The Breach of Security Safeguards Regulations (“BSSR”), issued under the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA“), come into force November 1, 2018, including the new mandatory breach notification (“MBN”) requirements.
Hefty fines, federalism, and boring, unreadable legislation and regulations abound! Don’t worry, we’re here to help you out. If your private-sector organization deals with personal information, ask yourself these questions to ensure compliance:
- Does PIPEDA apply to us?
- When do MBN requirements apply?
- What the %$#* do we do next?
- What are the consequences of non-compliance with MBN requirements?
- How does my organization avoid non-compliance with MBN requirements?
1. Who is governed by PIPEDA?
“But my organization only operates in BC!” “But I’m just a sole proprietor!”
Not so fast. Even if you operate exclusively in BC, you may be subject to PIPEDA. PIPEDA applies:
- to private sector organizations (corporations, associations, unions, partnerships, individuals acting in a corporate capacity) that are (i) federally regulated; (ii) regulated in a province that does not have legislation substantially similar to PIPEDA (BC and Alberta do have substantially similar legislation); or (iii) any organization that is transmitting personal information over inter-provincial or federal borders;
- to private sector organizations that collect, use or disclose personal information (data which may identify you as an individual that is not readily available to the public, such as race, religion, age, marital status, medical history, DNA, social insurance number, driver’s license, or views or opinions about you as an employee);
- in the course of commercial activity, meaning any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
MBN is also required under the European Union’s General Data Protection Regulation (“GDPR”), but is not required under the British Columbia Personal Information Protection and Electronic Documents Act.
2. When does MBN apply?
This one’s a three-parter. MBN requirements apply if:
a. a data breach occurred, meaning: (i) personal information has been collected and (ii) the subject organization has failed to institute or has had a breach in the safeguards required under PIPEDA ;
b. the breach results in the loss of, unauthorized access to, or unauthorized disclosure of personal information; and
c. the breach results in a real risk of significant harm, which includes humiliation, damage to reputation or relationships, or identity theft.
3. What are the MBN requirements?
MBN requires subject organizations to:
a. notify impacted individuals directly (by phone, email, mail, or another reasonably acceptable form of communication) as soon as feasible of the:
i. circumstances of the breach and details of personal information that was compromised;
ii. steps taken by the organization to reduce potential harm caused by the breach;
iii. steps the impacted individual can take to reduce the potential harm caused by the breach; and
iv. contact information at the organization for the impacted individual to seek additional information;
b. notify individuals indirectly with the same information (by public communication or another reasonably acceptable form of notification that could reasonably be expected to reach the affected individual) as soon as feasible if:
i. direct notification would likely cause further harm to the impacted individual;
ii. direct notification would likely cause undue hardship for the subject organization; or
iii. the organization does not have contact information of the affected individual;
c. deliver a written report to the Office of the Privacy Commissioner of Canada (“OPC”) as soon as feasible of the:
i. circumstances of the breach;
ii. date of the breach;
iii. number of individuals impacted;
iv. type of personal information compromised; and
v. steps taken by the subject organization to mitigate harm;
d. maintain a record of every breach of security safeguards for 24 months from discovery, which the OPC may request.
4. What are the consequences of non-compliance with MBN?
Less moolah in the coolah. Fines for deliberate failure to report or record a breach can reach $100,000. Aside from regulatory fines, the reputational risks to your business can be immense. These risks grow with non-disclosure (which may lead to increased harm to individuals affected by the breach) as well. Responding quickly and appropriately to breaches is incredibly important. The loss of trust and reputation for an organization resulting from the mishandling of a data breach, and worse yet a deliberate failure leading to regulatory fines, can be a silver bullet to future growth and even continued existence. Also, there are other potential liabilities that may arise if an organization experiences a breach due to a failure to exercise due care amounting to negligence (by not implementing appropriate security measures for example) or for knowingly ignoring or covering up a breach, especially if this leads to damages to individuals whose information has been breached (such as identity theft for example).
5. How does my organization avoid non-compliance with MBN?
Organizations subject to PIPEDA can ensure compliance by:
a. having a cybersecurity plan and appropriate measures in place for their business and industry (it’s much easier to keep the genie in the bottle);
b. having a data-breach response plan in place, and a response team to implement and apply the plan (you can hire service providers for these purposes); and
c. for organizations using third-parties for certain data collection and storage practices, ensure service agreements include contractual safeguards that confirm each party’s obligations with respect to the collected personal information.