Winter is coming: Preparing for Canada’s new mandatory federal data breach regulations

It’s fair to say that new breach-reporting requirements represent a sea change in how many organizations will manage their unauthorized disclosures of personal information.

Lisa R. Lifshitz

After years of waiting, the countdown is on.

 

As of Nov. 1, 2018, organizations subject to the federal Personal Information Protection and Electronic Documents Act that experience a data breach (referred to in PIPEDA as a “breach of security safeguards”) involving personal information will be required to: report the breach to the Privacy Commissioner of Canada if the breach poses a “real risk of significant harm” to individuals; notify the affected individuals; notify other third-party organizations and government institutions (or part of a government institution) of the data breach if the notifying organization concludes that such notification may reduce the risk of harm that could result from the breach; and keep robust records of all breaches.

 

It’s fair to say that these new breach-reporting requirements represent a sea change in how many organizations will manage their unauthorized disclosures of personal information. Judging from the countless conversations that I have had over the years with clients that preferred to keep unauthorized disclosures of personal information under wraps, there has been little appetite to report data breaches when such reporting was strictly voluntary. 

 

However, as the new mandatory breach notification requirements come with some sticks — once in force, any organization that knowingly fails to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fails to maintain a record of all such breaches, faces fines of up to $100,000 per violation — there is no time like the present for smart companies to review their current practices and establish those critical safeguards or methodologies to avoid these penalties.

 

Before giving in to panic, the following are five common-sense actions all organizations should be taking to prepare for mandatory reporting of breaches of security safeguards.

 

Ensure that you have a privacy officer and give them something to do  

 

By now (and as required under PIPEDA) every organization should have a privacy officer whose role is to be the first point of contact in the organization when privacy issues arise.

 

Typically, a privacy officer is responsible for: conducting privacy audits and self-assessments; taking the lead on developing a privacy policy or incident plan (see below), implementing it and maintaining its currency; managing internal privacy training; responding to requests for access to and correction of personal information; and working with the OPC and other regulators in the event of an investigation or data breach.

 

However, this is just the tip of the iceberg. Today’s privacy officers also liaise with their internal and external IT cyber-experts to conduct proactive risk and vulnerability assessments and penetration tests within their organizations to ensure that threats to privacy are identified, conduct privacy and security training and awareness programs, and often hold senior management positions given their important risk mitigation or compliance functions.

 

Regrettably, some organizations have not fully bought into the importance of this role and instead of tasking someone (with authority) to take on this critical function, they have merely added the job title of privacy officer to the existing HR manager or CIO without giving them the additional support, training, resources and power to successfully navigate these important issues within the organization. 

 

That is a big mistake. If your organization doesn’t have a privacy officer, now is the time to hire one. If you do have a privacy officer, they should be actively preparing for the post-Nov. 1 world, as will be further discussed in this article.

 

At a minimum, they should be tasked with the job of familiarizing themselves with the OPC’s breach report requirements and those related to notifying individuals and third-party organizations, and keeping detailed records of every breach of security safeguards for a minimum of 24 months after the day on which the organization determines that the breach has occurred.

 

Create a breach response plan now 

 

As the old Scouts Canada and Girl Guides of Canada motto says, “Be prepared.” 

 

Every organization should have in place a basic breach response plan to ensure that when a breach of security safeguards occurs (not if), the organization has a general idea of the process by which it will deal with the breach in an orderly fashion to minimize compounding the harm (forestalling someone in the impacted organization from posting about it on social media, for example).

 

The plan should set out, at a minimum: the individuals (or titles of individuals) from various departments of your organization that have a role in handling breaches of security safeguards (the privacy officer, CIO, potentially HR if past or present employees and contractors are involved, marketing, internal legal counsel); the process for identifying, confirming and containing the breach; risk assessment criteria to determine if a real risk of significant harm has occurred and the process to comply with any necessary notification steps that follow; external parties who should be involved (outside legal counsel, cybersecurity experts and forensic investigators); an internal and external communication strategy; and risk-mitigation efforts, apart from notification, to reduce harm to individuals and to prevent a similar event occurring in the future.

 

The act of creating the plan may also expose privacy and security weaknesses in your organization that require further action, for example, the role of the chief privacy officer in the corporate hierarchy, a need for additional IT resources and additional employee training. Vendors and service providers should also have these plans in place so that they can advise their clients of such breaches quickly and professionally and not exacerbate their liability through chaotic, insufficient and haphazard breach notification efforts.

 

All breach response plans should be revisited at least annually and updated periodically to reflect evolving technologies and circumstances, changes in personnel, organization structures and job titles.

 

Vet your contracts and ask your vendors questions

 

Arguably, the days of relying on the sufficiency of a statement in a contract that requires a vendor or service provider to comply with all applicable laws are over.

 

Today, any legal agreement that involves the access, use, disclosure, processing and destruction of personal information should have robust privacy language that sets out in detail the requirements for the protection of such personal information as well as very specific language regarding the timely reporting of actual or suspected security or data breaches.

 

While such language is commonplace in more sophisticated technology contracts, virtually every contract that an organization signs that touches personal information, including advertising or marketing agreements, staffing contracts, pension arrangements, even agreements for cleaning services, should include requisite language that requires vendors to, at a minimum: notify the organization of actual or suspected breaches as soon as feasible or within a very tight time frame and immediately take all necessary measures to investigate and mitigate such breach and prevent further breaches; assist with any internal investigations by the customer of data/security breaches and/or those of regulators at the vendor’s cost; and fully cooperate with the organization in connection with any investigations, audits or information requests (including requests for detailed reports) that may be made in connection with the data or security breaches with a view to determining the reasons for such data/security breach and preventing its future occurrence. All such requirements should be flowed down to all key vendor subcontractors or sub-processors.

 

If your standard agreements are insufficient and fail to adequately deal with these new requirements, now is the time to remedy them. If your larger vendor contracts do not contain adequate privacy or security language, press your vendors to sign additional privacy addendums or advise them that you may be thinking of taking your business elsewhere in the near future. Start the due diligence process now and look for new vendors that take their privacy and data security responsibilities seriously and are willing to say so in their legal agreements.

 

Clean up your own data house

 

As has been discovered by some Canadian companies that have recently been asked to agree to GDPR-inspired data processing addenda, some organizations do not have a good understanding of the kinds of personal information that they collect and how and when they collect it. 

 

It is more difficult to protect personal information internally and externally when there is general confusion regarding the types of data held, how and why it is used and who has access to it. Organizations also have the regrettable habit of retaining data that they have collected forever, especially sensitive consumer data, with no standard data retention and destruction policies in place, in explicit contravention of PIPEDA.

 

Accordingly, organizations should map their data (especially personal information) to see where it resides within the company and externally, to determine whether certain personal information should still be retained or can be securely deleted and how to best protect the data that must be retained in order to limit the amount of data that may be subject to a breach of security safeguards. 

 

Another internal vulnerability is the failure of some organizations to establish sufficient access controls or identity-management protocols regarding access to personal information. While it may be easier, for example, to give a large number of employees in an organization broad rights to access any personal data held by the company rather than to limit access to those critical need-to-know employees, this is terrible cybersecurity practice. Access to personal information within organizations should be limited to what employees (and especially contractors) need to know (particularly when this information is sensitive) to limit the possibility that they become the cause of a breach.

 

The number of privileged users should especially be restricted. Companies should review their internal access protocols to ensure that these and other security procedures are being followed. All managers, systems administrators and users of organizational information systems should be made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of the organization’s information systems (and if there are currently no such policies, standards or procedures, now is the perfect time to begin the process of creating them).

 

Organizations must ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.   

 

Keep your experts on speed dial

 

Dealing with any data breach is time consuming, frustrating and stressful at best for all involved. It’s time to line up your trusted friends and advisors to help you navigate the perils before the breach occurs. Take a moment now to identify prospective cybersecurity experts, credit-monitoring service providers, backup storage providers (think ransomware), legal experts and anyone else that you think can help you deal with breaches of security safeguards. 

 

Consider putting any necessary contracts in place with such third parties, as it’s much better to have these conversations with providers before these incidents occur than to begin issuing RFPs in the middle of a breach when the clock is ticking and your organization is supposed to be advising the OPC and impacted individuals as “soon as feasible.”

 

Undergoing a breach of security safeguards is almost inevitable for most organizations, but the best defence is being prepared, and taking proactive steps can assist in making the reporting and mitigation process less difficult. The advent of the new federal mandatory breach of security safeguards notification requirements has presented Canadian organizations with the opportunity to ask these difficult internal questions, engage in some necessary privacy clean-up activities and avoid the business-as-usual mentality.