Firms holding personal info on Canadians must meet new standard

Firms holding personal info on Canadians must meet new standard
© iStock

Organizations subject to Canadian privacy law were forced to comply with new rules in relation to privacy breaches as of Nov. 1. Here are six key considerations for organizations seeking to comply.

1. Identify all the rules that may apply.

The new PIPEDA rules will be directly applicable to most private-sector organizations operating in Canada or that process information about Canadians.

Canadian privacy regulators have frequently taken jurisdiction over foreign-based organizations in the context of privacy breaches, including where organizations do not have any local presence or operations but held personal information about Canadian residents. Where there exists a "real and substantial" connection to Canada, PIPEDA will normally be considered to apply.

Questions remain about how the rules will apply in British Columbia, Alberta and Quebec, which have enacted privacy laws that supplant the application of PIPEDA in many cases.

In addition, foreign breach notification rules and industry-specific notification rules may be applicable in some cases — of particular significance are European Union and California breach notification rules described below.

In the European Union, under the General Data Protection Regulation (GDPR), controllers have the duty to report data breaches to the appropriate supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the incident.

When the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller should communicate as soon as possible the personal data breach to the affected individuals under certain circumstances.

In California, any business that operates in the state and that owns or licences computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The disclosure shall be made in the most expedient time possible and without unreasonable delay. Breaches of confidentiality that affect more than 500 California residents must also be reported to the California attorney general.

The California Consumer Privacy Act, which will come into force in 2020, does not provide for any additional obligations to these requirements.

2. Assess breach detection capabilities.

Proactive auditing and detection measures have previously been encouraged by the Office of the Privacy Commissioner of Canada as part of the safeguarding obligation under PIPEDA: Evolving Cybersecurity Regulatory Guidance — Key Finding from Privacy Commissioner of Canada.

In order to ensure that potential privacy breaches will be identified for appropriate action, organizations should assess and update their incident detection capabilities as needed.

In addition to the use of data-loss prevention tools and related technical measures to prevent and flag potential breaches, organizations should consider how audits and detailed privacy training programs can help identify privacy breaches.

Privacy training programs should be updated to educate employees about breaches, their responsibilities, and the new rules.

3. Update incident response plans.

Organizations should update their incident response plans to help ensure effective incident response and compliance. Incident response plans should provide a clear roadmap for employees to escalate privacy incidents so that designated decision-makers can address any necessary actions under PIPEDA.

This roadmap should include communication protocols and rules to protect legal privilege. Organizations should also consider updating incident response plans to reflect a breach recordkeeping strategy and relevant insurance considerations, highlighted below, and other matters.

4. Implement a breach record keeping strategy.

Pursuant to the new rules, organizations are required to retain for 24 months a record of every privacy breach, no matter how insignificant the breach may appear. The record must contain sufficient information to enable the commissioner to verify compliance with the breach notification requirements in PIPEDA.

Organizations should adopt a considered approach to recordkeeping, bearing in mind privilege, business objectives and the limits of PIPEDA.

Organizations should consider whether to maintain PIPEDA breach records in a stand-alone file and refrain from creating such records in respect of: suspected or potential breaches, information that is not under the organization’s control and breaches affecting employee personal information if the organization is not a federal work, undertaking or business under PIPEDA.

5. Review service-provider relationships.

Where an organization engages a service-provider to process personal information on its behalf, that organization remains accountable under PIPEDA and is considered to remain in control of the information.

Since the new PIPEDA rules apply to the organization with "control" of personal information that is breached, that organization should consider the full range of contractual and other measures necessary to manage risk arising out of service-provider breaches.

Contractual measures may include provisions requiring the service provider to notify the organization of all suspected breaches, cooperate to investigate breaches and provide all information necessary to meet the new PIPEDA rules.

6. Understand insurance coverage and requirements.

Organizations have increasingly turned to cyber insurance to transfer the potentially staggering costs and liability that can be associated with privacy breaches.

The new PIPEDA rules are expected to exacerbate such risks, further increase an already active class-action litigation environment in Canada for privacy breaches, and further drive the evolution of the cyber insurance market.

Organizations must clearly understand the scope of coverage and requirements under their insurance policies in the context of a breach.

Conclusion

The coming into force of the new PIPEDA rules is widely expected to have a dramatic impact on the privacy compliance and risk landscape in Canada.

In addition to reviewing the PIPEDA provisions and regulations in respect of privacy breaches, organizations should review the final privacy breach guidance issued by the commissioner.

Alex Cameron is chair of Fasken's Privacy and Cybersecurity Group. Antoine Guilmain is an associate with Fasken and a member of the firm's Privacy and Cybersecurity Group. Fasken is an international business law firm headquartered in Toronto.