PIPEDA Mandatory Breach Notification in Effect November 1, 2018
The majority of Alberta private sector businesses are already subject to mandatory breach notification rules under the Personal Information Protection Act (PIPA), the Alberta government’s legislation. However, come November 1, 2018, those Alberta businesses that are federally regulated (banking, broadcasting, interprovincial trucking, telecommunications, etc.), and local businesses in the Yukon, Nunavut and the Northwest Territories, will also be subject to breach reporting rules.
The Digital Privacy Act became law in August 2015, but the implementation of the rules relating to the reporting of data breaches was delayed. Perhaps as a result of several recent high profile breaches (Facebook, Uber, Hudson Bay Co.), the federal government has now decided to roll out the breach notification requirements.
Starting November 1, any organization which is subject to the federal legislation (the Personal Information Protection and Electronic Documents Act, or PIPEDA) will be required to report to the federal Privacy Commissioner any “breach of security safeguards”, which is basically any loss of, unauthorized access to, or unauthorized disclosure of personal information, if it is reasonable to believe that the breach creates a real risk of significant harm to an individual. In addition, organizations will be required to report the breach to any individual affected by it. Finally, if an organization believes that another organization (e.g. a credit card issuing bank) or government body might be able to reduce the risk of harm to the individuals affected by the breach, it must also report the breach to that organization or government body. All reporting must be done “as soon as feasible” after the breach occurs. Regulations will detail all of the information which must be included when reporting a data breach to either the Privacy Commissioner or the affected individual.
When determining whether there is a risk of significant harm, organizations must consider the sensitivity of the personal information involved in the breach and the probability that the personal information is being, or will be, misused. “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property.
In addition to the reporting requirements, organizations will be required to keep a record of all breaches involving personal information (including those that do not create a real risk of significant harm) for a period of two years and provide a copy of that record to the Privacy Commissioner upon request.
Organizations must be prepared to take their breach notification obligations seriously as a knowing failure to comply with the breach reporting requirements could result in fines of up to $100,000. Further, as the number of class actions related to data breaches continues to grow, organizations which fail to meet the legislated requirements related to breaches put themselves at risk of significant damages.
We have assisted clients with breach reporting requirements under PIPA and are well-positioned to help if your organization finds itself faced with a privacy breach.