New Privacy Breach Reporting Regulations
As of November 1, 2018, domestic and foreign organizations operating in Canada that are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) are required by law to report and give notice of certain privacy breaches.
The breach reporting requirements relate to a “breach of security safeguards” which is defined in PIPEDA as the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from a failure to establish those safeguards.
The impact on businesses is significant: knowingly failing to report a breach, to notify affected individuals, or to keep the required breach records is an offence under PIPEDA and can result in fines of up to $100,000.
Privacy Breach Reporting Requirements
The changes will require domestic and foreign organizations subject to PIPEDA to:
- notify affected individuals about privacy breaches that pose a real risk of significant harm;
- report those breaches to the Office of the Privacy Commissioner of Canada and, in certain circumstances, to other organizations or government institutions that may be able to reduce the risk of harm;
- keep records of every breach of security safeguards, whether or not it was reported.
There is no fixed deadline for giving notice; however, the required reports and notifications must be provided as soon as feasible after the organization determines that the breach has occurred. What counts as feasible will vary on a case-by-case basis.
In addition to the form and content requirements for notices, the regulations require organizations to maintain a record of every breach of security safeguards, including those judged not to pose a real risk of significant harm, and to retain each record for 24 months after the day the organization determines the breach occurred. The Privacy Commissioner may request these records at any time.
Guidance for Privacy Breach Record Keeping
Guidance from the privacy commissioner states that the minimum expectations for record keeping include information about:
- the date or estimated date of the breach.
- a general description of the circumstances of the breach.
- the nature of the information involved in the breach.
- whether the breach was reported to the Privacy Commissioner of Canada and whether affected individuals were notified.
- if the breach was not reported, a brief explanation of why the breach was determined not to pose a real risk of significant harm.
Give us a call at TCS Forensics. We offer free consultations and can answer any questions you may have about your organization’s security and the implications of Canada’s new privacy breach reporting requirements.