Federal Government Publishes Data Breach Reporting Requirements Draft

OVERVIEW

Last month the Canadian government published proposed regulations relating to the mandatory reporting of privacy breaches under Canada’s federal data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA).

While the regulations put forth by the government are simply proposed rules, they do provide an indication of what will likely be included in the final regulations. The regulations are expected to be finalized in the coming months.

This Compliance Bulletin examines the relevant PIPEDA provisions, the proposed data breach regulations and the potential implications for organizations subject to PIPEDA.

BACKGROUND

In June 2015, Canada passed into law the Digital Privacy Act (DPA), a law that made a number of important changes to PIPEDA. While most of the amendments contained in the DPA came into force in 2015, the provisions of the law relating to mandatory data breach reporting and record-keeping have not yet come into force.

Once in force, the data breach provisions of PIPEDA and corresponding regulations will require organizations to report to the Office of the Privacy Commissioner of Canada (Commissioner) any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to an individual. Organizations will also be required to notify any affected individuals and any other organization or government institution that may be able to mitigate the harm to affected individuals. The report and notification must occur as soon as feasible after the organization determines that a breach has occurred.

Under that law, “significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. Factors organizations must consider when assessing whether a breach creates a real risk of significant harm to an individual include the sensitivity of the personal information involved and the probability that the personal information has been, is being or will be misused.

Draft Regulations

Reports to the Commissioner: Content, Form and Manner

According to the draft regulation, a report to the Commissioner must be made in writing and contain the following information:

  • A description of the circumstances of the breach and, if known, the cause;
  • The day on which, or the period during which, the breach occurred;
  • A description of the personal information that is the subject of the breach;
  • An estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm;
  • A description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm;
  • A description of the steps that the organization has taken or intends to take to notify each affected individual of the breach; and
  • The name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

Under the proposed regulations, data breach reports can be submitted with the best information available to the organization at the time. This allows organizations to report breaches quickly and take the appropriate actions, even when key information regarding the incident is not yet available.

Requirements for Notifying Affected Individuals of a Data Breach

Under PIPEDA, notification to an affected individual must contain sufficient information to allow the individual to understand the significance of the breach and to take steps, if possible, to reduce or mitigate the risk of harm that could result. According to the draft regulations, a notification to an affected individual, at a minimum, must contain:

  • A description of the circumstances of the breach;
  • The day or time frame the breach occurred;
  • Descriptions of the type of personal information that was compromised during the breach;
  • A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
  • A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
  • A toll-free number or email address impacted individuals can use to obtain further information regarding the breach; and
  • Information about the organization’s internal complaint process and about the affected individual’s right, under the PIPEDA, to file a complaint with the Commissioner.

Notifications must be given directly to impacted individuals through an email, letter (delivered to the last known home address of the affected individual), telephone call, in-person conversation or other secure form of communication if the affected individual consented to receiving information from the organization in that manner.

Indirect Notification

Under limited circumstances, organizations will be allowed to provide affected individuals with indirect notification of a data breach. According to the draft regulations, organizations will be able to provide indirect notification only if:

  • A direct notification would cause further harm to the affected individual;
  • The cost of giving a direct notification is prohibitive for the organization; or
  • The organization does not have contact information for the affected individual or the information that it has is out of date.

The draft regulations indicate that indirect notification may be given only by either a conspicuous message, posted on the organization’s website for at least 90 days, or by means of an advertisement that is likely to reach the affected individuals.

Record-keeping Requirements

Once in force, the data breach provisions of PIPEDA and the regulations will require organizations to maintain a record of every breach of security safeguards. The draft regulations state that organizations must maintain these records for a minimum of 24 months after the day on which the organization determines that the breach has occurred, and provide them to the Commissioner upon request. The record must contain sufficient information to enable the Commissioner to verify compliance with the data breach reporting and notification requirements above.

NEXT STEPS

While the regulations are not finalized and an enforcement date has not yet been announced, organizations should take the proper steps to ensure they are PIPEDA compliant. While the new reporting and record-keeping requirements appear to place an administrate burden on organizations, companies that already have cyber security protocols in place will likely experience minimal impact.

To learn more about the regulations, you can read a detailed impact analysis statement and the regulation’s text through the Canada Gazette.

© Zywave, Inc. All rights reserved

Equifax Hit by New Cyber Scare

Source: Insurance Business Canada

Equifax Inc. is reporting that a third-party vendor the credit rating agency uses to collect performance data on its US Equifax website was serving malicious content.

“Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis,” an Equifax spokesperson said in an emailed statement Thursday.

“Equifax can confirm that its systems were not compromised and that the reported issue did not affect our customer dispute portal.”

Search and compare product listings for insurance against a Data Breach from specialty market providers here

Earlier Thursday, Equifax Canada said its US parent company was temporarily taking down one of its customer services pages amid reports that hackers had allegedly altered Equifax’s credit report assistance page so that it would send users malicious software disguised as Adobe Flash.

“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” Equifax Canada spokesman Tom Carroll said in an emailed statement.

“Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”

Carroll did not respond to direct questions about any potential breach to Equifax Canada’s website.
The news comes as Equifax Inc. continues to deal with the aftermath of a cyber breach earlier this year which allowed the personal information of 145.5 million Americans, and 8,000 Canadians, to be accessed or stolen.

Since news of Equifax’s massive data breach broke last month, the company is facing investigations in Canada and the US, as well as at least two proposed class actions filed in Canada.

The massive data breach has also led to a number of high-profile departures at the Atlanta-based consumer credit reporting agency, including its chief executive, chief information officer and chief security officer.

In early October, Equifax revised the number of consumers potentially impacted in the breach _ bumping up the total in the US to 145.5 million and reducing the number in Canada from an estimated 100,000 to 8,000.

For these Canadian consumers, Equifax says the information that may have been accessed includes name, address, social insurance number and, in “limited cases” credit card numbers.
On its website, Equifax’s Canadian division says it has not yet mailed out any notices and made clear it would not be making any unsolicited calls or emails about the issue.

In September, Equifax reported that its investigation had shown that hackers had unauthorized access to its files from May 13 to July 30. Equifax Canada said at the time it was working closely with its parent company Equifax Inc. and an unnamed, independent cybersecurity firm conducting the ongoing investigation.

The cyberattack occurred through a vulnerability in an open-source application framework it uses called Apache Struts. The United States Computer Readiness team detected and disclosed the vulnerability in March, and Equifax “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”

Canadian Press