On April 18, 2018, the Canadian government published long-awaited Breach of Security Safeguards Regulations specifying the requirements for notifying the Office of the Privacy Commissioner and affected individuals of data breaches that pose a “real risk of significant harm.” The Regulations will come into force on November 1.

As we previously reported, the Digital Privacy Act, which amended Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) to include a mandatory breach notification requirement, became law nearly three years ago. The Regulatory Impact Analysis Statement accompanying the Regulations indicates that the timing of their release last week may have been motivated in part by a desire to bring Canadian standards in line with the forthcoming EU General Data Protection Regulation, which takes effect on May 25. Certain stakeholders, including the Privacy Commissioner, advocated immediate implementation of the Regulations, citing the “lengthy period of consultations on the Regulations and the frequency of data breaches involving the information of Canadians” as well as “the need to align the Regulations more closely with those of the breach reporting requirements of the GDPR given that many Canadian organizations must comply with both Canadian and European law.”

Among other obligations, the Regulations require organizations to:

  • Conduct a risk assessment to determine whether the breach poses a “real risk of significant harm” to affected individuals, considering both the sensitivity of the compromised information and the probability that it will be misused.
    • “Significant harm” may include humiliation; damage to reputation or relationships; identity theft; bodily harm; loss of employment, business or professional opportunities; financial loss; and damage to or loss of property.
  • Provide notice to affected individuals and to the Privacy Commissioner “as soon as feasible” – no set time limit is specified. Similar to the GDPR’s approach, the Regulations allow for updating of a breach report as additional information becomes available.
  • Maintain a record of every security incident for 24 months after “the day on which the organization determines that the breach has occurred.” The records must be made available to the Commissioner and contain enough detail to allow the Commissioner to verify the organization’s compliance with applicable requirements.

Notification to the Commissioner must be in writing, and must include (to the extent known):

  • a description of the circumstances of the breach and the cause;
  • when the breach occurred;
  • a description of the affected personal information;
  • the number of affected individuals;
  • a description of the steps that the organization has taken to reduce the risk of harm to affected individuals or mitigate such harm;
  • a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach; and
  • the name and contact information of a person who can answer the Commissioner’s questions about the breach.

Notification to individuals may be made “in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances” and must include (to the extent known):

  • a description of the circumstances of the breach;
  • when the breach occurred;
  • a description of the affected personal information;
  • a description of the steps the organization has taken to reduce the risk of harm that could result;
  • a description of the steps affected individuals could take to reduce the risk of harm or to mitigate such harm; and
  • contact information that the affected individual can use to obtain further information about the breach.

Penalties for violating the Regulations may be significant: deliberate failures to report breaches or to notify individuals may be subject to fines of up to CA$100,000 per offense. With respect to individuals, each person not notified will constitute a separate offense. Not keeping proper records of breaches, or destroying such records, also would constitute an offense subject to the CA$100,000 fine.

Companies that maintain Canadian personal data should take this opportunity to revisit their incident response plans and, as appropriate, add or supplement provisions regarding the specific obligations relevant to breaches affecting Canadians. Canadian authorities have indicated that companies should consider voluntary notification prior to November 1, citing the fact that organizations have had years to prepare for the Regulations to take effect.