Mandatory data breach reporting is now in full effect. Are you prepared?
In Canada, the Digital Privacy Act amended the longstanding Personal Information Protection and Electronic Documents Act (PIPEDA) in 2015 to include a mandatory clause regarding required breach notification practices.
The timing of the accompanying Regulatory Impact Analysis Statement reflected the need for Canada to accelerate its standards to match the newly implemented EU General Data Protection Regulation (GDPR), which took effect in late May of 2018.
The finalized Canadian amendments align Canada’s regulations with the new European standard so that Canadian organizations comply with both Canadian and European law, and are considered essential to the longstanding mutual benefits of Canadian-European trade relations.
We’re breaking down everything you need to know about Canadian Data Breach Legislation, the specifics of data breach reporting, and how it will affect businesses.
What is the Canadian Data Breach Legislation?
As part of PIPEDA, the Federal Government of Canada published eagerly anticipated Breach of Security Safeguards Regulations on April 18th, 2018.
These regulations specify the requirements of groups and organizations to alert the Office of the Privacy Commissioner of potential breaches of data that pose risks of real and significant harm. The regulations came into effect on November 1st.
How Does the Legislation Impact Businesses?
New Canadian Data Breach Legislation affects the policies and procedures of organizations and businesses working in the sphere of data collection and transmission.
Under the amendments, an organization that has experienced a data breach must conduct a risk assessment to determine whether the breach poses a “real risk of significant harm” to anyone whose information – personal or professional – was involved.
A risk assessment considers the sensitivity of the information involved and the probability that it has been or will be misused. Where a real risk of significant harm is identified, the organization must notify all affected individuals and report to the Privacy Commissioner of Canada as soon as possible.
The breach notice must contain sufficient information that allows the affected individual to fully understand the significance to them, and to take steps that in turn help reduce the risk of such harm. The notice must be direct and purposeful, and given directly to the individual, except under circumstances where indirect notice, like posting the details of the breach to a website, may suffice.
Data Breach Reporting
Data Breach Reporting is perhaps the most important subsection of the Breach of Security Safeguards Regulations. Reporting ensures that data breaches are recorded and tracked, and that reports are communicated both to the Privacy Commissioner and to the affected individuals.
As per the federal government’s regulations, an organization must submit a written report of the breach to the Commissioner, and it must contain:
- (a) a description of the circumstances of the breach and, if known, the cause;
- (b) the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
- (c) a description of the personal information that is the subject of the breach to the extent that the information is known;
- (d) the number of individuals affected by the breach or, if unknown, the approximate number;
- (e) a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
- (f) a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of the Act; and
- (g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.
Individuals affected by the data breach must also be notified, and the notice must contain:
- (a) a description of the circumstances of the breach;
- (b) the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
- (c) a description of the personal information that is the subject of the breach to the extent that the information is known;
- (d) a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
- (e) a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
- (f) contact information that the affected individual can use to obtain further information about the breach.
Mandatory Records for Breaches
In addition to reporting, organizations must keep and maintain a record of every data breach involving personal information under their control, whether or not the breach poses a real risk of significant harm.
Upon request, businesses and organizations must be able to provide thorough and complete records to the Office of the Privacy Commissioner, who may publish information from the records where publication is in the public’s interest. The Commissioner may also use these records as a basis from which to launch an audit or investigation.
Staying Ahead of The Curve With Active Cybersecurity Solutions
Liken your data and cyber-security needs to a ship. Should your ship run aground, the best fix isn’t a patch job on the hull. We believe a proper fix should stem from newly acquired, impeccable navigational skills that prevent the accident from happening again. Imagine Shield as a proactive, preventative measure, rather than a fix-it solution.
Shield cybersecurity solutions can be effective tools for reducing and preventing security and data breaches, and help address the security requirements that come with the revamped Canadian Data Breach Legislation.
Shield products like Shield-SDE prevent attacks against data by ensuring it is encrypted and only accessible to authorized personnel, providing secure file and email access while streamlining operations and reducing capital costs. Shield-BGProtect identifies intruders’ attempts to steal your data as it leaves your network.
Shield safeguards and supports regulatory compliance laws, regulations, and guidelines by:
- Protecting against malicious software
- Ensuring transmission security through integrity controls and encryption
- Access control
- Encryption
- Decryption
- User identification
- Firewall configuration
- Protection of stored cardholder data
- Encrypted transmission of cardholder data over public networks
Your data deserves the best protection, and judging by Canada’s amendments to the Personal Information Protection and Electronic Documents Act, the nation’s lawmakers agree.
The updates to the Canadian Data Breach Legislation ensure that individuals are adequately and promptly notified of a data breach that affects them, and give organizations a clearer, more direct channel for communicating with the authorities. The third pillar of that equation is superior cyber-security measures that prevent breaches from happening in the first place.
That’s where Shield comes in.