ITBusiness.ca

Privacy Commissioner’s office weighs in on proposed data breach regulations

Canadian businesses that fall victim to data breaches will soon be required to notify users that their personal data has been compromised, if Canada’s privacy commissioner has his way.

The commissioner’s office recently submitted an official response to the Ministry of Innovation, Science and Economic Development regarding the new data breach notification and reporting regulations proposed for the Personal Information Protection and Electronic Documents Act (PIPEDA).

In the June 10 document, Barbara Bucknell, the director of policy and research for the privacy commissioner’s office, wrote that “during his appearance before the House of Commons Standing Committee on Industry, Science and Technology (INDU), Privacy Commissioner Daniel Therrien expressed support for the new measures, indicating that mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information.”

While the amendment’s final version has not yet been publicly released and will require government approval to become law, a draft version has been posted online since March, and companies and users alike were invited to comment until May 31.

Of course, the commissioner’s office had a few thoughts of its own regarding five key elements of the proposed regulations, and the companies facing the brunt of its impact might want to take note of them.

Can encryption prevent a “real risk of significant harm”?

At the core of PIPEDA’s new reporting and notification requirements is an obligation for businesses to perform a self-analysis and determine whether a breach of security results in a “real risk of significant harm.”

Much of the answer lies with a company’s efforts to protect itself from data breaches through methods such as encryption, Bucknell writes, which many firms will argue significantly lowers risk.

However, to follow the encryption example, encryption standards once considered unbreakable can become decipherable as algorithms evolve, she writes. Key management systems could also be compromised, leaving personal information easily decrypted.

Not all organizations have the resources needed to identify and mitigate every potential security breach, Bucknell writes, nor would they necessarily be able to confirm whether information has been rendered unusable, or even whether a key has been compromised.

Bottom line: “[T]he use of encryption should not be equated with a low risk to individuals,” she writes.

Under the amendment, companies must regularly submit reports to the Privacy Commissioner – here’s what they should contain

Another critical element of the amendment will be the requirement for companies to submit reports whenever there’s a data breach.

“These reports should provide sufficient information so that the Office may effectively assess whether organizations are appropriately notifying individuals and evaluate whether they have applied appropriate measures to contain breaches, mitigate the risk of harm to individuals and prevent future breaches of a similar nature,” Bucknell writes.

The commissioner’s office suggests that the following elements be included in these reports:

What do users know?

While the new regulations will require businesses to notify individuals, Bucknell notes that companies should be allowed to vary the content depending on the breach and method of notification.

In its submission, the commissioner’s office proposed that organizations specify the following:

Bucknell writes that businesses should be allowed to use a variety of communication methods to notify users, including in-person discussions, telephone calls, emails, or mailed letters, though she noted that any methods used “must be documented, verifiable, and… in plain language”.

Remember what we wrote about indirect notification?

Indirect notifications – for example, e-mailing users and calling it a day – should only be permitted in specific circumstances, Bucknell writes:

That said, once organizations have demonstrated valid reasons for using indirect notification, they should have flexibility in how they indirectly notify users, Bucknell writes.

The keeping of records

Another suggested regulation would require organizations to keep and maintain records, which Bucknell writes should include “sufficient information to demonstrate compliance with PIPEDA’s new notification requirements and… contain sufficient information to enable the Office to effectively perform its oversight functions.”

These records should also help the commissioner’s office understand how organizations determine whether to notify affected users, she writes.

The commissioner’s office believes the following elements should all be included in records of breaches:

All breaches, including those reported to the commissioner’s office, should be documented, Bucknell writes, and maintained for five years.

She notes that companies should be obligated to maintain records regardless of whether they are aware of a breach, since allowing them to skip reporting unknown breaches could encourage companies to forgo detection measures in the first place in order to plead ignorance.
