Federal Government Publishes Data Breach Reporting Requirements Draft

OVERVIEW

Last month the Canadian government published proposed regulations relating to the mandatory reporting of privacy breaches under Canada’s federal data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA).

While the regulations put forth by the government are simply proposed rules, they do provide an indication of what will likely be included in the final regulations. The regulations are expected to be finalized in the coming months.

This Compliance Bulletin examines the relevant PIPEDA provisions, the proposed data breach regulations and the potential implications for organizations subject to PIPEDA.

BACKGROUND

In June 2015, Canada passed into law the Digital Privacy Act (DPA), a law that made a number of important changes to PIPEDA. While most of the amendments contained in the DPA came into force in 2015, the provisions of the law relating to mandatory data breach reporting and record-keeping have not yet come into force.

Once in force, the data breach provisions of PIPEDA and corresponding regulations will require organizations to report to the Office of the Privacy Commissioner of Canada (Commissioner) any breach of security safeguards involving personal information under their control if it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to an individual. Organizations will also be required to notify any affected individuals and any other organization or government institution that may be able to mitigate the harm to affected individuals. The report and notification must occur as soon as feasible after the organization determines that a breach has occurred.

Under that law, “significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. Factors organizations must consider when assessing whether a breach creates a real risk of significant harm to an individual include the sensitivity of the personal information involved and the probability that the personal information has been, is being or will be misused.

Draft Regulations

Reports to the Commissioner: Content, Form and Manner

According to the draft regulation, a report to the Commissioner must be made in writing and contain the following information:

  • A description of the circumstances of the breach and, if known, the cause;
  • The day on which, or the period during which, the breach occurred;
  • A description of the personal information that is the subject of the breach;
  • An estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm;
  • A description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm;
  • A description of the steps that the organization has taken or intends to take to notify each affected individual of the breach; and
  • The name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

Under the proposed regulations, data breach reports can be submitted with the best information available to the organization at the time. This allows organizations to report breaches quickly and take the appropriate actions, even when key information regarding the incident is not yet available.

Requirements for Notifying Affected Individuals of a Data Breach

Under PIPEDA, notification to an affected individual must contain sufficient information to allow the individual to understand the significance of the breach and to take steps, if possible, to reduce or mitigate the risk of harm that could result. According to the draft regulations, a notification to an affected individual, at a minimum, must contain:

  • A description of the circumstances of the breach;
  • The day or time frame the breach occurred;
  • Descriptions of the type of personal information that was compromised during the breach;
  • A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
  • A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
  • A toll-free number or email address impacted individuals can use to obtain further information regarding the breach; and
  • Information about the organization’s internal complaint process and about the affected individual’s right, under PIPEDA, to file a complaint with the Commissioner.

Notifications must be given directly to impacted individuals through an email, letter (delivered to the last known home address of the affected individual), telephone call, in-person conversation or other secure form of communication if the affected individual consented to receiving information from the organization in that manner.

Indirect Notification

Under limited circumstances, organizations will be allowed to provide affected individuals with indirect notification of a data breach. According to the draft regulations, organizations will be able to provide indirect notification only if:

  • A direct notification would cause further harm to the affected individual;
  • The cost of giving a direct notification is prohibitive for the organization; or
  • The organization does not have contact information for the affected individual or the information that it has is out of date.

The draft regulations indicate that indirect notification may be given only in one of two ways: by a conspicuous message posted on the organization’s website for at least 90 days, or by an advertisement that is likely to reach the affected individuals.

Record-keeping Requirements

Once in force, the data breach provisions of PIPEDA and the regulations will require organizations to maintain a record of every breach of security safeguards. The draft regulations state that organizations must maintain these records for a minimum of 24 months after the day on which the organization determines that the breach has occurred, and provide them to the Commissioner upon request. The record must contain sufficient information to enable the Commissioner to verify compliance with the data breach reporting and notification requirements above.

NEXT STEPS

Although the regulations are not finalized and an enforcement date has not yet been announced, organizations should take the proper steps to ensure they are PIPEDA compliant. The new reporting and record-keeping requirements appear to place an administrative burden on organizations, but companies that already have cyber security protocols in place will likely experience minimal impact.

To learn more about the regulations, you can read a detailed impact analysis statement and the regulation’s text through the Canada Gazette.

© Zywave, Inc. All rights reserved

Equifax Hit by New Cyber Scare

Source: Insurance Business Canada

Equifax Inc. is reporting that a third-party vendor the credit rating agency uses to collect performance data on its US Equifax website was serving malicious content.

“Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis,” an Equifax spokesperson said in an emailed statement Thursday.

“Equifax can confirm that its systems were not compromised and that the reported issue did not affect our customer dispute portal.”

Earlier Thursday, Equifax Canada said its US parent company was temporarily taking down one of its customer services pages amid reports that hackers had allegedly altered Equifax’s credit report assistance page so that it would send users malicious software disguised as Adobe Flash.

“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” Equifax Canada spokesman Tom Carroll said in an emailed statement.

“Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”

Carroll did not respond to direct questions about any potential breach to Equifax Canada’s website.

The news comes as Equifax Inc. continues to deal with the aftermath of a cyber breach earlier this year which allowed the personal information of 145.5 million Americans, and 8,000 Canadians, to be accessed or stolen.

Since news of Equifax’s massive data breach broke last month, the company is facing investigations in Canada and the US, as well as at least two proposed class actions filed in Canada.

The massive data breach has also led to a number of high-profile departures at the Atlanta-based consumer credit reporting agency, including its chief executive, chief information officer and chief security officer.

In early October, Equifax revised the number of consumers potentially impacted in the breach, bumping up the total in the US to 145.5 million and reducing the number in Canada from an estimated 100,000 to 8,000.

For these Canadian consumers, Equifax says the information that may have been accessed includes name, address, social insurance number and, in “limited cases,” credit card numbers.

On its website, Equifax’s Canadian division says it has not yet mailed out any notices and made clear it would not be making any unsolicited calls or emails about the issue.

In September, Equifax reported that its investigation had shown that hackers had unauthorized access to its files from May 13 to July 30. Equifax Canada said at the time it was working closely with its parent company Equifax Inc. and an unnamed, independent cybersecurity firm conducting the ongoing investigation.

The cyberattack occurred through a vulnerability in an open-source application framework it uses called Apache Struts. The United States Computer Readiness team detected and disclosed the vulnerability in March, and Equifax “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”

Canadian Press

What Should Canadians Affected by Equifax Data Breach Do?

Equifax, one of the largest credit reporting agencies in the United States, was recently the victim of a massive cyber attack—an attack that may have compromised the personal information of 143 million people.

Impacted individuals were not simply limited to the United States either, as the hackers gained unauthorized access to personal information of certain Canadian and U.K. residents. Initial reports suggest 209,000 credit card numbers were stolen in the attack, some of which may belong to international customers.

The breach itself occurred between mid-May and July 2017 when cyber criminals gained access to sensitive data by exploiting a weak point in website software. In the United States, sensitive information like Social Security numbers, birthdays, addresses and driver’s licence numbers were compromised.

The recent attack on Equifax is the third major cyber security threat the organization has experienced since 2015 and one of the largest risks to personally sensitive information in recent years. The attack is so severe, in fact, it’s likely that anyone with a credit report was affected.

If you are concerned that you may have been impacted by the breach, Equifax has set up a website to help individuals determine if any of their personal information may have been stolen.

It should be noted that it may not be obvious that you are a customer of Equifax, as the company gets its data from credit card companies, banks and lenders that report on credit activity. As such, it’s important to follow the appropriate steps and check to see if your information was compromised.

Additionally, you should review your online bank and credit card statements on a weekly basis. This will help you monitor any suspicious activity.

Equifax will work with regulators in Canada and the United Kingdom to determine appropriate next steps.

Is Your Organization Ready for Mandatory Data Breach Notifications?

Overview

On June 18, 2015, the Digital Privacy Act (DPA) received royal assent and became law. Among other things, the DPA amended the Personal Information Protection and Electronic Documents Act (PIPEDA) by revising consent requirements, introducing mandatory breach notification and record-keeping requirements, and adding significant fines for non-compliance.

While many of the measures introduced by the DPA have been in force since the bill was first enacted, the government held off on imposing mandatory breach reporting until the proper regulations were implemented.

Such regulations could be in place as early as fall 2017, and organizations will want to ensure that they know what is expected of them in order to remain compliant and avoid costly fines as high as $100,000.

Mandatory Data Breach Notifications

The DPA imposes reporting requirements for every organization in Canada that suffers a data breach, particularly if that data breach creates a real risk of significant harm to one or more individuals whose personal information is involved. While the full extent of the reporting requirements will not be known until the corresponding regulations are published, the DPA defines significant harm broadly to include the following:

  • Bodily harm
  • Humiliation
  • Damage to reputations or relationships
  • Loss of employment, business or professional opportunities
  • Financial loss
  • Identity theft
  • Negative effects on credit records
  • Damage to or loss of property

Most often, the existence of “a real risk of significant harm” will be based on the sensitivity of the personal information involved in the breach, the probability that the personal information will be misused and additional factors that may be prescribed by the forthcoming regulations.

If a breach causing significant harm to one or more individuals occurs, the affected organization must do the following, as soon as feasible:

  • Report the incident to the Office of the Privacy Commissioner of Canada (Privacy Commissioner).
  • Notify affected individuals of the breach and provide them with information on how they may minimize the harm caused by the breach.
  • Inform other organizations and government entities of the breach, especially if they believe that doing so could reduce risks or mitigate harm.

Notices must contain enough information to help affected individuals fully understand the extent of harm caused by the breach. Additionally, notices must be conspicuous and provided directly to affected individuals. However, in limited circumstances, indirect notices may be permitted. Once again, more detail will be available to organizations once the forthcoming regulations are published.

Record-keeping Requirements

Another key change under the DPA will be the requirement that organizations keep records of all security breaches involving personal information. While the level of detail these records will need to contain is still unclear, it is clear that the Privacy Commissioner will have the right to request and review these records at any time.

Penalties for Non-compliance

Under the DPA, fines up to $100,000 may be imposed against organizations that knowingly violate the mandatory breach notification requirements or breach record-keeping requirements. Until the regulations are finalized, it will remain unclear if a violation will include a single incident (for example, a single failure to notify all individuals impacted by a breach) or each incident (for example, each failure to notify each individual impacted by a breach). However, it is clear that the Privacy Commissioner now has the ability to impose significant fines for non-compliance.

What Does this Mean for Organizations?

Mandatory data breach notifications could impact any organization that is at risk of a cyber attack. Given the reach of the DPA and upcoming regulations, all organizations should consider doing the following:

  • Review and update existing protocols and policies to account for detecting, responding to and reporting data breach incidents internally.
  • Assess the types of information—personal information, intellectual property, supplier data, etc.—they hold and how they would respond in the event of a breach.
  • Create a data breach incident response plan if one does not already exist. Such a plan should include methods for notifying the Privacy Commissioner and any impacted individuals.
  • Ensure that they have sufficient insurance in place and have taken the steps to mitigate any litigation exposures. Such steps often include requiring employee training, performing security audits and identifying cyber security vendors.

Organizations should review the DPA to ensure they are compliant with all aspects of the legislation.

Canada Second Most Expensive Country for Data Breaches

Source: Canadian Underwriter

Canada was the second most expensive country for data breaches, costing an average of $255 per lost or stolen record in 2017, according to a new report sponsored by IBM Security and conducted by the Ponemon Institute.

Released earlier in June, the 2017 Cost of Data Breach Study: Canada report found that Canada was also the second most expensive country of those surveyed for malicious/criminal breaches at $156 per record. The Canadian research report examined the costs incurred by 27 Canadian companies from 12 different industry sectors following the loss or theft of protected personal data and the notification of breach victims as required by various laws.

In Canada, the average total cost of data breaches decreased from $6.03 million in 2016 to $5.78 million in the current year, although the lowest average total cost was $5.32 million in 2015, IBM said in a statement. Over the past year, the average total cost of data breach decreased by 4%, but the average breach size or number of records increased by 3%, the report noted. The number of breached records per incident this year ranged from 4,300 to 69,844, with an average of 21,750 records breached.

The report found that organizations that can contain a breach in less than 30 days save $1.79 million ($4.88 million compared to $6.67 million). However, on average, Canadian organizations took 173 days to identify a breach and 60 days to contain one. This year, the cost of notification in Canada also decreased from $180,000 per company on average in 2016 to $160,000. These costs include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures and inbound communication set-up.

IBM noted in the statement that certain industries have higher data breach costs: services ($398 per capita cost), financial services ($356) and technology ($340) companies had a per capita data breach cost above the mean of $255 ($278 in 2016). Public sector ($105), hospitality ($172) and transportation ($175) companies had a per capita cost well below the overall mean value. Investments in incident response teams and plans, extensive use of encryption, employee training programs, board-level involvement or participation in threat sharing were shown to reduce the per capita and total cost of data breach, the statement added.

Of the $255 average per compromised record, $147 pertained to indirect costs, including abnormal turnover or churn of customers, and $108 was related to direct costs incurred to resolve the data breach, such as investments in technologies or legal fees.

From a global perspective, this is the first year the global total cost of a breach has declined in the history of the study, which began in the United States 12 years ago. The 2017 Cost of Data Breach Study: Global Overview said that the global average cost per lost or stolen record was US$141 (from $158 in 2016), with the number one factor in reducing the cost reported as having an incident response team in place (lowering the cost by US$19 per lost or stolen record).

The cost of a data breach also dropped 10% globally in the 2017 study to US$3.62 million from US$4 million. Since debuting in the U.S., the study has expanded to the following countries and regions: the United Kingdom; Germany; Australia; France; Brazil; Japan; Italy; India; Canada; South Africa; the Middle East (including the United Arab Emirates and Saudi Arabia); and the ASEAN region (including Singapore, Indonesia, the Philippines and Malaysia).

Another press release from IBM said that the company identified a close correlation between the response to regulatory requirements in Europe and the overall cost of a data breach. European countries saw a 26% decrease in the total cost of a data breach over last year’s study, the release said, noting that businesses in Europe operate in a more “centralized regulatory environment,” while businesses in the U.S. have unique requirements (48 of 50 states have their own data breach laws).

In the U.S., “compliance failures” and “rushing to notify” were among the top five reasons the cost of a breach rose. U.S. companies also reported paying over $690,000 on average for notification costs related to a breach, more than double the amount of any other country surveyed in the report.

General global findings included the following:

  • Canada was the third most expensive country for data breaches, costing organizations an average of US$4.31 million;
  • The cost of a data breach in the U.S. was US$7.35 million, a 5% increase compared to last year;
  • Organizations in the Middle East, Japan, South Africa and India all experienced increased costs in 2017 compared to the four-year average costs;
  • Germany, France, Italy and the U.K. experienced significant decreases compared to the four-year average costs. Australia, Canada and Brazil also experienced decreased costs compared to the four-year average cost of a data breach;
  • In the Middle East, organizations saw the second highest average cost of a data breach at US$4.94 million, a more than 10% increase over the previous year;
  • In Brazil data breaches were the least expensive overall, costing companies only US$1.52 million;
  • For the seventh year in a row, healthcare has topped the list as the most expensive industry for data breaches. Healthcare data breaches cost organizations US$380 per record, more than 2.5 times the global average across industries (US$141 per record);
  • The involvement of third parties in a data breach was the top contributing factor that led to an increase in the cost of a data breach, increasing the cost US$17 per record; and
  • Incident response, encryption and education were the factors shown to have the most impact on reducing the cost of a data breach. Having an incident response team in place resulted in a US$19 reduction in cost per lost or stolen record, followed by extensive use of encryption (US$16 reduction per record) and employee training (US$12.50 reduction per record).