IF YOU OR YOUR organization have been procrastinating on implementing best-practice data breach policies and procedures, you have a deadline coming up: November 1, 2018. That is the date the new federal rules on mandatory data breach reporting come into force in Canada. It is an important milestone, and you need to be ready.
A brief recap of the legislative history is in order. Canada's federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), has been fully in effect since 2004. PIPEDA sets out a fairly comprehensive regime governing how organizations may collect, use, disclose and safeguard the personal information of customers, employees and others. In June 2015 the Digital Privacy Act (DPA) amended PIPEDA in several respects, including by requiring organizations that experience certain breaches of security safeguards to report them to the Office of the Privacy Commissioner of Canada (OPC) and to notify the individuals affected. The coming into force of these breach provisions, however, was deferred to allow Canadian organizations time to prepare for them.
In September 2017 the draft regulations for the breach notification regime were published for comment. In March 2018 an order in council fixed November 1, 2018 as the day the breach notification sections of the DPA would come into force, and on April 18, 2018 the final Breach of Security Safeguards Regulations were published.
What the new law means is that, as of November 1, 2018, an organization that experiences a breach of security safeguards involving personal information under its control must determine whether the breach creates a real risk of significant harm to any individual and, if it does, must follow a strict protocol: report to the OPC, notify the affected individuals, and notify any other organization or government institution that may be able to reduce the risk of harm.
The initial risk assessment must establish precisely what happened; which data sets were accessed or taken; what could be done with that data; and whether anything is known about the perpetrators and their behaviour in prior incidents.
This sounds simple, but in the data breach litigation defence work that we have been involved in to date, this initial step has often proved difficult. Digital forensic investigators have to be called in, and if the attackers have done a good job of covering their tracks it can be fiendishly hard to establish what happened, when, and who was responsible.
Once you know what happened, you must wrestle with what can be a tougher question: what harm has the breach done, and what potential harm remains? This is of critical importance, because under the new law only breaches that pose a real risk of significant harm to an individual must be reported by the organization that holds the data. The Regulations add nothing on this all-important question. The Act itself offers only a non-exhaustive definition of "significant harm" (it includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property) and two factors for judging whether the risk is "real": the sensitivity of the personal information involved, and the probability that it has been or will be misused.
We do have some guidance from the OPC on applying those factors, however. The following questions should be asked: how sensitive is the information? For example, is it medical information, financial or payment information, or a government identifier such as a social insurance number? And how likely is it that the information that was taken will be misused?
Who to Notify and What to Say
If you conclude that there is a real risk of significant harm, you must report the breach to the OPC and notify the affected individuals, in both cases as soon as feasible after you determine that the breach has occurred. Here is what the report to the OPC must cover: the circumstances of the breach and, if known, its cause; the day on which, or period during which, it occurred; the types of personal information involved; the number of individuals affected, or an estimate, and the risk of significant harm they face; the steps you have taken to reduce the risk of harm to them or to mitigate it; and the steps you have taken or intend to take to notify them.
You must also provide the name and contact information of the person who will liaise with the federal Privacy Commissioner's office and answer its questions.
As for notifying the individuals whose personal information has been compromised, here is what that notice must contain: the circumstances of the breach; when it occurred (the day or period, or the approximate period if neither is known); the personal information that was compromised; the steps you are taking to reduce the risk of harm to the affected individuals or to mitigate it; the steps those individuals can themselves take to reduce the risk of harm; contact information (an email address, a toll-free number, etc.) through which they can obtain further information about the breach; and, as the author notes, the individual's ability to bring a complaint about your organization to the OPC under PIPEDA.
The statutory standard for this notice is that it must contain sufficient information to allow the individual to understand the significance of the breach and to take steps, if any are possible, to reduce or mitigate the resulting harm. A notice that buries the relevant facts in boilerplate fails that test.
The new rules also require you to keep a record of every breach of security safeguards, including those that do not meet the real-risk threshold and so trigger none of the notifications discussed above. This record-keeping obligation is not trivial. Each record must contain enough information to allow the OPC to verify that you complied with the reporting and notification requirements, and the OPC may require you to produce these records. In other words, your paper and electronic trail must show that you assessed each breach and reported to the OPC and notified the relevant individuals as required. Seemingly simple, this is quite challenging in the real world. Finally, you must retain these records for 24 months after the day you determine that the breach occurred.
As you navigate the new record-keeping requirements, remain mindful of privilege. How you structure your relationship with outside legal counsel, and how the non-legal managers in your organization communicate with your in-house legal colleagues, will determine what remains privileged. A new statutory record-keeping obligation does not mean you should waive privilege where it is appropriate to maintain it; the record the statute requires and the privileged legal analysis of the incident can and should be kept distinct.
An Up-To-Date Data Breach Policy
Once you have reviewed the issues discussed above and determined what needs to be done in your organization under the new rules, update your written data breach policy accordingly. If you do not yet have a formal, written policy, now is the time to prepare one, given that the firm compliance date of November 1, 2018 is fast approaching.
A number of important items should be covered by the policy. It should be clear, for example, who is on the data breach response team and who decides whether the real-risk threshold has been met. Your insurance policy may also provide that you may use only an external law firm or forensic provider pre-approved by the insurer; this is the sort of matter you want settled and ready to go, because when a breach occurs, time will be of the essence.
Moreover, don’t forget to test your data breach plan; if you haven’t tested it in six months, assume you don’t really have a plan. I can’t emphasize enough how important it is that your organization test the data breach plan in advance; ideally the test will take place on an early weekend morning, when you and your response team least expect it. Computer hackers have a nasty habit of operating at all hours, and not simply when it’s most convenient for you.
As well, your test conditions should be as realistic as possible; you’ll want to simulate a “real world” set of conditions, including the very tight timelines of the new data breach reporting obligations. Remember, practice alone does not make perfect, but rather, “perfect practice makes perfect.”
Cyber Risk Insurance Review
While you are considering what updates and fine-tuning your data breach policy needs, you should also review your organization's insurance coverage in light of the specific data breach threats it faces and the security controls it has in place against them. This is generally called assessing "cyber risk."
And if your organization does not have a cyber-risk insurance policy, now is certainly the time to consider your options. The insurance market has made great strides in the past half-dozen years in bringing to market various offerings in this space. And while you should be careful not to be over-insured, it certainly is a bad idea to be underinsured.
It is important, in this regard, to understand thoroughly your first-party losses: the costs, expenses and damages that would land on your own shoulders, such as forensic investigation, notification and remediation. But you also need to understand your third-party liability: the claims that could be brought against you by customers, or by partners in your supply chain, if you were compromised and their data or operations were affected.
Essentially, if you acquired a cyber-risk policy several years ago, now is an optimal time to review that coverage with your insurance broker. Just in the last couple of years some new products have come to market, and at different price points than previously. Particularly if you are in the midst of updating your data breach policy, you will be in a good position to understand your up-to-date risk profile, and to articulate what changes make sense to your cyber-risk insurance coverage.
George Takach is a senior partner at McCarthy Tétrault LLP and the author of Computer Law.