Breach Notification and Reporting Rules Inch Forward in Canada


The Current State of Data Breach Laws

Data breach notification laws require an entity that has been subject to a data breach to notify those affected about the breach and to take other steps to remedy injuries caused by the breach. Such laws have been enacted in most U.S. states since 2002, with California being the first. These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information. Meanwhile, Canada has trailed behind. Alberta is the only province with mandatory data breach reporting requirements for all private sector organizations. Under the Alberta Personal Information Protection Act (PIPA), the information and privacy commissioner determines whether individuals should be notified about a breach. Provincial health privacy laws in Ontario, New Brunswick, and Newfoundland and Labrador contain notification requirements for the healthcare sector when personal health information has been compromised. Recently, amendments to Ontario’s health privacy law (Bill 119) have been tabled that would further require health practitioners to report certain prescribed breaches to Ontario’s information and privacy commissioner.

The Digital Privacy Act

Rather than a piecemeal approach to breach notification and reporting, the breach-of-safeguards obligations introduced by the Digital Privacy Act provide a long-overdue Canadian framework. These obligations include:

  • Logging breaches of security safeguards;
  • Reporting a breach to the Office of the Privacy Commissioner of Canada (OPCC) if it is reasonable to believe that the breach creates a real risk of significant harm to an individual;
  • Notifying affected individuals about a breach that it is reasonable to believe creates a real risk of significant harm to the individual; and
  • Notifying third parties where appropriate if the third party could mitigate the risk of harm.

Consultation for regulations

The federal government commenced a consultation process on March 4th to seek input from Canadians on regulations that will cover record keeping requirements for the logging of breaches of security safeguards, the form and content of reports to the OPCC and of notifications to affected individuals, as well as other factors (if necessary, beyond those already specified in the law) relating to the determination of whether there is a “real risk” of significant harm.

The breach notification and reporting obligations will not come into force until these regulations are passed. The consultation paper often turns to the Alberta PIPA as well as the OPCC’s existing voluntary data breach reporting program that has been in place since 2007. Many of the consultation questions focus on the adequacy of these standards for the new regulations.

Consultation responses are due by May 31st. The government will then publish draft regulations for public comment. Thus, the final regulations likely won’t come into force until the end of 2016 or early 2017. It is important that organizations take the time to prepare their breach recording and response plans, using the Alberta model and the voluntary federal breach reporting guidance as the threshold for breach management best practice.

For assistance with your breach response plan, contact PRIVATECH.