Preparing for mandatory data breach reporting and record-keeping

Canadian Employment News Series

Employment Alert


There was no shortage of high-profile data incidents in 2017, with large increases in the number of reported data breaches over 2016 in both the United States and Canada. The increase in breaches, combined with significant recent developments in Canadian privacy legislation, has made privacy a top priority for many organizations this year.

It is difficult for companies to keep up with the ever-increasing regulatory burden under privacy legislation. As cyber security incidents, data collection and data breaches increase, the legislation in turn becomes more demanding. Even organizations that do not collect large amounts of customer personal information need to be aware of the legislative requirements, because employee personal information is subject to the same rules.

Canadian Privacy Legislation Landscape

In Canada, the protection of personal information held by private-sector organizations is governed either by federal legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), or by provincial legislation. Subject to some industry-specific exceptions, PIPEDA applies to all private-sector organizations unless a province has enacted its own privacy law that has been declared substantially similar to PIPEDA (currently Alberta, British Columbia and Quebec), in which case the provincial legislation applies to activities within that province. Even in those provinces, PIPEDA continues to apply to personal information collected in the course of interprovincial and international transactions, such as customer information collected through global internet sales.

In June 2015, PIPEDA was significantly amended by the Digital Privacy Act, which introduced mandatory breach reporting and record-keeping. Those particular amendments are not yet in force, but many expect them to be brought into force in the spring of 2018. On September 2, 2017, the federal government published the proposed Breach of Security Safeguards Regulations, which provide further detail on the content of breach reports, notifications and records.

Mandatory Breach Reporting

As organizations plan for the coming quarters, it is important to understand how the privacy regulatory landscape will change once the amendments to PIPEDA are in force. Under the new provisions, an organization that experiences a “breach of security safeguards involving personal information” must report the breach to the Office of the Privacy Commissioner of Canada (the “OPC”) and notify the affected individuals where it is reasonable to believe the breach creates a “real risk of significant harm” to an individual. The report and notification must be made “as soon as feasible” after the organization determines that the breach has occurred.

Alberta’s Personal Information Protection Act (“PIPA”) is currently the only Canadian private-sector privacy statute that requires mandatory notification of data breaches. PIPA requires an organization to notify the Alberta Information and Privacy Commissioner, without unreasonable delay, of any breach involving a real risk of significant harm to an individual. Because the reporting provisions of PIPA and the PIPEDA amendments are similar in many respects, Alberta’s experience under PIPA is a useful guide to how mandatory reporting under PIPEDA will work in practice.

Learning of a potential data breach can be overwhelming, particularly for small and medium-sized businesses without in-house privacy staff. The first step upon learning of a breach is to determine whether it creates a real risk of significant harm. The ‘real risk’ criterion focuses on the context of the breach, and central to that context is what caused it. Was the breach inadvertent, for example an employee leaving a laptop containing employee personal information in an airport, or was it intentional, such as an attacker gaining access to the company’s systems? Whether the data was encrypted, whether the device or data has since been recovered, and whether the information reached someone likely to misuse it all bear on the same question. The context of the breach largely informs whether there is a real risk that the disclosed personal information will be misused.

The ‘significant harm’ criterion relates to the nature of the information disclosed. Organizations must ask whether the personal information disclosed was a list of customer names, or employee names together with Social Insurance Numbers (“SINs”) and health information. Some information is clearly more sensitive and potentially harmful than other information, such as a SIN compared with an email address. It is also important to consider the breadth of what was disclosed about each individual, since several pieces of less sensitive information can combine to be more damaging. For instance, an individual’s first and last name, address and driver’s licence number together, which can facilitate identity theft, may be more harmful than that individual’s SIN alone.

Privacy legislation requires timely disclosure, but it is equally important to take reasonable steps to assess the risk at the outset. Determining the exact nature and scope of a potential breach before notifying helps avoid disclosing incorrect information and needlessly alarming customers and employees. Effective incident-response policies and procedures make this analysis faster and more consistent, and significantly reduce an organization’s potential exposure to liability in the event of a breach.

Mandatory Data Breach Record-Keeping

The amendments to PIPEDA will also require organizations to keep a record of every breach of security safeguards involving personal information, whether or not it is reported, and the proposed Regulations set the retention period at 24 months after the day the organization determines that the breach occurred. There is no harm threshold for this requirement, so records must be kept even for breaches that pose no real risk of significant harm, and each record must contain enough information for the Commissioner to verify that the organization’s reporting decisions complied with the Act. This is a significant regulatory burden, particularly for smaller organizations without dedicated privacy staff. However, with potential fines of up to $100,000 for non-compliance under both PIPA and PIPEDA, organizations are well advised to ensure they comply.

In addition to the OPC, which may at any time request access to an organization’s breach records, the list of those interested in reviewing breach records includes:

  • potential cyber insurers, who will almost certainly ask to review an organization’s breach records when negotiating premiums;
  • service providers, who will likely be asked to disclose their breach records when negotiating service agreements with customers; and
  • parties to corporate transactions, who are increasingly requesting such disclosure from one another as part of transactional due diligence.

Canadian Changes Reflecting Global Trends

The increasing importance of privacy compliance in today’s economy is compounded by global developments, namely the European Union’s General Data Protection Regulation (“GDPR”). The GDPR, which applies from May 25, 2018, imposes a uniform and stringent privacy standard on all organizations that process or hold the personal data of individuals in the EU, regardless of where the organization is located.

As the economy continues to become more digital, with data playing a central role, the regulatory requirements surrounding that data will grow more stringent. Mandatory breach reporting and record-keeping will soon be the global standard, and organizations are well served by a proactive approach and an early emphasis on privacy policies and procedures. Compliance with global privacy standards is a cost of doing business today, and the up-front cost of a proactive approach to privacy is far outweighed by the potential consequences of sub-par privacy procedures and policies.

[Republished in April 2018 edition of Internet and E-Commerce Law in Canada]