Lexpert June 2018

The most widely read magazine for Canadian lawyers

Issue link: https://digital.canadianlawyermag.com/i/1004189

TECHNOLOGY | BY GEORGE TAKACH

D-Day for Data Breach Preparedness

November 1 is the deadline for organizations to meet the requirements of the Digital Privacy Act; prepare yourself now.

If you or your organization have been procrastinating on implementing best-practices data breach policies and procedures, you have a deadline coming up: November 1, 2018. That's the date the new federal rules on data breach reporting come into effect in Canada; it's an important milestone, and you need to be ready.

A brief recap of the legislative history is in order. The federal data privacy/protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA), has been in effect since 2004. PIPEDA contains a fairly comprehensive regime of what organizations must do if they wish to collect, store, use and share personal information of customers, employees and others. In June 2015 the Digital Privacy Act (DPA) added several provisions to PIPEDA, including requiring organizations that have experienced certain types of data breaches to notify the Office of the Privacy Commissioner of Canada (OPC), and the individuals affected by the breach. The enactment of these breach notification provisions, however, was postponed in order to allow Canadian organizations to prepare for them.

In September 2017 the draft regulations for the data breach notification regime were published. In March, an order in council was published providing that on November 1, 2018, the data breach notification sections of the DPA would come into force; and on April 18 the final Breach of Security Safeguards Regulations were published.

What the new law means is that, as of November 1, 2018, a company that experiences a breach of security safeguards involving personal information must confirm whether the breach creates a risk of significant harm to any individual, and, if so, it must follow a strict protocol.
The initial risk assessment must establish precisely what happened; what data sets were penetrated; what might be done with this data; and whether anything is known about the perpetrators and their behaviour in prior hacks.

This activity sounds simple, but in the data breach litigation defence work that we have been involved in to date, it turns out this initial step can be difficult. The forensic data scientists have to be called in, and if the hackers have done a good job of covering their tracks it can be fiendishly difficult to figure out what went down, when, and who the perpetrators were.

Once you figure out what happened, you must wrestle with what can be a tougher question: what harm was done by the breach, and what potential harm remains? This is of critical importance, because under the new law only breaches that pose a real risk of significant harm to individuals have to be notified by the company collecting the data. Moreover, the government, in the Regulations, has decided not to give statutory guidance on this all-important question of what constitutes "significant harm."

We do have some guidance from the Office of the Privacy Commissioner of Canada (OPC), however. The following questions may be asked: how sensitive is the private information? For example, is the information in question medical information, financial payment information, or certain government information such as a social insurance number? And what is the likelihood that the information that was hacked will be abused?

WHO TO NOTIFY AND WHAT TO SAY

If you conclude there is significant harm from the data breach, you will then have to notify both the OPC and the affected individuals.
With respect to the former, here is what you'll have to cover in your notice: what caused the security breach, and the circumstances surrounding it; the timeline for the breach; the particular types of personal information that were accessed as part of the breach; some figures surrounding the number of individuals impacted by the breach, and the degree of real risk of significant harm to them; the measures you are taking to limit the risk of harm, or at least to mitigate the harm to the affected individuals; and how you propose to notify those individuals. You must provide the name of the primary contact who will likely end up liaising with the federal Privacy Commissioner's office.

As for notifying the individuals whose personal information has been compromised, here is what you must mention in that notice: the circumstances of the security breach; when the breach occurred (the day and time period); the personal information that has been compromised; the measures you are taking to reduce the risk of harm, or to mitigate the damages, to the
