Canadian businesses that fall victim to data breaches will soon be required to notify users that their personal data has been compromised, if Canada’s privacy commissioner has his way.
The commissioner’s office recently submitted an official response to the Ministry of Innovation, Science and Economic Development regarding the new data breach notification and reporting regulations proposed for the Personal Information Protection and Electronic Documents Act (PIPEDA).
In the June 10 document, Barbara Bucknell, the director of policy and research for the privacy commissioner’s office, wrote that “during his appearance before the House of Commons Standing Committee on Industry, Science and Technology (INDU), Privacy Commissioner Daniel Therrien expressed support for the new measures, indicating that mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information.”
While the amendment’s final version has not yet been publicly released and will require government approval to become law, a draft version has been posted online since March, and companies and users alike were invited to comment until May 31.
Of course, the commissioner’s office had a few thoughts of its own regarding five key elements of the proposed regulations, and the companies facing the brunt of its impact might want to take note of them.
Can encryption prevent a “real risk of significant harm”?
At the core of PIPEDA’s new reporting and notification requirements is an obligation for businesses to perform a self-analysis and determine whether a breach of security results in a “real risk of significant harm.”
Much of the answer lies with a company’s efforts to protect itself from data breaches through methods such as encryption, Bucknell writes, which many firms will argue significantly lowers risk.
However, to follow the encryption example, as algorithms evolve, encryption standards once considered unbreakable can eventually become decipherable, she writes. Key management systems could also be compromised, and personal information easily decrypted.
Not all organizations have the resources needed to identify and mitigate every potential security breach, Bucknell writes, nor would they necessarily be able to confirm whether information has been rendered unusable, or even whether a key has been compromised.
Bottom line: “[T]he use of encryption should not be equated with a low risk to individuals,” she writes.
Under the amendment, companies must regularly submit reports to the Privacy Commissioner – here’s what they should contain
Another critical element of the amendment will be the requirement for companies to submit reports whenever there’s a data breach.
“These reports should provide sufficient information so that the Office may effectively assess whether organizations are appropriately notifying individuals and evaluate whether they have applied appropriate measures to contain breaches, mitigate the risk of harm to individuals and prevent future breaches of a similar nature,” Bucknell writes.
The commissioner’s office suggests that the following elements be included in these reports:
- The company’s name;
- Contact information for someone who can answer questions on the company’s behalf;
- Description of the breach, including:
  - The estimated number of users affected;
  - The personal information leaked;
  - The date of the breach, if known, or an estimated date or date range if unknown;
- A list of other organizations involved in the breach, such as affiliates or third party processors;
- An assessment of the risk faced by individuals as a result of the breach;
- A description of any steps planned or taken to notify affected individuals, including:
  - A notification date;
  - Whether the party has been or will be notified, whether they will be notified directly or indirectly, and if indirectly notified, why (more on this below);
  - A copy of the notification;
- A list of third party organizations that were notified of the breach;
- A description of measures the company has taken or will be taking to contain the breach and reduce its risk to affected users;
- A description of the organization’s related safeguards, taking improvements against future breaches into account.
What do users know?
While the new regulations will require businesses to notify individuals, Bucknell notes that companies should be allowed to vary the content depending on the breach and method of notification.
In its submission, the commissioner’s office proposed that organizations specify the following:
- A description of the breach’s circumstances;
- The breach’s date, if known, or an estimated date or date range if it’s not;
- A description of the personal information leaked;
- A description of the steps taken to mitigate the risk;
- Steps the individual can take to reduce their own risk;
- Contact information for someone who can answer questions about the breach on the organization’s behalf;
- Information about their right of recourse under PIPEDA and the act’s complaints process.
Bucknell writes that businesses should be allowed to use a variety of communication methods to notify users, including in-person discussions, telephone calls, emails, or mailed letters, though she notes that any methods used “must be documented, verifiable, and… in plain language”.
Remember what we wrote about indirect notification?
Indirect notifications – for example, e-mailing users and calling it a day – should only be permitted in specific circumstances, Bucknell writes:
- When direct notification is likely to cause further harm; for example, by letting family members know that a user had purchased or subscribed to a product or service the user wanted to keep secret;
- When notifying every affected individual would involve “prohibitive costs to the organization and unreasonably interfere with its operations”;
- When the contact information for affected users is unknown, out of date, incomplete, or inaccurate.
That said, once organizations have demonstrated valid reasons for using indirect notification, they should have flexibility in how they indirectly notify users, Bucknell writes.
The keeping of records
Another suggested regulation would require organizations to keep and maintain records, which Bucknell writes should include “sufficient information to demonstrate compliance with PIPEDA’s new notification requirements and… contain sufficient information to enable the Office to effectively perform its oversight functions.”
These records should also help the commissioner’s office understand how organizations determine whether to notify affected users, she writes.
The commissioner’s office believes the following elements should all be included in records of breaches:
- The date or estimated date of the breach;
- A general description of the breach and its circumstances;
- The type of information compromised in the breach;
- A summary and conclusion of the company’s risk assessment, leading to its decision whether to report the breach or not.
All breaches, including those reported to the commissioner’s office, should be documented, Bucknell writes, and maintained for five years.
She notes that companies should be obligated to maintain records whether or not they are aware of a breach, since allowing them to avoid submitting a report for unknown breaches could lead companies to forgo detection measures in the first place in order to plead ignorance.