Mandatory Data Breach Notification … Are You Ready?
On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) received Royal Assent in Parliament. This Act provides amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). Under the Digital Privacy Act, organizations that experience a data breach — referred to in the Act as a “breach of security safeguards” — must soon – by law – comply with certain reporting obligations:
- The organization must determine whether the breach poses a “real risk of significant harm” (RRoSH) to any individual whose information was involved in the breach (“affected individuals”) by assessing the sensitivity of the information involved and the probability that the information will be misused;
- When the organization identifies a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada (the Commissioner) “as soon as feasible”;
- The organization must also notify any other organization that may be able to mitigate harm to affected individuals; and
- The organization must maintain a record of any data breach that the organization becomes aware of and provide it to the Commissioner upon request. The record must be retained for a minimum of two years.
According to the Order in Council released March 26, 2018, the long-awaited mandatory breach notification requirements will come into effect on November 1, 2018.
The final version of the data breach notification regulations was released on April 18, 2018 in Canada Gazette.
The objectives of the new regulations are to ensure that:
- All Canadians receive consistent information about data breaches that pose a risk of significant harm to them;
- Notifications contain sufficient information to enable individuals to understand the significance and potential impact of the breach to them;
- The Privacy Commissioner of Canada receives consistent and comparable information about data breaches that pose a risk of significant harm; and
- The Commissioner is able to provide effective oversight and verify that organizations are complying with the requirements to notify affected individuals of a data breach and to report the breach to the Commissioner.
With these regulations coming into force, there will undoubtedly be many questions as organizations endeavor to come to grips with what the regulations mean to them, and what the impact will be.
Who needs to comply with PIPEDA and the new requirements?
PIPEDA applies to private sector organizations that are not federally regulated, and do business in the following provinces or territories:
- New Brunswick
- Newfoundland and Labrador
- Northwest Territories
- Nova Scotia
- Prince Edward Island
PIPEDA does not apply to the following provinces, which have their own privacy legislation deemed to be substantially similar to PIPEDA:
- British Columbia
However, if any personal information leaves the province, then PIPEDA would apply. Some of these provincial laws already have breach notification requirements in place, and some do not. It is likely that all will eventually follow suit, in order to remain “substantially similar” to PIPEDA.
What constitutes a “Real Risk of Significant Harm”?
PIPEDA defines RRoSH as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”.
The following factors should be taken into consideration when conducting a risk assessment to evaluate whether a breach poses a real risk of significant harm to an individual:
- the sensitivity of the personal information involved in the breach; and
- the probability that the personal information has been, is being or will be misused.
What are “appropriate security safeguards” and how can they be breached?
PIPEDA defines a “breach of security safeguards” as the loss, unauthorized access, or unauthorized disclosure of personal information resulting from either a failure to establish or a failure of an organization’s security safeguards.
Appropriate safeguards will vary depending on the sensitivity of the information that they are protecting, but in general they should include:
- Physical protection such as a locked filing cabinet, locked office or locked data centre;
- Logical protection such as role-based access permissions and restricting access based on need-to-know; and
- Technical controls such as passwords and encryption.
Examples of a breach of security safeguards could include, but are not limited to:
- A lost or stolen laptop or removable electronic storage device containing personally identifiable information of customers;
- An employee opening/responding to a phishing email, inadvertently disclosing their password or allowing keystroke logging malware to be installed; and
- Lost or stolen paper records containing personally identifiable information.
How do I know if I’ve been breached?
Many organizations do not realize that a data breach has occurred until months after it has actually taken place. According to the Ponemon Institute’s 2017 Cost of Data Breach Study, the average amount of time an attacker is able to operate undetected is approximately 191 days. In fact, the majority of organizations don’t identify the breach themselves, but are notified by external parties such as law enforcement, customers, service providers, business partners, or sometimes the attacker themselves.
Security Incident and Event Management (SIEM) or Intrusion Detection/Prevention Systems (IDS/IPS) that monitor system logs or network traffic for suspicious activity can be an effective way of identifying attempts to gain unauthorized access, or in some cases, actual breaches in progress. Other technologies that can alert when sudden increases in network activity occur can help to detect (and even block) attempts to send out large amounts of data from the organization.
What steps can I take to prevent being breached?
It is important to know what data you have, the sensitivity of the data, and where the data is stored. A good data inventory is a good first step. Strict access controls should be applied to sensitive data to prevent unauthorized access. Systems should be kept up to date with security patches to reduce the presence of vulnerabilities, especially on systems that are exposed to the Internet, such as web servers or mail servers.
While preventative controls will help to prevent an intrusion or a data breach, detective controls are useful as a layered defense, in the event that there is a breakdown of the preventative controls. Having sufficient security logs is essential for both detection and investigation of a breach. Key systems, such as firewalls and other network devices, security systems, and servers should send their security logs to a centralized log analysis system to detect anomalous activity. Sending the logs to a log monitoring tool will provide a level of situational awareness that is not possible using humans to review the vast amount of logs.
Conducting regular risk assessments or third party audits on your IT infrastructure can be useful in staying up to date with emerging threats and identifying areas where security controls may need improvement. Additionally, as breaches often occur when a third party service provider/vendor is compromised and used as a launch point for further attacks, it is prudent to evaluate the risks that third parties pose to your organization.
What can I do to minimize my risk after a breach?
The sooner a breach is detected, the sooner it can be contained and recovered from. Having a well-documented and tested Incident Response Plan can go a long way to ensure an appropriate, timely, and effective response. If your organization experiences a data breach, the following tasks need to be performed in order to comply with the new breach notification requirements:
- Conduct a risk assessment
- Maintain a log of all breaches – the log must retain information about breaches for a period of at least two years from the time the breach was declared. Maintaining a log of all breaches is important as the Privacy Commissioner may request to see these records
- Notify the Privacy Commissioner (if there is a RRoSH)
- Notify affected individuals and take steps to minimize impact to them, if possible
How long do I have to report a breach?
When it comes to reporting a breach “as soon as feasible”, many organizations will question what that means. The regulations recognize that breach investigations can be lengthy, sometimes taking weeks or months to complete. In such cases, it would not be prudent to wait until the investigation is concluded before reporting the breach to the Privacy Commissioner.
A more practical approach is to provide a report to the Commissioner containing initial information that is available at the time and then provide an update to the report at a point in the future. It is recommended that initial disclosure be communicated to the Commissioner 48 to 72 hours following the detection of the breach.
What is involved in notification?
In order to notify the Office of the Privacy Commissioner (OPC), there is a form that can be downloaded from the OPC website. The form requires the following information:
- Information about the organization, including contact information
- Third party reporting the breach (if applicable), and identification of the third party
- Location, date of the incident and discovery date of the incident
- Description of the incident, cause (if known), estimated number of individuals affected and type(s) of individuals affected (e.g. customers, employees)
- Types of personal information involved
- Brief description of action taken to contain breach
- Has anyone been notified of the incident? (e.g. affected individuals, law enforcement, other) and when? (date)
Notification to individuals can be done in a variety of ways, depending on how the organization typically communicates with them. This could be through email, in-app notification, text message, telephone, mail, or other means.
What happens if I don’t disclose a breach of personal data?
Organizations that knowingly withhold information about data breaches from the Privacy Commissioner’s office or fail to keep records of past breaches could face fines of up to $100,000 and be publicly named by the OPC. Thus, the reputational damage could far exceed this amount of the fine in the form of lost customer confidence.
How Richter can help:
A data breach can happen to any company – and if it does, how you respond is what matters. Understanding and complying with new legislation may be difficult, but doing so will not only help you manage your reputation with your clients or customers, ultimately, it will ensure you won’t be breaking the law.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Digital Privacy Act
Canada Gazette Vol. 151, No. 35 — September 2, 2017
Canada Gazette Vol. 152, No. 8 — April 18, 2018
Ponemon Institute Research Report: 2017 Cost of Data Breach Study
Summary of Privacy Laws in Canada (from OPC Website)