New mandatory data breach notification rules became effective on November 1, 2018.
The Personal Information Protection and Electronic Documents Act underwent significant changes on November 1, 2018. This federal legislation can apply to Quebec businesses. Businesses covered by the Act are subject to new, very strict, provisions regarding breaches of security safeguards.
SUMMARY OF CHANGES
Under the Act, businesses must now take action in the event of a “breach of security safeguards involving personal information under [their] control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”
In the Act, a breach of security safeguards refers to “the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards […] or from a failure to establish [such] safeguards.”
According to the Act, “[s]ignificant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” It is clear that this definition is very broad.
In the event that an organization discovers that a breach of security safeguards has occurred, it must quickly determine if the breach has created a real risk of significant harm, through a risk assessment with regard to those affected. In particular, the sensitivity of the information in question and the probability that it will be misused must be considered.
REPORTING A DATA BREACH
It is now mandatory to report such a breach to the Office of the Privacy Commissioner of Canada as soon as possible after the organization determines that there has in fact been a breach.
According to the Breach of Security Safeguards Regulations, such breaches must be reported in writing, and the report must contain the following information about the breach: a) the circumstances and cause; b) the date it occurred; c) the type of data; d) the number of individuals affected; e) steps the organization has taken to reduce the risk of harm for individuals affected; f) steps taken by the organization to notify the individuals affected; and g) the name and contact information of a representative of the organization who can answer questions about the breach.
NOTIFYING AFFECTED INDIVIDUALS OF THE BREACH
It is also mandatory to notify individuals of a data breach involving their personal information, unless otherwise prohibited by law, as soon as possible after the organization concludes that there has in fact been a breach.
According to the Breach of Security Safeguards Regulations, the notice must contain the following information about the breach: a) the circumstances; b) the day or period during which it occurred; c) the type of personal information; d) steps the organization has taken to reduce the risk of harm for individuals affected; e) steps affected individuals can take to reduce their own risk of harm; and f) contact information for individuals to find out more about the breach.
The Regulations also provide the form and manner for sending notices, whether directly or indirectly, based on factors set out in the Regulations, to be applied on a case-by-case basis.
DATA BREACH RECORD-KEEPING
Organizations must keep and maintain a record of all breaches of security safeguards related to personal information that they manage, even for cases in which breaches do not involve a real risk of significant harm to an individual. Records must be maintained for at least 24 months after breaches occur and must be provided to the Office of the Commissioner upon request.
ADDITIONAL OBLIGATIONS AND CONSEQUENCES
It is mandatory, in some cases, to inform other organizations in order to reduce harm to individuals (e.g., credit card companies or credit-reporting agencies).
Failure to comply with these obligations will lead to penalties, which can be very high, with fines up to $100,000 per affected individual.
Therefore, it is now extremely important for businesses to implement adequate cybersecurity measures and policies. The Office of the Commissioner published guidance for businesses on reporting privacy breaches, which is very useful since it provides the minimum expectations of the Office of the Commissioner.
It is important to keep in mind that while Quebec’s Act respecting the protection of personal information in the private sector does not formally provide for mandatory reporting of security breaches, for many years, the Commission d’accès à l’information du Québec has nevertheless suggested that businesses do so voluntarily in a similar manner to that which is now mandatory under federal legislation.
Although the federal government excluded organizations, other than federal works, that operate businesses in Quebec from the federal legislation with regard to the collection, use, and disclosure of personal information within the province of Quebec, such legislation continues to apply, for example, for interprovincial and international operations. It is therefore important to be very careful before asserting that Quebec legislation, instead of federal legislation, will apply in the event of a security breach, given the very severe penalties for businesses that do not comply with their obligations under the legislation.
*Disclaimer: This publication is provided as an information service and may include items reported from other sources. We do not warrant its accuracy. This information is not meant as legal opinion or advice.
By: Alexandre Ajami, lawyer (Miller Thomson LLP)