What you need to know about mandatory reporting of breaches of security safeguards

All business owners should be aware that, starting 1 November 2018, they have new reporting obligations regarding security breaches involving personal information.

All businesses are subject to The Personal Information Protection and Electronic Documents Act (PIPEDA) and this Act now requires them to:

1. report any breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals to the Privacy Commissioner of Canada,
2. notify those individuals affected by the breaches, and
3. keep records of all breaches.

You are only required to report a breach if it is reasonable to believe that the breach creates a risk of significant harm to an individual.  What is considered “significant harm” covers a wide range of things, from bodily harm to negatively affecting someone’s credit record.

The obligation to report the breach is that of the organization in control of the personal information.  What is considered “control” is not defined in the Act, however, the Office of the Privacy Commissioner of Canada (OPC) notes that PIPEDA’s accountability principle provides that an organization remains responsible for any personal information that it has transferred to a third party for processing.  Therefore, even if a breach happens when the information is in the hands of a third party, the principal organization will still be responsible for reporting it.

PIPEDA requires that you keep and maintain a record of every breach of security safeguards involving personal information, whether or not it goes reported. These records should include:

• The date (or estimated date) of the breach
• A general description of the breach
• The nature of the information involved in the breach
• Whether or not the breach was reported.

Along with submitting a breach report to the OPC, organizations are also responsible for notifying any individual to whom the security breach poses a real risk of significant harm. This notification must be made as soon as possible, and must clearly explain the significance of the breach and provide enough information for the individual to be able to take steps to mitigate possible harm. Furthermore, the organization must also notify any government institutions that it believes could reduce the risk of harm resulting from the breach.  For example, you should notify law enforcement if you believe ‘bad actors’ have accessed your customers’ information.

Lastly, it is important that organizations develop a framework for assessing the real risk of significant harm.   The OPC suggests a two-pronged assessment that considers (1) the sensitivity of the information involved in the breach, and (2) the probability that the information has been or will be misused.

At Sotos LLP, we advise businesses on all aspects of privacy law and best processes for statutory compliance.