Effective November 1, 2018, organizations engaged in commercial activities in certain Canadian provinces and territories now have additional data breach reporting requirements pursuant to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA1) and the Breach of Security Safeguards Regulations2. While Quebec3, British Columbia4 and Alberta5 previously adopted substantially similar data breach requirements, if personal information during the course of a commercial activity crosses borders, PIPEDA may apply as well.
PIPEDA is Canada’s federal privacy law for the private sector. A breach is considered reportable if there is a “breach of security safeguards” which involves the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or failure of the organization to establish security safeguards. If the breach involves personal information under the organization’s control and it is reasonable to believe after a risk assessment that the breach creates a real risk of significant harm to an individual, it must be reported, regardless of the number of individuals affected.
Significant harm may include loss of employment business or professional opportunities, financial loss, identity theft, negative effects on credit, bodily harm, humiliation, damage to reputation or relationships and damage to or loss of property.
Notification includes notifying:
- The Office of the Privacy Commissioner of Canada;
- Affected individuals; and
- Other organizations such as payment processors and law enforcement.
Organizations must maintain breach related records for at least 24 months; or possibly longer depending on other legal requirements. The penalties for failure to report or failure to keep required records could result in fines of up to $100,000 (CAD).
This is an important development for any organization that conducts commercial activities in Canada. For more information, please contact the authoring attorney.