Banner Accent
Created with Sketch.

PIPEDA Update Makes Security Breach Reporting Mandatory in Canada

Posted 29 Nov 2018

pipeda review canada

November 1, 2018, was the enforcement date of a new addendum to the Personal Information Protection and Electronic Documents Act (PIPEDA), called the Electronic Documents Act (EDA).

The EDA addendum was designed so that organizations subject to PIPEDA are now required to comply with mandatory reporting of informational and/or data breaches. Businesses across the country are required to make the necessary preparations however many have not complied, and must now take this as a call to action. Below we have detailed exactly what your company needs to know, and do.

What Your Company Needs to Know About the 2018 Update to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

Background on PIPEDA

PIPEDA is a Canadian privacy law for private sector organizations which came into force in January 2001.  The law sets out rules that organizations in the private sector must follow whenever they collect, use or disclose personal information in the course of their commercial activities.

Canada’s Digital Privacy Act received Royal Assent in June of 2015, and sets out the general rules that private sector organizations must follow in case of a data breach.  The DPA is an amendment to PIPEDA.

On April 18th, 2018, The Government of Canada published on Canada Gazette the “Breach of Security Safeguards Regulations”. This resource details the DPA’s rules regulations that private sector organizations must follow in case of a data breach. The Government of Canada followed the publication with the order setting November 1, 2018 as the enforcement date under the DPA to allow businesses time to adjust information systems, procedures, practices and to train employees.

Mandatory Reporting of Security Breaches

Under the DPA, deliberate failure to report a data breach to the Privacy Commissioner of Canada and deliberate failure to notify potentially affected individuals are considered as separate offenses and subject to separate files of up to $100,000.  

Here is a succinct review of your new obligations:

  • Your company must report all breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals.
  • Your company must notify potentially impacted individuals about breaches.
  • Your company must maintain comprehensive records of all breaches.

The latter obligation bears repeating, as the DPA considers the deliberate failure to keep (or the destruction of) data breach records as an offense. Violators will be subject to a fine of up to $100,000.

Mandatory Data Breach Reporting Rules

A. Data Breach Report to the Privacy Commissioner of Canada 

The DPA regulations mandate that any data breach that poses a “real risk of significant harm” to any individual must be reports to the Privacy Commissioner of Canada “as soon as feasible”, specifying the following:
  • Description of the circumstances of the data breach and the cause, if known
  • Day or the period during which the data breach happened, or if neither is known, the approximate period
  • Description of the personal information that was breached
  • Specific number of people affected by the breach, or if unknown, the approximate number
  • Description of the measures that the organization has undertaken to lessen or mitigate the risk of harm to the affected individuals
  • Description of the steps that the organization has undertaken or intends to undertake to notify the affected individuals
  • Name and contact information of a person who can answer, on behalf of the organization, to the Privacy Commissioner of Canada about the breach
Under the DPA regulations, report may be sent to the Privacy Commissioner of Canada by any secure means of communication.

B. Notification to Affected Individual 

The DPA regulations mandate that affected individual or individuals must be notified about the breach “as soon as feasible”.  In terms of content, the required notification to affected individuals is similar to the content of the data breach report to the Privacy Commissioner of Canada. 

Under the DPA regulations, notifying the affected individual can be done through direct or indirect means.  Direct notification under the regulations refers to telephone, mail, email or in-person communications; while indirect notification refers to public announcements that could reasonably be expected to reach the affected individual or individuals. 

Indirect notification is allowed under the regulations when any of the following condition is present:

  • Direct notification would likely result in further harm to the affected individual
  • Direct notification would likely result in undue hardship to the organization
  • Organization has no contact details for the affected individual
C. Data Breach Record-Keeping Requirements 

The Digital Privacy Act’s regulations mandate that an organization that suffered data breach must maintain a record for 24 months, starting from the day the organization found out that the breach has occurred.

The Government of Canada, in a statement, said that the mandatory data breach reporting has social, economic and public security benefits.

The Canadian Government said that in terms of social benefits, the mandatory breach reporting allows affected individuals to take immediate action to protect themselves in terms of economic benefits, the mandatory breach reporting creates certainty across the marketplace about how organizations notify affected individuals; and in terms of public security benefits, the mandatory breach reporting contributes positively to the security of individuals and the cybersecurity readiness of businesses in Canada.

Finding a Partner to Mitigate Risk and Maintain Compliance

We encourage you to become well versed on the 2018 PIPEDA update by reviewing this information. However, the best way to hedge the risk of violating the new rules and regulations of mandatory breach reporting, is to not get breached in the first place.

How do you accomplish this? Through the following: 

  • Use business software tools that offer enterprise data security and threat protection. 
  • Adopt endpoint threat protection that leverages machine learning and AI. 
  • Secure the services of a Managed Services Provider (MSP) with experience and expertise in advanced cyber security and data privacy law compliance.

As one of the country’s premier MSPs, SIRKit has extensive experience in helping organizations institute exacting cyber security protocols that also adhere to compliance laws in Canada, the U.S. and overseas. Contact SIRKit to learn more.

© 2019 Sirkit. All Rights Reserved.