Canada’s federal data breach reporting law has been in force for almost 6 months. Do the major multi-national cloud infrastructure as a service firms contractually commit to help their Canadian customers comply with data breach reporting obligations? Or, do they leave their customers to fend for themselves?
The answer might surprise you. What’s clear is that not all cloud providers are equal in terms of offering off-the-shelf compliant contractual terms.
Canadian data breach obligations
The first thing to remember when considering data breach provisions in cloud contracts is that there are several different formulations of data breach obligations in Canadian private sector and health sector privacy laws. In this post, I will focus only on the Personal Information Protection and Electronic Documents Act (PIPEDA). However, readers should be aware that there are slight (but important) differences with the breach reporting provision in the Alberta Personal Information Protection Act and that the breach reporting provisions in health privacy laws tend to be much broader. I’ve used PIPEDA as the litmus test because if the contract doesn’t permit you to comply with PIPEDA it is unlikely to work for you under other Canadian data breach laws.
PIPEDA requires that an organization keep and maintain a record of every breach of security safeguards involving personal information under its control. These records must be kept for at least 2 years from the date the breach of security safeguards was discovered. The term “control” is not defined. However, it is generally accepted that information is under an organization’s control if the organization decides what information will be collected and how it will be used and disclosed. In the context of cloud computing agreements, the cloud provider will usually expressly disclaim that it is in control of customer content that is uploaded to the services. So, if the customer is in control, then the customer must maintain a record of each breach of security safeguards (or have the service provider do so on its behalf) if the customer is going to be able to comply with this requirement.
An organization must also notify the Privacy Commissioner of Canada and the affected individual if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. In order to make that determination, an organization must consider a number of factors, including the probability that the personal information has been, is being or will be misused. This will require the organization to have information about the circumstances of the breach, including whether there is evidence of criminal activity. In the case of a breach by a cloud service provider that affects multiple clients, it may be relevant whether there is evidence of criminal activity affecting another client.
If a report to the Privacy Commissioner is required, the organization must include certain mandatory information. For the purposes of this post, the information that is relevant is: (a) the circumstances of the breach and its cause; (b) the date or duration of the breach; (c) the information that was the subject of the breach; (d) the number of individuals affected by the breach; and (e) steps taken to mitigate harm.
How do the contracts stack up?
In preparing a quick spot check on some of the major cloud infrastructure as a service providers, I reviewed the following cloud “click through” services agreements:
- AWS Customer Agreement, November 1, 2018 https://aws.amazon.com/agreement/ & AWS Privacy Notice, December 10, 2018 https://aws.amazon.com/privacy/
- Google Platform Terms of Services, November 2, 2018 https://cloud.google.com/terms/ and Google Data Processing and Security Terms https://cloud.google.com/terms/data-processing-terms
- IBM Cloud Services Agreement, v. 9 https://www.ibm.com/support/customer/csol/contractexplorer/cloud/csa/ca-en/9
- Microsoft Online Service Terms, April 1, 2019 https://www.microsoft.com/en-us/licensing/product-licensing/products
As you will see from the table below, not all click-through customer agreements are equal. There is a clear division of approach. Google and Microsoft expressly agree to notify customers and to provide customers with information about the data breach. By contrast AWS and IBM are silent. The silence of AWS and IBM is interesting given that each have a GDPR Data Processing Addendum that would cover breaches of data under the GDPR.
The fact that a provider does not have data breach commitments does not mean that the providers would not, in practice, notify their customers. Cloud service providers are not in the business of putting their customers in legal jeopardy. However, any organization seeking to demonstrate that it has fulfilled the accountability principle in PIPEDA should pause to consider the implications of not having contractual provisions relating to data breach when these terms are available by some providers in the market.
The most important lesson is – BEWARE of the click-through.