Draft mandatory data breach reporting regulations released for comment in Canada

Data Protection Report - Norton Rose Fulbright

On September 2, 2017, the Government of Canada published proposed new data breach regulations in the Canada Gazette.

These regulations set out specifics regarding the mandatory data breach reporting requirements under the Personal Information Protection and Electronic Documents Act.

The PIPEDA Amendments were passed in June 2015 but are not yet in force.

Overview

The Regulations set out the proposed requirements for the reporting of data breaches of security safeguards (each, a Breach). Under the PIPEDA Amendments, a report to the Privacy Commissioner of Canada is required if it is reasonable in the circumstances to believe that the Breach poses a “real risk of significant harm” to any individual.

The Regulations include specifics of:

  1. the contents of a Breach report addressed to the Commissioner;
  2. the contents of a notice to an individual affected by a Breach;
  3. how notices must be provided; and
  4. record-keeping requirements.

Alberta is currently the only Canadian jurisdiction in which data breach reporting is mandatory. The “real risk of significant harm” threshold in the PIPEDA Amendments and the reporting requirements under the Regulations are substantially similar to the requirements under Alberta’s private sector privacy legislation, the Personal Information Protection Act (Alberta PIPA). The practice and experience in Alberta may therefore be considered when interpreting the new federal requirements.

Notices of a data breach to the Commissioner

A report of a Breach made to the Commissioner must be in writing and must contain the specific content set out in the Regulations.

There are no surprises in connection with the required content for a report of a data breach to the Commissioner, which mirrors the current form provided by the Commissioner for voluntary reporting and is similar to the requirements of the Alberta PIPA.

The Office of the Information and Privacy Commissioner of Alberta currently publishes data breach notification decisions where a real risk of significant harm was identified and notification to affected individuals was required. These decisions include the name of the organization that suffered the data breach and include the Alberta OIPC’s analysis of harm to individuals. It remains to be seen whether the Commissioner will adopt this practice. If it does, organizations should be prepared for a Breach to be made public when it is reported to the Commissioner.

Notices to affected individuals

Under the PIPEDA Amendments, organizations must notify an individual affected by a Breach when it is reasonable to believe that the Breach creates a real risk of significant harm to the individual.

Most of the content of these required notices mirrors the requirements under the Alberta PIPA for mandatory data breach reporting and those of the Commissioner for voluntary notification to individuals, with some additions. In particular, there is a proposed requirement to include a description of the steps that the individual could take to reduce the risk of harm.

The Regulations set out the manner of providing direct notification to individuals. Notification by “email or another secure form of communication” appears to be permitted only if the affected individual has consented to receiving information from the organization in that manner. As drafted, it is not entirely clear if consent would be needed for email notice or just for notice sent by “any other secure form of communication.” Paper (delivered or sent by “snail mail”), telephone and in-person notices may be used without consent. In our view, the consent requirement should be eliminated in favour of allowing notification by electronic means where such means have been used previously by the organization to communicate with the individuals. Furthermore, a preference for personal over electronic communication is outdated.

The Regulations also set out the circumstances when notification to affected individuals may be given indirectly, which include when the cost of giving direct notification is prohibitive to the organization. This may be welcomed by businesses in some circumstances, especially by smaller and mid-sized businesses involved in Breaches that affect many individuals. However, in order to provide indirect notice, an organization would have to publish information about the Breach conspicuously on its website or publish an advertisement that is likely to reach the affected individuals.

Record-keeping requirements for data breaches

The Regulations require organizations to maintain a record of every Breach for 24 months after the date of determination that it has occurred. This record-keeping requirement has been criticized as being overly broad in that it requires record-keeping in respect of all Breaches, including those that do not involve a “real risk of significant harm” to individuals and would not be required to be reported to the Commissioner.

These records must include information that enables the Commissioner to verify compliance with the reporting and notification requirements under PIPEDA. Where a report to the Commissioner has been made, such report may be used as a record to satisfy the record-keeping requirement.

Next steps

Members of the public may make representations regarding the Regulations until October 2, 2017.[1]

It is expected that once the final version of the Regulations is published, there will be a transition period before the PIPEDA Amendments are introduced and also prior to the Regulations being brought into force. The government did not indicate the duration of the transition period, although the regulatory impact statement notes that stakeholders proposed transition periods ranging from six to eighteen months. As there was a previous consultation on this topic in 2016, the PIPEDA Amendments and the Regulations may be finalized relatively quickly. Organizations should therefore be prepared to update their data breach response plans to address the requirements of the PIPEDA Amendments and the Regulations once they are finalized.

Footnote

[1] We note that there was a consultation last year on what should be included under the Regulations (before any draft of the Regulations had been published). Some of the responses to that consultation were apparently considered in the drafting of the Regulations.

“But the emails” – companies’ SEC filings reflect ransomware risks

The Equifax breach will likely devour the entire breach news cycle in the near term, given the size of the incident and that it gets to the essence of the company’s business of maintaining some of the most sensitive consumer information. Still, in what for the moment might seem like a more pedestrian risk, companies continue to be affected by ransomware. One of the unique aspects of ransomware is that it does not involve just stealing information, but makes the information unavailable to the business. If critical information is unavailable, there is operational impact and often a material effect that companies must disclose publicly.

Most recently, WannaCry and Petya demonstrated the ability of ransomware to exploit security vulnerabilities, spread quickly and, in some cases, cripple company operations. Here is how some companies have addressed it.

General ransomware risk disclosures

In the energy sector, at least two companies — Concho Resources and Repsol — have disclosed ransomware risks. Concho’s 8-Ks from Q1 and Q2 2017 reference ransomware in the “Forward Looking and Cautionary Statements” section, where the company lists events and developments “regarding the Company’s future financial position, operations, performance, business strategy…” There, Concho lists cybersecurity risks, specifically ransomware, phishing, and data breaches as potential threats that could adversely affect the company.

Similarly, Repsol addresses ransomware in its 40-F filings as one of the cyber risk factors for the company. The company discloses that cyber risk factors, including ransomware, result in increased industry-wide concern about cyber threats intended to disrupt business that “could have a negative financial effect on the Company’s operational performance and earnings, as well as the Company’s reputation.”

IBM’s most recent 10-K identifies ransomware as a cyber risk that could impact the company’s business by causing “the loss of access to critical data or systems.”

Ransomware incident disclosures

Companies have also made specific disclosures about ransomware after experiencing an attack.

In one example of a post-attack disclosure, FedEx’s most recent 10-K (May 2017) discusses the impact of the WannaCry and Petya attacks on FedEx systems and subsidiaries. Specifically, the disclosure states that a FedEx subsidiary “TNT Express experienced a significant cyber-attack” but that the company was at the time still unable “to determine the full extent of its impact, including the impact on … results of operations and financial condition,” concluding that likely “the financial impact will be material.” The 10-K also warns that FedEx is unable to “estimate when TNT Express services will be fully restored” and that it may be “unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted.”

Our take

It has been about 10 years since the TJX breach opened companies’ eyes to potential risks of not being vigilant in protecting their data and systems. As attackers have become more discerning and sophisticated, the impact of breaches on companies has moved from the realm of plaintiffs’ counsel imagination to real operational impact. Ransomware locks up important data that can stop a company in its tracks, and massive breaches like the one impacting Equifax create existential threats for companies that live and die by data. Companies that have avoided experiencing serious harm from breaches should use every publicized incident as an opportunity to remind management that more can and should be done to protect critical data and systems. And, in the aftermath of such an attack, companies must consider whether they have a duty to report the potential harm from the attack to the public and shareholders.

—————————————

Norton Rose Fulbright nominated for Cyber Law Firm of the Year

Norton Rose Fulbright has been shortlisted for ‘Cyber law firm of the year’ at the Insurance Insider Cyber Ranking Awards 2017. Voting is now open, and you can show your support for Norton Rose Fulbright by casting your vote ahead of the award ceremony on 29 September 2017.

The category of “Cyber law firm of the year” is a new addition to the Cyber Ranking Awards and provides brokers and underwriters with a chance to vote for the law firm that they believe has contributed the most to bringing innovative solutions to market over the past 12 months. We are honored to be included as a nominee, and believe that it reflects our leading experience within the cyber insurance sector.

Norton Rose Fulbright provides data protection, privacy and incident response services around the globe, and works closely with the insurance industry to address cyber and technology-related risks.

Delaware amends data breach notification law

Earlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018. Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all information necessary for the resident to enroll in such services as well as instructions for how to implement a credit freeze. This makes Delaware the second state to require credit monitoring services be provided to residents at no cost following a breach. (Connecticut has a similar provision.)

UK data protection after Brexit – UK government Statement of Intent contains few surprises

On 7 August 2017, the UK’s Government Department for Digital, Culture, Media and Sport issued a Statement of Intent (the Statement) outlining its planned reforms of the UK’s data protection laws, which are to be implemented by the Data Protection Bill (the Bill). The Statement anticipates the UK’s departure from the EU and makes it clear that following this, the Bill will transpose the General Data Protection Regulation (the GDPR) into domestic law, stressing the importance of continued efficiency of data flow between the UK and the EU in a post-Brexit world.

German court: monitoring of employees by key logger is not allowed

The German federal labor court held in a recent decision (Bundesarbeitsgericht, 27 July 2017 – case no. 2 AZR 681/16) that the use of evidence obtained through the use of key logger software is not permitted under current German privacy law if there is no suspicion of a criminal offense. Such monitoring is only allowed when an employer has a concrete suspicion of a criminal offense by an employee or any other serious breach of duty in a specific case. This decision is understood as general guidance from the highest labor court on secret employee monitoring.

US Senators introduce IoT cybersecurity bill

On August 1, 2017, US Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure.

The draft bill, introduced by a bipartisan coalition of Senators, proposes implementation of basic security requirements for interconnected devices purchased by the federal government. Under the proposed law, federal suppliers would be required to monitor and patch cybersecurity vulnerabilities.

US Coast Guard Releases Draft Cybersecurity Guidelines

On July 11, 2017, the US Coast Guard (USCG) and the Department of Homeland Security (DHS) proposed new cybersecurity draft guidelines for Maritime Transportation Security Act (MTSA) regulated facilities. The guidelines follow the White House’s May 2017 Executive Order to strengthen the cybersecurity of critical infrastructure. The draft guidelines are open for public comment until September 11, 2017. The guidelines outline a position on addressing cybersecurity that is consistent with the National Institute for Standards and Technology (NIST) Cybersecurity Framework and other cybersecurity guidance. Similar to the Executive Order, the draft reflects a growing emphasis on mitigating cyber threats to critical infrastructure.

The guidelines are divided into two sections. One provides draft guidance on existing regulatory requirements and how they relate to cybersecurity. The second advises regulated facilities on how to implement a cyber risk management governance program.

Hong Kong Company Director Convicted Under Personal Data (Privacy) Ordinance

A director of a Hong Kong company has been convicted of an offence under the Personal Data (Privacy) Ordinance (“PDPO”). This is the first conviction of its type under the PDPO since the law came into effect in 1996, confirming the potential for directors’ liability under the law.

China Seeks Comment on Draft Regulation on Critical Information Infrastructure

On 10 July 2017 the Cyberspace Administration of China (CAC) issued a draft Regulation on the Protection of Critical Information Infrastructure (CII Regulation) for public comment. The comment period ends on 10 August 2017. This long-anticipated regulation, formulated pursuant to Article 31 of the Cyber Security Law of China (Cyber Security Law), is a key implementing measure for the Cyber Security Law. In this client update we outline the key features of the draft CII Regulation and highlight its implications for businesses.

The Privacy Implications of Autonomous Vehicles

This is the first of a two-part series discussing the privacy and security issues associated with the widespread use of automated vehicle technology. This first post focuses on potential privacy issues, while the second post – coming soon – will address security issues.

Background

As the development and testing of self-driving car technology has progressed, the prospect of privately-owned autonomous vehicles operating on public roads is nearing. Several states have passed laws related to autonomous vehicles, including Nevada, California, Florida, Michigan, and Tennessee. Other states have ordered that government agencies support testing and operations of these vehicles. Industry experts predict that autonomous vehicles will be commercially available within the next five to ten years. A 2016 federal budget proposal, slated to provide nearly $4 billion in funding for testing connected vehicle systems, could accelerate this time frame. In addition, the National Highway Traffic Safety Administration (NHTSA) set a goal to work with stakeholders to “accelerate the deployment” of autonomous technologies.

This post will explore some of the privacy issues that should be addressed before these vehicles are fully commercialized.
