As of November 1, 2018, organizations subject to Canadian privacy law must comply with important new rules in relation to privacy breaches.
In this article, we provide six key considerations for organizations seeking to comply with the new rules and to mitigate the risk of civil and criminal liability associated with a failure to comply.
Identify the range of rules that may apply in a privacy breach
The new rules in the Personal Information Protection and Electronic Documents Act (PIPEDA) will be directly applicable to most private sector organizations operating in Canada. However, questions remain about the extent to which the PIPEDA rules will be applicable in British Columbia, Alberta and Quebec, which have enacted privacy laws that apply within those provinces and supplant the application of PIPEDA in many cases. In addition, foreign breach notification rules (e.g., the General Data Protection Regulation and US state laws) and industry-specific notification rules may be applicable in some cases. In approaching compliance with the new rules under PIPEDA, it is important that organizations understand the full range of rules that may be applicable to their operations, as well as the ways in which each set of rules may impose different notification, reporting and record-keeping requirements.
Assess breach detection capabilities
Proactive auditing and detection measures have previously been encouraged by the Commissioner as part of the safeguarding obligation under PIPEDA. In order to ensure that potential privacy breaches will be identified for appropriate action under the new rules in PIPEDA, organizations should assess and update their incident detection capabilities as needed. In addition to the use of data loss prevention tools and related technical measures to prevent and flag potential breaches, organizations should consider how audits and detailed privacy training programs can help identify privacy breaches. Privacy training programs should be reviewed and updated to educate employees about breach scenarios, their responsibilities, and the importance of the new rules.
Update incident response plans
Organizations should update their incident response plans to help ensure effective incident response and compliance with the new rules. For example, incident response plans should provide a clear roadmap for employees to escalate privacy incidents in a predetermined manner so that designated decision makers can address any necessary actions under PIPEDA. This roadmap should include appropriate communication protocols and rules to protect legal privilege. Organizations should also consider updating incident response plans to (i) reflect a breach record-keeping strategy and relevant insurance considerations, highlighted below, and (ii) identify the types of organizations (e.g. law enforcement, financial institutions) that may need to be notified under the new PIPEDA rules depending on the nature of the breach.
Implement a breach record-keeping strategy
Pursuant to the new rules, organizations are required to retain a record of every privacy breach, no matter how benign or insignificant the breach may appear and irrespective of whether individuals are notified. The breach record must contain sufficient information to enable the Commissioner to verify compliance with the breach notification and reporting requirements in PIPEDA. The content of the breach record is of particular significance in respect of breaches that do not lead to notification because the organization will need to explain in the record why notice was not given.
Organizations should adopt a considered approach to breach record-keeping, bearing in mind privilege, business objectives and the limits of the obligation under PIPEDA. For example, breach records should be prepared by legal counsel, or with the advice of legal counsel. Any drafts of a breach record should be marked "Privileged and Confidential" and submitted to legal counsel for advice about whether the requirements of PIPEDA have been met before the record is finalized. In addition, although there may be contractual or other purposes for keeping breach records, organizations should consider whether to maintain PIPEDA breach records in a standalone file and, as appropriate, refrain from creating such records in respect of the following:
- suspected or potential breaches (i.e. breaches that have not been determined to have occurred);
- information that is not under the organization's control (e.g. information that is processed as a service provider for another organization);
- breaches affecting employee personal information if the organization is not a federal work, undertaking or business under PIPEDA; and
- information or activities that are not subject to PIPEDA (e.g. non-commercial activities or non-personal information).
PIPEDA breach records must be kept for 24 months after a breach is determined to have occurred. Each breach record should clearly indicate the date the breach was determined to have occurred and the date on which the record may be destroyed, subject to whether the record must be retained for a litigation hold or other purpose. PIPEDA breach records should be securely retained and not disclosed or produced for any purpose, subject to the advice of legal counsel. Legal advice should be obtained in respect of any requests for disclosure or production of a PIPEDA breach record for any purpose.
Review service provider relationships
Where an organization engages a service provider to process personal information on its behalf, that organization remains accountable under PIPEDA and is considered to remain in control of the information. Since the new PIPEDA rules apply to the organization with "control" of personal information that is breached, that organization should consider the full range of contractual and other measures necessary to manage risk and compliance arising out of service provider breaches.
Contractual measures may include provisions requiring the service provider to notify the organization of all suspected breaches, to cooperate with the organization and share information to investigate such breaches, and to provide the organization with all information necessary for it to meet its notification, reporting and record-keeping obligations. While these are not new considerations, the introduction of mandatory breach notification and record-keeping requirements under PIPEDA heightens the need to scrutinize service provider relationships to ensure that they contain the full range of necessary protections.
Understand insurance coverage and requirements
In recent years, organizations in Canada and abroad have increasingly turned to cyber insurance to transfer the potentially staggering costs and liability that can be associated with privacy breaches. The introduction of mandatory breach notification and record-keeping in Canada is expected to exacerbate such risks and further drive the evolution of the cyber insurance market. Organizations should ensure that they clearly understand the scope of coverage under their insurance policies in the context of a breach. For example, in responding to an incident and meeting the new requirements under PIPEDA, organizations will often incur costs to engage forensics experts and to obtain legal advice about what the new PIPEDA rules require in a given case. Requirements to notify insurers, the limitations of the coverage, and any requirements to obtain insurer consent prior to notifying individuals, offering credit monitoring to individuals, or taking other steps should be identified and mapped out as part of an incident response plan so that no relevant insurance considerations are overlooked in the heat of a crisis.
The coming into force of mandatory breach notification, reporting and record-keeping under PIPEDA is widely expected to have a dramatic impact on the privacy compliance and risk landscape in Canada. In this article, we have sought to highlight six key practical steps that organizations should consider in meeting their obligations under the new rules in PIPEDA to help mitigate such risks. In addition to reviewing the PIPEDA provisions and regulations in respect of privacy breaches, organizations should review the final privacy breach guidance to be issued by the Commissioner and gain a deeper understanding of the range of domestic and international rules that may be applicable to them in the event of a data breach.