On November 1, 2018, organizations will be required to report breaches to the Office of the Privacy Commissioner (OPC) of Canada. The requirement covers any breach of security safeguards that poses a "real risk of significant harm" to the individuals affected by the security incident.
If that is the case, the organization must notify all affected individuals, report the breach to the Commissioner as soon as feasible, and notify any other organizations that can help mitigate harm to the affected individuals, as reported by the Canada Gazette.
PIPEDA, GDPR & The Digital Privacy Act
Canada’s current federal privacy law governing how businesses must handle personal information is the Personal Information Protection and Electronic Documents Act (PIPEDA). The act applies to the collection, use or disclosure of personal information in the course of a commercial activity, so it affects all organizations engaged in commercial transactions, as well as federally regulated ones such as banks, telecommunications and transportation companies.
This breach notification requirement was introduced as part of the Digital Privacy Act, which amended PIPEDA and added the breach reporting provisions under Division 1.1 of PIPEDA. The reporting requirement was published in April 2018, giving in-scope organizations about six months to prepare for compliance.
The new PIPEDA regulations coincide with the enforcement of the European Union's General Data Protection Regulation (GDPR), which also includes mandatory data breach reporting. EU companies must provide similar information to authorities and individuals and keep a record of all data breaches, as the Government of Canada noted in its Breach of Security Safeguards Regulations.
Organizations that knowingly fail to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches, could face fines of up to $100,000. - The Digital Privacy Act and PIPEDA, Office of the Privacy Commissioner of Canada
The Cost of Breaches in Canada
According to the Ponemon Institute's 2017 Cost of a Data Breach report, data breaches are the most expensive in the United States and Canada, at an average per capita cost of $225 and $190, respectively.
The average detection and escalation costs for Canada were $1.46 million, the highest of any country in the report. These costs include forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive management and the board of directors.
Canada also ranks fifth for the most expensive notification costs (0.12 million USD), while the U.S. (0.69 million USD) ranks first. Notification costs include creating contact databases, working through regulatory requirements, hiring outside experts, outbound communication to affected individuals, and more.
It’s important to prepare your company for the new breach reporting requirements and to understand your IT environment so you can protect against a costly data breach. The Government of Canada offers some flexibility and guidance around the costs of breach notification:
It is anticipated that the flexible approach taken in the proposed Regulations will serve to mitigate the costs of complying with the statutory requirements for notifying individuals. The proposed Regulations allow for organizations to notify individuals indirectly where directly contacting each affected individual may prove unreasonably costly. In these cases, the proposed Regulations allow notification to take place via communication channels that are much more cost effective and efficient, greatly reducing the burden of notification. This may be particularly important for small to medium-sized organizations that may experience a data breach involving a very large number of customers.
Preparing for Breach Reporting
Here’s what organizations must include in their breach reports to the Commissioner:
- A description/cause of the breach (if known)
- Date or period during which the breach occurred
- What kind of personal information was breached
- How many people were affected
- What the organization has done, post-breach, to reduce the risk of harm to affected people
- What the organization intends to do to notify affected people
- One point of contact that will represent the organization and answer questions about the breach
At a minimum, organizations must also maintain a data breach record for 24 months from the date that the breach was confirmed by the organization (not from when it occurred).
To start preparing for a breach report (and to help prevent a breach):
- Conduct a risk assessment to consider the sensitivity of information that could be leaked, and how likely it is that the data will be misused.
- Conduct an audit of your applications and determine where personal information is collected, processed or stored.
- Then ensure you have visibility into security events, with logs and reports of user access and activity, as well as actionable insight into the security of users' devices.
- Determine which users or user groups have privileged access, and limit the number of administrative users to those that need it to do their jobs (least privilege).
- Keep track of new patches when they become available and update your systems and applications, and/or notify your users to update their personal devices.
Learn about a new security model designed to protect against threats that may lead to a data breach, in our free guide, Moving Beyond the Perimeter: Part 1.