The new regulations go into effect on November 1, 2018.
Organizations that suffer a data breach will be required to:
- Determine whether the breach poses a real risk of significant harm to those whose information was involved. These could be individuals or other organizations. A risk assessment of the information stolen or released must consider the sensitivity of the information involved and the probability that the information will be misused.
- Notify the affected individuals and file a report with the Privacy Commissioner of Canada as soon as reasonably possible if the risk assessment has determined there is a real risk of significant harm.
- Notify other organizations that may be able to mitigate the risk to those affected individuals.
- Maintain a record of any data breach that you become aware of, as the Privacy Commissioner can request these records at any time.
How to Determine Risk of Harm
The label of “significant harm” is very broad in scope. It includes many different risks such as bodily injury, financial risks and losses, identity theft, credit rating implications, defamation or reputational damage, and loss of income.
There are many contingent losses which can arise out of these risks, for example a change in home insurance premium due to a deterioration of credit rating, or loss of employment due to reputational harm.
To effectively assess the real risk of significant harm, your business can develop a framework or system based on a number of characteristics and factors. This will also provide consistency in your evaluation, which is important to be able to demonstrate to the Privacy Commissioner.
For guidance on what counts as sensitive information, we can look at Principle 4.3.4 of PIPEDA, which states:
“Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.”
As your business assesses the potential risk of harm after a data breach, you must also evaluate the probability that the information could be misused.
Your evaluation should ask the following questions of the information released to determine the potential for misuse:
What happened and how likely is it that someone would be harmed by the breach?
This question must be asked of the information contained in the breach as well as the circumstances of the breach. The harm from some information, such as credit card information, is more obvious than from other kinds.
Is there evidence of malicious intent such as theft or hacking?
Presumably, if the data breach suggests a high degree of effort or intent on the part of the offender, they would have a much greater desire to obtain and misuse sensitive information.
What is the scope or depth of the personal information obtained?
Whether the offender has taken multiple points of information (name, address, email, and date of birth) or just one item affects the likely intent to misuse that information.
Was the information obtained by a known individual who has committed to destroying the information?
A data breach can occur through accidental disclosure to an unintended party, for example by typing in the wrong email address. Even though this was not a malicious breach, it is still a breach and proper procedure must be followed.
The Notification Process to the Privacy Commissioner
The new regulations list specific categories of information which must be included in your report to the Privacy Commissioner:
- A detailed description of the circumstances of the breach.
- The date and time the breach occurred.
- A description of the personal information exposed in the breach.
- The number of affected parties.
- Steps your organization has taken to reduce the harm which could result from the breach.
- Steps taken to notify individuals.
- The name and contact information of your appointed person who is available to answer the Privacy Commissioner’s questions.
The Notification Process to Affected Parties
This list of notification information can be supplemented by any other information you deem relevant, but it must include the following:
- The details of the circumstances of the breach.
- The date and time of the breach.
- Description of the personal information contained in the breach.
- The steps you have taken to reduce the risk of harm to the affected parties resulting from the breach, or to otherwise mitigate their risk.
- The best steps the individual can take to reduce their risk of harm resulting from the breach.
- Contact information that the affected party can use to receive additional information about the data breach.
What else is required?
In addition to notifying the impacted parties, your organization must maintain data breach records. These records must demonstrate that your organization is tracking data security incidents that have resulted in a breach of personal or sensitive information.
This is a new requirement which puts a lot of pressure on your business or organization. There is no minimum threshold: the record must be kept no matter how significant the breach is or what data it contained.
Your data breach records must be maintained and stored for a minimum of 24 months after the date the breach was discovered.
Bottom Line
In reality, this is a broad regulation update which can impact any business. No matter the size or nature of your business, you could be affected.
Notification can be a costly exercise. Luckily, the cost of notification can be covered by your cyber insurance policy.
Contact us today to discuss your cyber insurance solutions.