Like many organizations in Canada, yours is probably not fully prepared for the mandatory breach reporting requirements coming into force under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) on November 1, 2018.
Here are three measures your organization ought to take in preparation for mandatory breach reporting:
1. Implement internal breach reporting and response protocols.
Organizations subject to PIPEDA will be required to report breaches of “security safeguards” involving personal information that pose “a real risk of significant harm” to individuals, separately to the affected individuals and to the Privacy Commissioner of Canada.
It is likely that few employees in an organization will know about this requirement, or understand what sort of breach must be reported. Due diligence requires organizations to have a breach reporting procedure in place, and training on it, so that information concerning a breach can be handled appropriately. Studies on breaches demonstrate that employees can be the weakest link. Let your employees help you. Prompt recognition and escalation of a real issue, and notifying people affected by a breach that their information may have been compromised, can also be matters of good customer service.
2. Review and update third-party vendor and service provider agreements.
Your organization will be responsible for personal information under its control, which includes information held by your vendors and service providers. Most third-party service agreements do not contemplate the reporting of breaches from the service provider up the chain that is required to satisfy the lead organization’s breach reporting and record-keeping requirements.
Most organizations rely on their service providers to safeguard and manage sensitive information. Do not let gaps in your agreements result in a breach of notification or record-keeping requirements, or leave any potential for embarrassing reputational risks.
3. Develop a plan for record retention: do not create evidence or waive privilege.
The new regulations require an organization to maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred. This requirement is daunting and you may be asking yourself, “What is the extent of the records required?” and, “Are we just preserving evidence for a class action claim?”
The regulations say the records must contain any information that enables the Commissioner to verify compliance with the reporting requirements, particularly referencing the legal issue of whether it is reasonable in the circumstances to believe that the breach creates “a real risk of significant harm” to an individual. The Commissioner’s guidance on this point calls for a general description of the circumstances of the breach and, if a breach is not reported, a brief explanation as to why not.
Keeping the right records can be tricky. As demonstrated in Kaplan v. Casino Rama Services Inc., 2018 ONSC 3545, it may be too easy to waive privilege over investigation and forensics reports. You need a plan in place that will address the record-keeping requirements and help maintain privilege over records. Involve your legal counsel in the development of your incident response plans and breach response to ensure you get this right.
If you have questions about whether your organization is subject to PIPEDA, or whether a particular data breach needs to be reported, you can ask Parker, our privacy chatbot.