TORONTO (Thomson Reuters Regulatory Intelligence) - Canada has proposed new regulations outlining how organizations, including financial firms, will report and record cyber-security breaches, assess potential harm, and notify affected individuals. The proposal, which aligns with EU data-protection rules that take effect next year, is intended to implement mandatory breach-reporting requirements described in the Digital Privacy Act of 2015.
The Breach of Security Safeguards Regulations, proposed in September by the federal Department of Industry, specify minimum content requirements for reporting data breaches to the Privacy Commissioner and notifying affected individuals, while clarifying the scope and retention period for record-keeping.
The Digital Privacy Act amended Canada's private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), and introduced a mandate requiring companies to report data breaches to the Office of the Privacy Commissioner (OPC) and to the public. The proposed breach-reporting regulations aim to give some prescriptive clarity to those statutory requirements, while offering enough flexibility to ease implementation. These obligations will come into force once the government passes the proposed regulation.
The amended PIPEDA requires the following measures from firms that experience a “breach of security safeguards”:
— Conduct a risk assessment to determine if the breach poses a “real risk of significant harm” to individuals whose information was involved in the breach, including an evaluation of the sensitivity of the information involved and the probability of it being misused;
— In cases of significant harm, notify affected individuals and report to the Privacy Commissioner of Canada as soon as feasible;
— Notify other organizations capable of mitigating harm to affected individuals; and
— Maintain records of detected data breaches and provide them to the Privacy Commissioner upon request.
Under the proposed regulations, breach reports must be filed in writing and must contain the following:
— A description of the circumstances of the breach and, if known, the cause;
— The day or period during which the breach occurred;
— A description of the personal information exposed by the breach;
— An estimate of how many individuals face “real risk of significant harm” due to the breach;
— A description of the steps taken to reduce or mitigate the risk of harm to each affected individual;
— A description of the steps that will or have been taken to notify each affected individual; and
— The name and contact information of a person who can address questions from the Privacy Commissioner on behalf of the firm.
Notifications for individuals must contain the following:
— A description of the circumstances of the breach;
— The period during which the breach occurred;
— A description of the personal information exposed by the breach;
— A description of the steps taken to reduce or mitigate the risk of harm to the affected individual;
— A description of the measures available to affected individuals for reducing or mitigating the risk of harm resulting from the breach;
— A toll-free number or email address that the affected individual can use to obtain further information about the breach; and
— Information about the firm’s internal complaint process and about the affected individual’s right, under PIPEDA, to file a complaint with the Privacy Commissioner.
Firms must directly notify affected individuals in the following ways:
— By email or any other secure form of communication, assuming the affected individual has consented to receiving communications from the firm in that manner;
— By letter delivered to the last known home address of the affected individual;
— By telephone; or
— In person.
Firms would be permitted to use indirect notification methods if direct contact would cause further harm, would impose prohibitive costs on the firm, or if the organization lacks accurate contact information for the affected individual. The proposal specified two indirect channels: a “conspicuous message” posted on the organization’s website for at least 90 days, and/or an advertisement likely to reach affected individuals.
The proposal would require firms to maintain a record of every breach for 24 months “after the day on which the organization determines that the breach has occurred”, the consultation said. It added that the two-year retention period will “incentivize organizations to track and analyze the impact of all data security incidents”.
Firms could apply a “broad interpretation” of what constituted a record, the consultation noted. Records would have to include information that “enables the Commissioner to verify compliance” with PIPEDA’s reporting and notification requirements. Breach reports sent to the Privacy Commissioner would constitute such a record, the consultation specified. This “will encourage better data security practices by the organizations,” it said.
The proposed provisions align closely with the European Union (EU) General Data Protection Regulation (GDPR), which comes into force in May 2018. This alignment was an "important factor in mitigating compliance costs" for firms operating in Canadian and European jurisdictions, the consultation said. "To the extent that the proposed regulations can align data breach reporting under PIPEDA with requirements in other jurisdictions, this would reduce the burden of notification for many organizations in Canada," it added.
The United States has been slower to develop national data-protection standards, leaving states including New York and Colorado to take a lead.
“The proposed Regulations allow for data breach reports to be submitted with the best information available to the reporting organization at the time,” the proposal said. “This allows an organization to report breaches within an appropriate time frame, even when all information is not yet available. In these cases, organizations may provide updates to the report at a later date, if further pertinent information becomes available.”
Citing previous industry feedback, the proposal stressed the “need for flexibility” to allow a wide range of organizations to comply with PIPEDA in a way that suited their particular circumstances. “The majority of business representatives were against overly prescriptive regulations and expressed the desire to make use of existing practices to meet their new obligations to the extent possible,” the paper said.
Mandatory breach reporting, along with specific content requirements, would give affected individuals the opportunity to take “immediate action to protect themselves” from further harm, such as fraud, identity theft, humiliation, and/or loss of employment, the proposal said. “A minimum standard for notification also assures Canadians that they can expect a similar approach to notification by all organizations,” it added.
Noting that the proposed regulations largely reflected existing best practices established by the Office of the Privacy Commissioner, the consultation stressed that many regulated entities “will have already incorporated them to some degree into their own policies and procedures”.
In response to industry requests for a transition period, the proposed regulations will allow for “delayed coming into force” after the publication of final rules, though no timeline was offered. “This will give regulated organizations time to adjust their policies and procedures accordingly and to ensure that systems are in place to track and record all breaches of security safeguards that they experience,” the consultation said.
Interested parties have until October 1, 2017, to comment on the proposal.
(Daniel Seleanu is a correspondent for Thomson Reuters Regulatory Intelligence in Toronto. Email Daniel at email@example.com)
This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Sept. 28.