Effective Nov 1, 2018, businesses that have a privacy breach must give notice of the breach under PIPEDA – the privacy legislation affecting the private sector in most Canadian provinces. The final regulations containing the details are about to be published.
Here are the highlights.
When do I have to report?
If there is a privacy breach that “creates a real risk of significant harm to an individual”. That includes bodily harm, humiliation, damage to reputation, financial loss, identity theft. Risk factors to decide the reporting threshold are provided. The report must be made “as soon as feasible after the organization determines that the breach has occurred.”
What do I have to report?
Circumstances of the breach, when it happened, what information was breached, steps taken to reduce the risk of harm, steps individuals can take to reduce risk, contact information.
Who do I have to report to?
The Privacy Commissioner, the individuals, and third parties that “may be able to reduce the risk of harm.” That third party requirement will require some pondering.
But wait, there’s more
Perhaps the most challenging aspect is a requirement to maintain a “record of every breach of security safeguards involving personal information under its control.” That must be shown to the Privacy Commissioner on request. The challenge is that there is no threshold, and every breach, even trivial ones, must be recorded.
What are the penalties?
Failure to report when required, and failure to keep the breach records can result in a penalty of up to $100,000.
What do I need to do now?
Businesses should review their privacy policies and processes and amend as needed. Record keeping systems must be put in place for recording all breaches. A breach reporting and incident response process should be put in place.