Last week, I participated in a lively LexisNexis Canada webinar on “How to Handle a Data Breach Like a Pro.” The webinar is free and archived for you to view. Last Wednesday, I posted the first 3 of 10 Pro Tips from the webinar. Here are the next 3. Stay tuned next week for the final 4. I’m also putting together responses to questions we weren’t able to address during the webinar. If you have any questions you’d like to pose about the new Canadian requirements, let me know, and I will add them.
Pro Tip #4: Integrate the new breach record keeping requirements into your breach response protocol
The Personal Information Protection and Electronic Documents Act (PIPEDA) now requires organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control. Organizations must provide the Office of the Privacy Commissioner of Canada (OPC) with access to, or a copy of, the record on request. The OPC does not need to have commenced an investigation in order to ask for the record. Therefore, the OPC can (and likely will) conduct sweeps or targeted requests to check that organizations are complying.
There are a few important things to remember when creating the breach record. First, the record keeping obligation applies to all breaches of security safeguards, even where the threshold for reporting the breach to the OPC and notifying individuals has not been met. We discussed the meaning of a breach of security safeguards in the webinar.
Second, you will want to make sure that your breach record contains the necessary information to establish your compliance with the breach reporting and notification requirements of PIPEDA. Here is what the OPC says it expects:
As a starting point, we would expect at minimum a record to include:
- date or estimated date of the breach;
- general description of the circumstances of the breach;
- nature of information involved in the breach; and
- whether or not the breach was reported to the Privacy Commissioner of Canada/individuals were notified.
The record should also contain sufficient details for the OPC to assess whether an organization has correctly applied the real risk of significant harm standard and otherwise met its obligations to report and notify in respect of breaches that pose a real risk of significant harm. This could include a brief explanation of why the organization determined there was not a real risk of significant harm in cases where the organization did not report the breach to the Privacy Commissioner and notify individuals.
Finally, failing to comply with this provision is both a breach of PIPEDA and an offence. Although the OPC does not have the power to levy fines, it could issue a report of findings publicly naming the organization and refer the matter for prosecution. Potential fines for organizations are up to $100,000.
Pro Tip #5: Consider how you will manage privilege when creating breach records
Organizations should consider how to preserve privilege when creating breach records. The OPC would have liked the record to include information about all of the relevant security safeguards that were in place and a detailed analysis of the risk of harm, but the government did not accept the OPC’s position. So, organizations should consider carefully whether it is in their interest to put all of these details in the breach record. Not only will the breach record be given to the OPC, it might also become producible in litigation (the courts have not yet determined this last point).
Generally, organizations may wish to consider keeping privileged files in which the organization’s in-house or external legal advisors conduct the real risk of significant harm analysis and look at the broader context in which the breach occurred, in order to consider the organization’s duties and potential liabilities. The breach record itself should generally contain only the essential details that meet the legal requirements for breach record keeping.
Pro Tip #6: Make sure your service providers are part of your record keeping plans
There was initial concern that the OPC believed that all service providers had to independently report breaches that met the threshold for a real risk of significant harm. However, the OPC ultimately concluded that service providers that solely process data for the purposes of providing services to another company (the “principal organization”) do not have to make such a report to the OPC.
This is great news. However, the OPC reminded all organizations that use service providers that they remain fully accountable for complying with the PIPEDA provisions.
Therefore, the principal organization must ensure that it receives timely reports of breaches of security safeguards, keeps records, and makes the required reports and notifications. As we discussed in the webinar, this means thinking through in advance how breach records will be developed, who will maintain them, what information must be made available, what cooperation the service provider will give if there is an investigation, and who is going to pay for this! Remember, it will be an offence for the outsourcing party to fail to comply. Explaining that your service provider wanted to be paid, or that it failed to keep the records, might not fly with the OPC if there is an investigation.
So, a Pro isn’t going to wait until the breach happens to review supplier contracts to get proper cooperation provisions and procedures in place.
Check back next week for the last 4 Pro Tips.