Next week the PIPEDA Breach of Security Safeguards Regulations come into force on November 1st. The Federal Commissioner issued guidelines for compliance that are likely to remain unaltered, for the most part. We may see the Breach Report Form embedded in the guidelines become a stand-alone form that organizations governed by PIPEDA can securely submit on-line, similar to what is provided by the Alberta Commissioner to support mandatory reporting under the Alberta PIPA.
Given the extensive work I do with small and medium-sized businesses, it is clear to me that many are just not ready for our new reporting era in Canada. It is critical that employees understand what exactly a data breach is so they can gather the necessary key information and escalate the issue promptly. This will facilitate the discussions that senior management must have, with the support of legal counsel, to assess whether the breach meets the legal threshold for reporting – i.e. whether the breach poses a ‘real risk of significant harm’.
Many organizations don’t understand the nuances of what personal information is considered sensitive, or the difference between a privacy incident (which may or may not result in unauthorized access to or disclosure of personal information) and an actual breach. Many don’t know that all breaches need to be appropriately recorded, even if this threshold hasn’t been met. There is still a tendency to want to sweep breaches under the rug and hope they’ll go away. But more than ever before, accountability and a clear breach response plan are critical to avoiding the reputational harm associated with a data breach.
Here are some important things to think about:
- Has your organization taken steps to avoid a breach in the first place? Have security controls to mitigate internal and external threats been evaluated?
- Have you had conversations with your service providers on breach management and escalation? How will reporting obligations be synchronized if your service provider is processing data you control and they have a breach?
- Has there been sufficient privacy breach communication and training internally?
- Based on the personal information data sets you hold, have you considered what other organizations would need to know about a breach if it occurred in order to mitigate harm?
- If your information-handling practices span different jurisdictions (multiple countries or provinces), are you familiar with all the breach notification and reporting obligations that may apply? You don’t want unnecessary delays caused by trying to figure this out when you’re knee-deep in a breach situation!
- Do you have a robust breach recordkeeping system in place?
For an in-depth discussion of the nuances and key steps for complying with the new mandatory breach notification and reporting regime in Canada, join us for our final webinar on October 30th at 1:00 pm EST.