November 1, 2018, brings mandatory breach notification to Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). We may have to remember that there were three other provinces which had a privacy law prior to this from 2010. Those provinces are Alberta Personal Information Protection Act (PIPA), Quebec and British Columbia.
As per the Gazette notification and section 27 of the Digital Privacy Act, Chapter 32 of the Statutes of Canada, 2015, fixed November 1, 2018, as the day on which sections 10, 11, and 14, subsections 17(1) and (4) and sections 19 and 22 to 25 of that Act come into force and providing regulated organizations with a lag period of approximately six months of preparation time after publication of final regulations that provide specifics. The objective is to implement Division 1.1 of PIPEDA, which provides for mandatory data breach reporting under the Act. The Breach of Security Safeguards Regulations will come into force at the same time, as per the accompanying regulatory proposal.
To give a background perspective, PIPEDA is Canada’s privacy law for private sector organizations. The Act, which came into force in January 2001, sets out rules that organizations must follow when collecting, using or disclosing personal information in the course of their commercial activities. The Office of the Privacy Commissioner (OPC) enforces PIPEDA by overseeing whether organizations are complying with the Act’s obligations. PIPEDA applies to the collection, use or disclosure of personal information by every organization in the course of a commercial activity. A commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or fundraising lists.
The federal government may exempt from PIPEDA organizations and/or activities in provinces that have adopted substantially similar privacy legislation. To date, Quebec, British Columbia and Alberta have adopted private sector legislation deemed substantially similar to PIPEDA. Further, Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have adopted substantially similar legislation with respect to personal health information.
Even in those provinces that have adopted legislation that is substantially similar to the federal privacy legislation, PIPEDA continues to apply to (i) all interprovincial and international transactions by all organizations subject to the Act, and (ii) to federally regulated organizations — “federal works, undertakings or businesses” — such as banks, and telecommunications and transportation companies, in the course of their commercial activities.
The purpose of PIPEDA is to facilitate growth in the digital economy by ensuring that Canadians have trust and confidence in how organizations handle their personal information. The Act employs a principles-based approach that balances the privacy rights of individuals with the legitimate needs of businesses to use or exchange information.
The Minister of Innovation, Science and Economic Development (ISED) administers and is responsible for PIPEDA, as well as its subordinate legislation. Pursuant to paragraph 26(1)(c) of PIPEDA, the Governor in Council has the authority to make regulations for carrying the purposes and provisions of the Act. Bill S-4, titled the Digital Privacy Act, received royal assent on June 18, 2015. The Digital Privacy Act amended PIPEDA to add mandatory breach reporting obligations under PIPEDA.
The amendments impose a new set of obligations onto organizations to inform individuals if their personal information has been lost, stolen or inappropriately accessed, and they are placed at risk of harm. Specifically, the Act states that
· data breaches that pose a real risk of significant harm will need to be reported to the Privacy Commissioner, and affected individuals will need to be notified;
· an organization may also be required to notify other organizations if they are in a position to protect affected individuals from harm (e.g. credit card companies, financial institutions or credit reporting agencies, if their assistance is necessary for contacting individuals or assisting with mitigating harm);
· records of all data breaches experienced by an organization will need to be maintained and provided to the Privacy Commissioner upon request;
· deliberately failing to report a data breach, or deliberately failing to notify an individual as required will be separate offences subject to fines of up to $100,000. In the case of notification to individuals, it will be a separate offence for every individual left without notification of the breach; and
· deliberately failing to keep, or destroying data breach records will also be an offence, subject to a fine of up to $100,000.
While the fines have been clearly mentioned, there is no clarity about how the breaches are counted, whether a single record breach is considered as a breach for the fine or if multiple records are included in the breach or would it be considered a series of breaches as a single occurrence and then fined accordingly. It is also unclear as what factors would the OPC consider to determine if violation has occurred.
Although Division 1.1 was given royal assent in June 2015, coming-into-force was postponed to allow for development and implementation of regulations that would outline specifics pertaining to how organizations should undertake their new obligations. Since that time ISED has conducted two consultations pertaining to development of the Regulations.
On November 1, 2018, new provisions in the Personal Information Protection and Electronic Documents Act (PIPEDA) related to breach of security safeguards came into force ( SI/2018-32 ), along with breach of security safeguards regulations (SOR/2018-64 ).
Mandatory data breach reporting under PIPEDA
With the implementation of Division 1.1 of PIPEDA, organizations that experience a data breach — referred to in the Act as a “breach of security safeguards” — will have certain obligations, as follows:
· The organization must determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach (“affected individuals”) by conducting a risk assessment. The assessment of risk must consider the sensitivity of the information involved, and the probability that the information will be misused;
· When the organization considers that a breach is posing a real risk of significant harm (RROSH), it must notify affected individuals and report to the Privacy Commissioner of Canada (the Commissioner) as soon as feasible;
· The organization must notify any other organization that may be able to mitigate harm to affected individuals; and
· The organization must maintain a record of any data breach that the organization becomes aware of and provide it to the Commissioner upon request.
Paragraph 26(1)(c) of PIPEDA provides the Governor in Council with the authority to make any regulations that are required under the Act. The objective of this regulatory proposal is to provide greater certainty and specificity with respect to certain elements of the Act’s data breach reporting requirements under Division 1.1.
The objectives of the Regulations are the following:
Ensure that all Canadians receive consistent information about data breaches that pose a risk of significant harm to them.
Ensure that data breach notifications contain sufficient information to enable individuals to understand the significance and potential impact of the breach.
Ensure that the Commissioner receives consistent and comparable information about data breaches that pose a risk of significant harm.
Ensure that the Commissioner is able to provide effective oversight and verify that organizations are complying with the requirements to notify affected individuals of a data breach and to report the breach to the Commissioner.
Reporting to the OPC
2 (1) A report of a breach of security safeguards referred to in subsection 10.1(2) of the Act must be in writing and must contain
(a) a description of the circumstances of the breach and, if known, the cause;
(b) the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
(c) a description of the personal information that is the subject of the breach to the extent that the information is known;
(d) the number of individuals affected by the breach or, if unknown, the approximate number;
(e) a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
(f) a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of the Act; and
(g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.
(2) An organization may submit to the Commissioner any new information referred to in subsection (1) that the organization becomes aware of after having made the report.
(3) The report may be sent to the Commissioner by any secure means of communication.
It would be worth noting that OPC does not prosecute offences under PIPEDA in courts.
Notification to Affected Individual – Contents of notification
3. A notification provided by an organization, in accordance with subsection 10.1(3) of the Act, to an affected individual with respect to a breach of security safeguards must contain
(a) a description of the circumstances of the breach;
(b) the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
(c) a description of the personal information that is the subject of the breach to the extent that the information is known;
(d) a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
(e) a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
(f) contact information that the affected individual can use to obtain further information about the breach.
Direct notification — form and manner
4. For the purposes of subsection 10.1(5) of the Act, direct notification must be given to the affected individual in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances.
Indirect notification — circumstances
5. (1) For the purposes of subsection 10.1(5) of the Act, indirect notification must be given by an organization in any of the following circumstances:
(a) direct notification would be likely to cause further harm to the affected individual;
(b) direct notification would be likely to cause undue hardship for the organization; or
(c) the organization does not have contact information for the affected individual.
Indirect notification — form and manner
(2) For the purposes of subsection 10.1(5) of the Act, indirect notification must be given by public communication or similar measure that could reasonably be expected to reach the affected individuals.
6 (1) For the purposes of subsection 10.3(1) of the Act, an organization must maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred.
(2) The record referred to in subsection 10.3(1) of the Act must contain any information that enables the Commissioner to verify compliance with subsections 10.1(1) and (3) of the Act.
Here are some guidelines to be adopted, while responding to any privacy breach.
Understand the threats you’re facing:
Know what personal information you have, where it is, and what you are doing with it. Data inventories and process maps will help ensure you know exactly what personal information you need to protect, as well as when and where you need to protect it. When and where do you collect personal information? Where does that information go? Who can access it, and what do they do with it? You must understand your data before you can protect it!
Know your vulnerabilities. Conduct risk and vulnerability assessments and/or penetration tests within your organization to ensure that threats to privacy are identified. Don’t just focus on technical vulnerabilities, though. Are third parties collecting personal information on your behalf without appropriate safeguards? Do you use paper-based application forms, which are transferred to a central location (the loss of which means you’ll have no way of knowing who the affected individuals are, let alone how to notify them)? When you upgrade your systems, do the old systems and databases remain active, unwatched and unpatched? Identify your organizations’ weak points before a breach identifies them for you!
Know your industry. Be aware of breaches in your industry. Attackers will often re-use the same attacks against multiple organizations. Pay attention to alerts and other information from your industry association, or whatever your source of industry news – don’t be the next vulnerable target!
Think beyond the people with bad intentions:
Encrypt laptops, USB keys and other portable media. Organizations often focus on privacy breaches caused by hackers, but this ignores some key threats. Perhaps the most common type of preventable breach seen out there, occurs due to loss or theft of unencrypted laptops, USB keys, and other portable media. In many of these incidents, the use of sufficiently strong encryption could have turned a headline-grabbing privacy breach into a minor issue!
Limit the personal information you collect, as well as what you retain. You should know not only why you are collecting each piece of personal information, but why you are keeping it. Where possible, don’t collect personal information. For example, in most identity authentication cases it is enough to view, but not record, an individual’s identification. Also, if personal information is only collected for limited purposes, securely dispose of it after they have been fulfilled. Always keep in mind: you can’t lose what you don’t have!
Don’t neglect personal information’s end-of-life. It is important that you protect personal information throughout its lifecycle – including the often overlooked end-of-life. Clearly define your policies and procedures about the secure destruction of personal information, and make sure they are followed. There has been many well known breaches caused by documents left behind in a move or thrown in the garbage, as well as by information not being properly erased from discarded or recycled electronics. Like an action movie hero, personal information tends to survive and reappear when its destruction isn’t seen through to the end!
Train your employees. Policies can only be effective when those responsible for implementing and abiding by them are aware of what they contain, why they exist, and the consequences of neglecting their responsibilities. You should have in place ongoing privacy and security training and awareness programs that go far beyond ‘box-ticking’ exercises. Employees who fully understand their roles and responsibilities in protecting personal information can be one of an organization’s best lines of defense against privacy breaches!
Limit, and monitor, access to personal information. Employees’ access to personal information should be limited to what they need to know, particularly when this information is sensitive. This can help ensure they don’t become the cause of a breach, either accidentally or intentionally. Similarly, monitored access logs can help you identify unusual behaviors, and potentially prevent an incident either before it occurs or in the early stage. Don’t burden your employees with more information than they need to do their jobs!
But don’t forget about people with bad intentions, either
Maintain up-to-date software and safeguards. This is Security 101: if you don’t protect yourself against known vulnerabilities, you greatly increase the likelihood of a breach. Establish systematic, documented processes to ensure security-related patches are applied in a timely manner, and that software that is no longer in use is removed from your system. As well, ensure that the virus and malware definitions associated with your anti-virus and anti-malware software are current by allowing them to perform regular updates. Operate at the speed of your attackers!
Implement and monitor, intrusion prevention and detection systems. An organization’s first goal is to prevent intrusions, and you should have systems in place to do so. However, the reality is that even with the best protections in place, your system may get breached. Measures such as intrusion detection systems, firewalls and audit logs can help you to identify and respond to privacy breaches before they escalate – assuming you’re paying attention to them. Ensure that safeguards used to monitor network or system activities and mitigate threats have been properly implemented and are proactively monitored. Don’t rely only on the guards you’ve posted at your gate; know what’s happening inside your walls!
Breach containment and preliminary assessment
You should take immediate common sense steps to limit the breach.
· Immediately contain the breach (e.g., stop the unauthorized practice, recover the records, shut down the system that was breached, revoke or change computer access codes or correct weaknesses in physical or electronic security).
· Designate an appropriate individual to lead the initial investigation. This individual should have appropriate scope within the organization to conduct the initial investigation and make initial recommendations. If necessary, a more detailed investigation may subsequently be required.
· Determine the need to assemble a team which could include representatives from appropriate parts of the business.
· Determine who needs to be made aware of the incident internally, and potentially externally, at this preliminary stage. Escalate internally as appropriate, including informing the person within your organization responsible for privacy compliance.
· Do not compromise the ability to investigate the breach. Be careful not to destroy evidence that may be valuable in determining the cause or allow you to take appropriate corrective action.
Prevention of future breaches: Once the immediate steps are taken to mitigate the risks associated with the breach, organizations need to take the time to investigate the cause of the breach and consider whether to develop a prevention plan. The level of effort should reflect the significance of the breach and whether it was a systemic breach or an isolated instance. This plan may include the following:
· a security audit of both physical and technical security;
· a review of policies and procedures and any changes to reflect the lessons learned from the investigation and regularly after that (e.g., security policies, record retention and collection policies, etc.); and
· a review of employee training practices; and
· a review of service delivery partners (e.g., dealers, retailers, etc.).
Reference: https://www.priv.gc.ca | https://www.gazette.gc.ca
Report by: Cyber Guru | CMN News
