If you have logged on to LinkedIn, Twitter, or a digital news platform sometime in the past month, there is a good chance you have glimpsed a headline or ten about the GDPR.
It is certainly a consequential piece of legislation. Its vast extraterritorial reach has firmly inserted the topic of data protection into boardroom discussions and shareholder meetings around the world.
But the EU’s codification of privacy concerns in the digital age should not cause businesses to forget their own jurisdiction’s cyber security laws – many independent nations have enacted federal standards and regulations.
So what about Canada?
The Federal Government has recently decided that the days of playing cyber security catch-up with the rest of the developed world are over. Here is a quick run-down of what the Feds have been up to in the cyber security realm this year:
- February 27, 2018: The Federal Budget is released, and includes an allocation of approximately $507.7M over the next five years to support Canada’s new National Cyber Security Strategy, including a national cybercrime centre and coordination unit.
- March 26, 2018: By Order in Council, the long-anticipated Digital Privacy Act (formerly Bill S-4) amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) are fixed to come into force as of November 1, 2018.
- April 18, 2018: The Government issues a press release confirming the PIPEDA amendments and the Government’s commitment to “balancing technological innovation and a strong economy with Canadians’ peace of mind […]”
The amendments created by the Digital Privacy Act are set out in Division 1.1 of PIPEDA. Key takeaways are:
- Organizations are to report a breach to the Office of the Privacy Commissioner of Canada and inform impacted individuals if it would be reasonable in the circumstances to believe that the breach poses a “real risk of significant harm” to affected individuals.
- “Breach of security safeguards” means the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards (such as physical, organizational and technological measures). Physical measures include things like locked filing cabinets, while technological measures can include the use of passwords and encryption.
- “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft, negative effects on the credit record and damage to or loss of property.
- Whether a breach poses a real risk of significant harm depends on the sensitivity of the information involved and the likelihood that the information has been or may be misused.
- Once an organization has become aware that a breach will pose a real risk of significant harm, it must notify affected individuals and report to the Commissioner “as soon as feasible.”
- The organization must also inform any other organization that may be able to reduce the harm to impacted individuals.
- Organizations must maintain a record of any data breach that the organization becomes aware of and provide it to the Commissioner upon request. The Commissioner may also audit organizations so long as there are reasonable grounds to believe the organization has contravened a provision of the Act.
Reporting of breaches will be voluntary until the above amendments come into effect on November 1st. Once the amendments do come into force, there are several provisions that the courts will likely be tasked with refining.
For instance, the “real risk of significant harm” standard seems to give businesses a small degree of control over whether a given cyber incident actually constitutes a reportable breach, or something that can be dealt with internally and swept under the rug. This is likely an illusion, but it will be tempting for some companies to take the latter option to avoid the reputational risk of notifying all affected individuals.
Once a company does decide to report a breach, does it give up all of its decision-making power? The Office of the Privacy Commissioner recommends that the company contact its insurer and/or credit institutions whose assistance may be necessary for mitigating the harm. Does the affected company have the right to hire an IT response team and PR consultant prior to notifying its insurer, or is that decision properly one for the insurer to make? As cyber insurance policies enter the Canadian corporate mainstream, the answer will likely be clarified through contractual wording.
Another apparent grey zone created by the amendments is the timing of breach notification. The imprecise “as soon as feasible” reporting standard is somewhat similar to the GDPR’s “without undue delay” wording. But the GDPR goes on to clarify that the notification should ordinarily be given within 72 hours where feasible. PIPEDA makes no reference to any concrete timeline.
Creating digital privacy legislation was never going to be easy, but since the days of the Dot Com bubble, most of the developed world has given it a shot nonetheless. With the enactment of the Digital Privacy Act, Canada joins the parade.
For more on the interplay between cyber security and insurance law, be sure to check out Schultz Frost’s inaugural issue of Percipience.
Thank you to Adrita Shah Noor, Student-at-Law, for her contribution to this blog post.