a real risk of significant harm include the sensitivity of the information involved and the probability that the information has been or will be misused, along with any other prescribed factor.
How do I know if my company has been breached?
Knowing whether your company’s data has been breached is difficult without systems in place to detect attempted breaches, as well as those that have already happened without your knowledge.
A smart cyber security provider, such as IntelliGO, can protect your systems from unauthorized access and will continuously test your defenses. IntelliGO’s system helps to manage, detect and respond more effectively when your organization is subject to a breach of security.
When do affected individuals and the OPC need to be notified?
An organization is required to notify the affected individuals and the OPC as soon as is feasible once it has established that a breach has occurred. An organization will also be required to notify any other organization or government institution if it believes that body may be able to reduce the risk of harm or mitigate it.
What will happen if I fail to comply?
Organizations must keep a record of all breaches involving personal information and provide it to the OPC upon request. An organization that knowingly fails to notify the individuals affected by a breach that poses a severe risk of significant harm, or fails to report to the OPC, could be subject to fines of up to $100,000.
Who do I contact if I think my organization has been breached?
To report a privacy breach in your organization’s data security, you can visit the OPC website for more information or call the OPC information centre at 1-800-282-1376.
Although breach reporting will remain voluntary until the new provisions come into effect, organizations are advised to report breaches to the OPC and notify affected customers if they know or have reason to believe that a breach has occurred.