It could have been worse – Canada’s Breach Regulations

On September 2, 2017, the Ministry of Innovation, Science and Economic Development Canada (ISED) published draft Breach of Security Safeguard Regulations. These Regulations fill in some missing elements of Canada’s federal data breach law that was enacted as part of the Digital Privacy Act amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA).

For the most part, ISED came through with manageable requirements for organizations. Here’s my take on the good stuff:

  • The Regulations track the Alberta requirements. For the most part ISED has followed the Alberta requirements for the content of the regulatory reports and for individual notifications.
  • Organizations don’t need to speculate in writing about the “risk of harm” to individuals. The Alberta law that requires organizations to report to the Alberta Office of the Information and Privacy Commissioner (OIPC) whenever a “reasonable person” would consider there to be a “real risk of significant harm” from the loss of or unauthorized access to personal information. The OIPC then decides whether the organization must notify individuals by second guessing the organization’s real risk of significant harm analysis. This is a quirky feature of the Alberta law. Thankfully, that same quirk wasn’t carried over into PIPEDA. Perhaps as a result, the federal Regulations do not require organizations to engage in this speculative analysis in their reports to the OPC. Yay!
  • The Regulations contain some consumer-friendly enhancements to the individual notification requirements. Organizations must include a toll-free number or email address to ask questions about the incident. In addition, organizations must tell individuals about the organization’s internal complaints process and the right of affected individuals to complain to the OPC.
  • The Regulations provide for flexibility in terms of how organizations may notify affected individuals – email or other secure electronic methods (provided the individual has consented) or traditional means such as by a letter to the last known address, by phone or in person are all permitted. The Regulations also provide that indirect notification through posting on the organization’s website (conspicuously) for 90 days or more or by publishing advertisements that are likely to come to the attention of the individual are acceptable in some circumstances. Those circumstances include where the cost of direct notification would be prohibitive,  the organization doesn’t have current contact information, or direct notification could cause harm to the individual.
  • The record-keeping requirements are much less onerous than feared. Organizations are required to keep a record of every loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards. On its plain reading, this does not mean a record of every suspected or possible loss or unauthorized access or unauthorized disclosure. In terms of the content of the records, ISED has left that to the organization to decide provided that the records contain sufficient information for the OPC to assess whether the organization is meeting its obligations under the data breach provisions of PIPEDA. Records must be kept only for 2 years.

There is one area of major disappointment. ISED had an opportunity to short-circuit the long-running feud between the Canadian Commissioners who see the ghost of significant harm everywhere and organizations trying to apply the test of “real risk of significant harm” in a sensible way. The ISED could have decided, for example, that the unauthorized access to properly encrypted data did not create a real risk of significant harm. Frankly, the loss of a credit card number that has been reported to the card issuers hardly constitutes a risk of harm (once reported). Alas, the feud will continue unless the Commissioners take a more realistic approach.

The draft Regulations are subject to change, so check the final version! Read the draft here. There is a 30 day comment period. After that, ISED can either publish amended regulations or register the final version and specify a date on which they will come into force.