Canada is the latest country to roll out a mandatory data breach notification regime, following in the footsteps of the European Union’s General Data Protection Regulation (GDPR) and Australia’s Notifiable Data Breaches (NDB) scheme, which were both implemented earlier this year.
Starting on 1 November 2018, private sector organisations in Canada will be required to notify the Office of the Privacy Commissioner of Canada (OPC) and any affected individuals of any breach involving personal information that they believe may create a “real risk of significant harm”. Organisations must also maintain records of every detected data breach and provide them to the OPC upon request. Failure to report a breach or maintain records is punishable by a fine of up to CAD 100,000.
The data breach notification regime was created via amendments to Canada’s data protection legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), in 2015. The requirements of the new regime were set out in the April 2018 Breach of Security Safeguards Regulations (BSSR).
According to the OPC’s recently published annual report, data breaches have increased in frequency: the number reported to the regulator has doubled since 2014. In 2017-18, 116 private sector breaches were reported to the OPC, an increase of 22% from the year before. The majority of incidents related to theft and unauthorised access (67%), followed by accidental disclosure (29%).
The OPC recently published draft guidelines on mandatory breach reporting that are intended to help organisations comply with breach reporting and record-keeping obligations under PIPEDA. Consultation ended in October and the OPC says it will publish final guidance by November 1st.
According to law firm Blake, Cassels & Graydon, much of the information in the draft guidelines is simply a reiteration of the legal requirements set out in PIPEDA and the BSSR. However, the draft guidelines provide some useful guidance in certain areas, such as how to assess the reporting threshold of “real risk of significant harm”.
According to the OPC, significant harm would be defined as: bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
The guidelines also set out the minimum information required when recording a data breach or reporting a breach to the OPC, the regulator responsible for enforcing the rules. The regulator has already published a draft report form that organisations can use to report a breach.
The OPC says it will pay particular attention to how organisations address security vulnerabilities and assess the real risk of significant harm. It will also monitor how breach records are maintained by organisations, a new obligation under PIPEDA.
While mandatory notification is a move in the right direction towards enhancing privacy protection, the OPC said that it would have liked the regulations to go further. Canada’s mandatory notification regime is more limited in scope than the GDPR, and the OPC says that reporting requirements will not generate the information it requires to assess the adequacy of an organisation’s safeguards. It also says it will receive no additional funding or resources to enforce the rules.
The OPC added that its powers to levy sanctions are limited under the notification rules. An “effective” breach reporting regime should include financial sanctions for not having adequate safeguards in the first place, not only for knowingly failing to report breaches after they have occurred, the OPC says in its annual report.
In addition to the notification requirements, Canadian data protection and privacy laws could soon get even tougher. At the end of September, OPC Commissioner Daniel Therrien called on the federal government to give the regulator greater powers to hold organisations to account. The Commissioner said that data breaches at Equifax, Uber and Nissan Canada Finance, as well as the alleged misuse of Facebook user data by Cambridge Analytica, should act as a ‘wake-up call’ to government.
Canada’s privacy legislation gives companies “wide latitude” to use personal information for their own benefit, according to Mr Therrien, who says that the “time of self-regulation is over”. He called for the drafting of “stronger privacy laws,” as well as greater powers and resources for the OPC to enforce them.
In particular, the OPC needs new powers to make orders, issue fines and conduct inspections to ensure businesses respect the law. The Commissioner also called for the government to increase the resources of the OPC, in part to meet its obligations under the new breach reporting regulations that come into force in November.
In February 2018, the Canadian House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI), which has been tasked with reviewing Canada’s privacy laws, called for changes to PIPEDA as proposed by the OPC, and even called for additional measures inspired by Europe’s GDPR. In June 2018, the Canadian government responded to ETHI’s recommendations to amend PIPEDA and conceded that changes are required to Canada’s privacy regime pending consultation.
The notification regime kicks in at a time of heightened cyber risk for Canadian companies and a potential lack of preparedness. According to the Canadian Survey of Cyber Security and Cybercrime, just over one-fifth (21%) of Canadian businesses said they were impacted by a cyber security incident in 2017. More than half (54%) of impacted businesses reported that cyber security incidents prevented employees from carrying out day-to-day work, while over half (58%) of businesses experienced some downtime as a result of an incident.
Worryingly, just 13% of businesses had a written policy in place to manage or report cyber security incidents. Only 10% of businesses impacted by a cyber security incident reported it to authorities. While almost all Canadian businesses surveyed employed some form of cyber security to protect themselves, many smaller firms failed to adopt basic cyber hygiene. Almost a quarter did not use anti-malware software or email security, while a third did not have network security, such as firewalls.