Canadian Breach Regulations: Introduction and Overview

Transcript of Canadian Breach Regulations: Introduction and Overview

Page 1: Canadian Breach Regulations: Introduction and Overview

Canadian Breach Regulations

A Primer

Page 2

Introductions: Today’s Speakers

Gant Redmon, General Counsel, CIPP, Co3 Systems

• 13 years as corporate counsel in security and privacy

David Loukidelis QC

• More than a decade as a Canadian privacy regulator with international experience (Information and Privacy Commissioner for British Columbia, 1999-2010, active APEC and European involvement)

• Extensive justice system and law enforcement experience (Deputy Attorney General, Ministry of Justice of British Columbia, 2010-2012)

Page 3

Agenda

• General overview of the Canadian privacy regulation landscape

• Canadian breach notification laws and their implications for US and other businesses

• Description of health information-specific laws and their requirements

• Q&A

Page 4

Co3 Automates Breach Management

PREPARE

Improve Organizational Readiness

• Assign response team

• Describe environment

• Simulate events and incidents

• Focus on organizational gaps

ASSESS

Quantify Potential Impact, Support Privacy Impact Assessments

• Track events

• Scope regulatory requirements

• See $ exposure

• Send notice to team

• Generate Impact Assessments

MANAGE

Easily Generate Detailed Incident Response Plans

• Escalate to complete IR plan

• Oversee the complete plan

• Assign tasks: who/what/when

• Notify regulators and clients

• Monitor progress to completion

REPORT

Document Results and Track Performance

• Document incident results

• Track historical performance

• Demonstrate organizational preparedness

• Generate audit/compliance reports

Page 5

POLL

How Canadian Are You?

Page 6

Political Subdivisions

• Ten provinces and three territories

• Similar to the U.S., provinces and the federal government both have regulatory power (territories only have powers delegated to them by Ottawa)

• Creates a patchwork of federal and provincial privacy laws

• Result is that businesses face varying obligations, similar to U.S.

Page 7

Federal Privacy Law

• Personal Information Protection and Electronic Documents Act (PIPEDA), enacted in 2000 and in force in stages from 2001

• Applies to every organization that collects or uses personal information in commercial activities

• “Personal information” is any information about an identifiable individual that is not business contact information

• Generally, an organization is prohibited from using personal information without the person’s consent

Page 8

Federal Law - PIPEDA

• Gives individuals rights such as access and knowledge of why their information is being collected

• Individuals can complain to the Privacy Commissioner, who will issue recommendations if a breach is found; individuals can then apply for a court hearing where damages and injunctive relief can be awarded

• Commissioner can also seek court enforcement

• PIPEDA doesn’t apply to businesses in Quebec, BC and Alberta (which have their own substantially similar laws) except federally regulated businesses, and personal information that crosses provincial or national borders

Page 9

Breach Notification - Federal vs. Provincial

• PIPEDA does not expressly require notification of breaches to affected individuals or the regulator

• Privacy Commissioner guidance recommends individual notice where a ‘risk of harm’ exists, accounting for all circumstances (including ability of those affected to mitigate risk); notice to Commissioner is also suggested

• Amendments to PIPEDA are likely (Bill C-12) which would require notification on a standard of ‘real risk of significant harm’ after a ‘material breach of security safeguards’

• Amendments would also otherwise harmonize PIPEDA with the Alberta, BC and Quebec privacy laws (notably for employment and business transaction situations)

Page 10

Breach Notification - Federal vs. Provincial

• Breach notification laws currently only exist at the provincial level:

• Alberta has Canada’s only comprehensive breach notification law

• Ontario, New Brunswick, and Newfoundland & Labrador require breach notification only for personal health information

Page 11

Alberta’s Personal Information Protection Act (PIPA)

• Notification to the regulator is required where there is a loss of, or unauthorized access to or disclosure of, personal information

• Only have to report when “a reasonable person would consider that there exists a real risk of significant harm to an individual”

• “Significant harm” includes material harm such as financial loss, identity theft, physical harm, or reputational harm

Page 12

Alberta’s Personal Information Protection Act (PIPA)

• If the harm qualifier is met, reports must be sent to the Alberta Privacy Commissioner; the Commissioner will then determine if individuals must be notified

• Notice to the Commissioner must be comprehensive and include a description of the breach, how many individuals were affected, mitigation steps, risk-of-harm assessment, and more

• Notice to the individual must include a description of the breach and the information lost, mitigation steps, and contact information

Page 13

What about British Columbia?

• BC’s privacy law expressly requires ‘reasonable safeguards’ to protect against misuse of personal information

• BC’s Privacy Commissioner has issued guidance recommending notification where there is a ‘risk of harm’ such as financial, personal safety, humiliation or reputation

• Notice should be ‘as soon as possible’, with direct notification being preferred

Page 14

What about Quebec?

• Quebec’s privacy law, dating from 1994, requires reasonable security measures having regard to sensitivity, purposes, quantity, distribution and storage medium

• No express notification requirement, but Quebec Commission guidance expects risk assessment and notification ‘without delay’, considering risk of ‘prejudicial use’ such as ID theft and whether individuals can act to mitigate risk if notified

• Notice to both the Commission and those affected

Page 15

HEALTH INFORMATION-SPECIFIC LAWS

Page 16

Ontario’s Personal Health Information Protection Act (PHIPA)

• Requires notification to affected individuals “at the first reasonable opportunity” where personal health information is lost, stolen or accessed by unauthorized persons

• No harm qualifier

• No PHIPA requirement to notify the provincial Privacy Commissioner or a government agency

• Provincial Privacy Commissioner’s guidelines say notice must include details of the breach, mitigation steps, reporting to the Commissioner if necessary, and contact information

Page 17

New Brunswick’s Personal Health Information Privacy and Access Act

• Requires notification at the ‘first reasonable opportunity’ to both the provincial Privacy Commissioner and affected individuals

• Similar triggers to PHIPA, plus notification in cases of improper disposal

• Individual notice is required only where the custodian reasonably believes there will be an ‘adverse impact’ on affected individuals’ health care, benefits, mental, economic or social well-being

• Must include contact information, nature of the breach, when and where the breach occurred, when it came to the custodian’s attention

Page 18

Newfoundland and Labrador’s Personal Health Information Act

• Similar to New Brunswick triggers (loss, theft, unauthorized access or disclosure)

• Individual notice is required only where the custodian reasonably believes there will be an ‘adverse impact’ on affected individuals’ health care, benefits, mental, economic or social well-being

• Provincial Privacy Commissioner also must be informed where custodian reasonably believes the breach is ‘material’

• Materiality factors include the sensitivity of the information, number of affected individuals, possibility of misuse, indication of systemic problem

Page 19

Newfoundland and Labrador’s Personal Health Information Act

• Privacy Commissioner may recommend individual notification even if the above harm-to-well-being factors are not met

• Like Ontario’s law, there are no statutory requirements regarding content of notification

Page 20

POLL

In the past year, have you experienced a breach/loss in Canada?

Page 21

What about penalties?

• Unlike many US laws, Canadian laws don’t impose administrative penalties for failing to notify affected individuals

• Regulators might formally rule, after investigation and hearing, that a company breached a notification requirement and this might lead to a separate lawsuit for (actual) damages

Page 22

And still more…

• There’s no ability for the regulators to impose penalties themselves

• For example, in Alberta it is an offense to fail to notify the regulator of a breach, with a maximum fine of $10,000 for an individual (up to $100,000 for an organization) if there’s a prosecution and a court conviction

• In Quebec, it is an offense to fail to safeguard personal information, but no fine is possible without a court’s conviction

• But remember reputational risk—Canadian consumers are privacy-sensitive, have fairly high privacy expectations, and the media are always happy to report on privacy breaches

Page 23

QUESTIONS

Page 24

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”

GARTNER

“Platform is comprehensive, user friendly, and very well designed.”

PONEMON INSTITUTE

David Loukidelis QC

Consulting & Legal Services

O. +1 780 429 6748

C. +1 587 985 2818

[email protected]