Data Breach Reporting Now Required by Law in Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) was amended under the Digital Privacy Act on June 18, 2015 to include provisions requiring mandatory data breach reporting and notification. On April 18, 2018, the Canadian federal government released the Breach of Security Safeguards Regulations, which outline the rules and requirements applicable in the event of a breach of security safeguards affecting personal information. A “breach of security safeguards” is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from a failure to establish those safeguards.
What the Law Requires
If it is reasonable to believe the breach of security safeguards creates a real risk of significant harm to the individual:
These provisions, along with the accompanying Breach of Security Safeguards Regulations, which include fines of up to CAD$100,000 per offense, will be in force as of 1 November 2018. This follows Alberta’s Personal Information Protection Act (PIPA), which has had such a law since 2010.
Organizational Impact of PIPEDA
Notice to the Commissioner must be in writing and must include:
Notification to individuals may be made “in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances” and must include:
Three years since PIPEDA’s amendment, organizations are expected to have reviewed their readiness and response processes and procedures for monitoring, recording and reporting security or data breaches for compliance. For mature organizations with an Information Security Management System in place, this is something they are prepared for. However, this poses a huge challenge for startups, fintechs, and any small or medium enterprises that process personally identifiable information (PII), given their limited security expertise and resources.
The Tugboat Logic Solution
Tugboat Logic, the Virtual CISO platform, can help prepare you for these regulatory changes by providing a simple wizard to quickly define which security policies you need in order to comply. Tugboat Logic then helps guide you to the controls your organization needs to have in place to comply with these recommended policies, and tracks the implementation of the appropriate controls to help prove you are compliant to regulators and clients.
Tugboat Logic Turnkey Policies Map to PIPEDA’s Notification Requirements:
Tugboat Logic provides organizations with an automated framework that demystifies the process of setting up a security program, builds their credibility with clients quickly and simply, lets them focus on selling more, and reduces their risk of regulatory fines.
You can find additional resources here:
OIPC breach report guidance
PIPEDA Breach Report Form
Alberta breach report form (.doc)
Canadian federally regulated businesses and industries