Privacy and cybersecurity in Canada: What every business needs to know

Cybersecurity attacks are happening more and more often, and they can be very costly for businesses. In Canada, almost all Canadian organizations reported a cybersecurity attack in 2022, with 25 percent of organizations experiencing at least one attack per day and most organizations experiencing more than 11-30 attacks per month. The average cost of a data breach is reported to be $5.64 million US dollars.

Preparing for a data breach is simply good business.

Maintain strong privacy and cybersecurity policies and practices

Businesses can mitigate risk by maintaining strong privacy protocols. Business should only collect  information (including personal information) reasonably necessary for business operations.  Access to the information should be limited to employees, contractors and service providers who need to access it for the purposes of their duties and responsibilities to the organization.  Organizations should audit that access on a regular basis. The federal commissioner has recommended security information, event management, user identity and behavior analytics systems where companies manage large volumes of sensitive personal information. Businesses should also implement effective data segregation, retention and destruction policies.  Vulnerability management, data loss prevention and back up/disaster recovery protocols should be put in place and employees should be trained on all policies and procedures.

As a business still controls and is responsible for personal information that is transferred to a third-party service provider to process, it is important to implement key contractual clauses to require the third parties to use and protect the information appropriately.

Prepare an effective breach response plan

Your business should have a breach response plan. The Court of Appeal of Quebec recently dismissed the first privacy class action against the Investment Industry Regulatory Organization of Canada (IIROC) for the loss of personal information of thousands of Canadian investors resulting from a data breach. The court examined IIROC’s post-breach actions and found that it had acted diligently in dealing with the breach. This decision highlights the importance of having a well-prepared and executed breach response plan that can shield the business from civil liability arising from a cybersecurity attack or other data breaches.

All employees, contractors and applicable service providers should know how to identify, report and escalate an incident. The plan should also include a response team that clearly understands their roles, emergency contact numbers for everyone on the team and back ups for all team members in the event of absences. The response team should include team members from the privacy office, IT, key managers, in-house counsel (if applicable) and can include human resources and external parties such as insurers, legal counsel, internal or external forensic experts and communications experts.  Reviewing and testing the plan regularly can help your business proactively identify weaknesses in its cybersecurity and shore up your defences. The response plan must be scrutinized and amended periodically to account for improvements in technology and change in internal processes.

Breach notification

If a breach occurs, Canadian businesses must assess whether breach notification is required under applicable federal or provincial privacy laws. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to businesses engaged in commercial activities across Canada unless such activity takes place entirely within one of the three provinces of Alberta, British Columbia and Québec. These provinces have their own privacy laws which are deemed to be substantially similar to PIPEDA. PIPEDA also applies to federal works, undertakings and businesses operating within these provinces, such as banking, railway and telecommunications. PIPEDA and the equivalent Alberta and Quebec legislation have mandatory breach reporting requirements.

There are also breach notification requirements under various provincial public sector privacy and health information laws. For the purposes of this article we comment on the private sector breach notification requirements only.

PIPEDA requires business to notify the Officer of Privacy Commissioner of Canada and affected individuals of a privacy breach that poses a “real risk of significant harm” to the affected individuals as soon as feasible. The notification should provide sufficient information to allow the Commissioner to understand the breach’s significance and to take steps to reduce the risk of harm. The Québec An Act respecting the protection of personal information in the private sector and Alberta’s Personal Information Protection Act (PIPA)‎ have similar privacy breach notification requirements. A breach could therefore require notification in multiple jurisdictions with different requirements.

When a cybersecurity attack results in the loss of personal information, or unauthorized access or disclosure of personal information, a business needs to consider the following questions to meet the notification requirements:

Who is responsible for reporting the breach?

Businesses that “control” or “hold” personal information must report the breach to the federal Privacy Commissioner, and the Privacy Commissioner of Alberta or Québec if the personal information of individuals living in these provinces is implicated in the breach. When a business transfers personal information to a third party for processing and a breach occurs to the personal information in the processor’s possession, the principal business remains in control of the personal information and therefore is responsible for reporting the breach. That said, the Quebec legislation’s notification requirements apply to any organization that experiences a data breach in relation to personal information that the organization “holds”, and it is not yet clear whether Quebec regulators will draw the same distinction between the controlling entity and is processors.

Private sector laws in Canada may apply extra-territorially where there is a real and substantial connection with Canada. ‎The breach notification requirements will therefore apply to foreign entities who have collected Canadians’ personal information and suffer a breach affecting that information.

What kinds of breaches must be reported?

Under PIPEDA and Alberta PIPA, only breaches that pose a “real risk of significant harm” (RROSH) to an ‎individual must be reported. Similarly, Quebec’s new law requires reporting of breaches that pose a “risk ‎of injury”.‎ The real risk of significant harm could include bodily harm, humiliation, damage ‎to reputation or relationships, ‎loss of employment, business ‎or professional opportunities, ‎financial loss, identity theft, ‎negative effects on credit ‎records and damage to or loss ‎of property.

The RROSH test is not clearly defined, but PIPEDA provides a few broad factors to consider in the ‎determination of an RROSH. It generally includes factors such as the sensitivity of the personal information involved and the probability of misuse of that information. ‎Sensitive information usually includes categories of identity, financial, medical, employment and contact information. A personal email can be considered sensitive information if it could be exploited by malicious individuals for identity theft. Factors to consider the probability of misuse of personal information may include if there is a deliberate or malicious intent (e.g. theft, hacking) to cause the breach, what happened and how likely it is that someone would be harmed by the breach, how long the personal information has been exposed, how much personal information elements are at issue, and whether the personal information is recovered or destroyed promptly after the breach. 

Under PIPEDA and the Quebec legislation, businesses are required to maintain a record of every breach, even if it is not reportable under the applicable test.

How are the affected individuals notified?

When a data breach occurs, PIPEDA requires a business to give notifications to affected individuals as soon as feasible if the breach poses a “real risk of significant harm” to those individuals. Quebec’s new law has a similar requirement.‎ In Alberta, after a business notifies the Alberta Privacy Commissioner of ‎the breach, the Commissioner may require the business to notify individuals. In fact, according to the Alberta ‎PIPA Breach Report 2022, 80 percent of businesses had already notified affected individuals at the time the ‎breach was reported to the Commissioner.

The breach notifications to affected individuals should include sufficient information to allow the individuals to understand the significance of the breach to them and to take steps to mitigate the harm.

The business can consider offering the affected individuals credit monitoring services, identity theft protection services and other information and resources in order to mitigate the risk of harm.

What is the penalty if a business fails to report?

Under Québec’s legislation, a business that fails to report a breach to the privacy commissioner or affected individual could face a penalty of up to $25 million or 4 percent of its worldwide income or a monetary administrative penalty of up to $10 million or 2 percent of its worldwide income.

The Federal government introduced Bill C-27 Digital Charter Implementation Act, 2022 (DCIA) in 2022 to replace PIPEDA with more robust privacy and data protection laws.‎¹‎ The DCIA will introduce new privacy rights for individuals and stronger powers for the Privacy Commissioner. It will also establish a new Personal Information and Data Protection Tribunal and the risk of significant administrative monetary penalties or penal fines for privacy violations or offences. The bill is currently at the second reading stage in the House of Commons and is subject to debate, amendments, and further scrutiny before it can be passed into law.

If DCIA is passed, failing to report breaches to the Privacy Commissioner can lead to maximum fines of $25 million or five percent of gross global revenue. The affected individuals may have a private right of action if the Privacy Commissioner found that the business failed to put appropriate security protocols in place.

Final thoughts

As can be seen, privacy breaches are increasingly common, and bring organizational, legal, and reputational risk. Overall, privacy and cybersecurity should therefore be a top priority for businesses in Canada. An experienced team familiar with the laws and practices can effectively help mitigate the risks and costs associated with cybersecurity incidents.