Canada’s Data Breach Response Effective November 1, 2018: 5 Key Areas

Every Canadian business that collects, uses or discloses personal information in the course of commercial activity is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Such organizations must be ready to comply with the Act’s new mandatory data breach response requirements as of November 1, 2018, or face the consequences of non-compliance.

Sound data breach risk management rests on two things: steps that reduce the likelihood of a breach in the first place, and action plans that make the organization ready for when (not if) a breach occurs. Both are fundamental to compliance in today’s digital landscape. Compliance will not happen overnight. The new record-keeping, reporting and notification rules are strict, and advance preparation is what reduces your business’s liability and reputational risk when a breach does occur.

Here are five key areas to focus on when preparing to comply with the data breach response requirements introduced by the Digital Privacy Act.

1) Understanding The New Obligations

  • Your organization must understand what the requirements are and when the new obligations are triggered, and must implement policies and procedures aligned with the law. A thorough privacy gap analysis of existing policies and procedures will show where the risks lie.
  • A “breach of security safeguards” involving personal information under your business’s control triggers the new obligations. Every such breach, whether or not it poses a real risk, must be recorded. A breach that creates a real risk of significant harm to an individual must also be reported to the Privacy Commissioner, and the affected individuals must be notified.
  • “Sensitivity of information” bears on your business’s obligation to protect personal information with security safeguards against loss or theft, and against unauthorized access, disclosure, copying, use or modification. Any information can be considered sensitive, depending on the context.
  • “Appropriate safeguards” are those appropriate to the sensitivity of the information. Your business should apply common sense and risk management concepts, and consider the possible harm of a breach. More sensitive information calls for a higher level of protection.
  • “Breach of security safeguards” has a very broad definition that captures incidents most people would not consider a data breach. There must be a loss of, unauthorized access to, or unauthorized disclosure of personal information that results either from a breach of security safeguards or from a failure to have safeguards in place. A common scenario is an employee allowing their child to use a company-issued smartphone that contains customer information.

2) Dealing with Third Party Contractor Risks

  • Review third-party contracts to ensure they include accountability measures for enabling, monitoring and verifying the contractor’s compliance with the new requirements. This is the most overlooked step in preparing for compliance with the Digital Privacy Act.
  • Your organization may be responsible for a breach by a third party involving personal information that the third party accesses or handles on your business’s behalf.

3) Dealing With Employee Risks

  • An organization’s weakest link in terms of privacy vulnerabilities and liability exposure is its own employees. Organizations often focus data security on “outside” threats and on external third parties accessing business data. In fact, a large share of data breaches are caused by an organization’s own employees, whether accidentally or intentionally.
  • A plan to prevent and handle data breaches by its own employees is an important part of a business’s breach risk mitigation plan. It matters all the more under the Digital Privacy Act’s new breach response requirements, because more employee breaches are likely to be identified. The record-keeping obligation (and, where a real risk of significant harm results, the reporting obligation) will be triggered by common scenarios that businesses might not regard as privacy breaches requiring action, such as an employee allowing their child to use a smartphone that contains customer information. Organizations must therefore pay close attention to an employee action plan in preparing for the mandatory data breach response obligations.
  • Training and policies – businesses must ensure their employee policies and training reflect the definition of a “breach of security safeguards” so that trivial breaches occur less often.
  • Internal breach reporting – businesses must build a culture in which employees can report breaches without unreasonable fear of reprisal, so that internal reporting is accurate.
  • Liability – more lawsuits are on the horizon. Employers are liable for the acts of their employees in the course of their employment, including data breaches. Even where insurance is in place, no organization can insure against reputational damage.

4) Paper Trail – Record-keeping and reporting requirements will mean a significant change in procedures and resource allocation for many businesses. Documentation can be complex, and businesses should keep this in mind when planning for compliance.

5) Protecting Your Legal Privilege – Mandatory notification will place more businesses under scrutiny and accelerate the trend toward data breach class action lawsuits. It is therefore important for organizations to protect privileged materials, especially those that identify privacy and security risks in the organization. Otherwise those materials may be available to the Privacy Commissioner in an investigation and can be used against you in a civil lawsuit.
