Déjà Vu – Canada’s Breach Reporting and Notification Requirements

On September 2, 2017, the Ministry of Innovation, Science and Economic Development Canada (ISED) published draft Breach of Security Safeguards Regulations. The draft Regulations will be open for comment for 30 days. If the Regulations are not further amended by ISED, they may be registered and republished. ISED has stated that there will be a delay between finalizing the Regulations and their coming into force to permit organizations time to implement any necessary organizational changes.

ISED has drafted Regulations that hew closely to similar regulations under Alberta’s Personal Information Protection Act. Far from being unsettling, this sense of déjà vu will be welcome for organizations concerned about coping with divergent requirements.

However, there are still some important differences to note:

1. Reporting to the regulator can focus on the cause of the breach rather than speculate about the harm

The content of the report to the Office of the Privacy Commissioner of Canada (OPC) tracks fairly closely to the content required under Alberta’s law. Perhaps as a matter of clarification more than a substantive difference, the federal Regulations specify that the report should include the “cause” of the breach if known. One significant difference, however, is that organizations are not required to engage in speculation about the potential harm to individuals. This will be highly appreciated by organizations that have had to deal with Alberta’s law.

2. Organizations must make it easy on individuals to get information or to complain

The content of the notices to individuals of a breach is also similar to that required in Alberta. However, ISED has included some consumer-friendly requirements. First, individuals must be given a toll-free number (or an email address) to contact someone who can answer questions on behalf of the organization. Second, individuals must be informed about the organization’s internal complaint process. Finally, individuals must be advised of their right to complain to the OPC about the breach.

3. There is flexibility with respect to the manner of reporting

The federal Regulations specifically provide that notices to individuals can be provided:

  • by email or other secure forms of communication (to which the individual has consented)
  • by letter
  • by telephone
  • in person

Moreover, organizations can opt for indirect notification (without having to pre-clear this with the OPC) if direct notification would cause harm to the individual, the cost of direct notification would be prohibitive to the organization, or the organization does not have current contact information. Indirect notification can be made by conspicuous posting of the notice on the organization’s website for 90 days (or more) or by means of an advertisement that is likely to reach the affected individuals.

4. Record-keeping is much less onerous than feared

One difference between the Alberta law and the federal Personal Information Protection and Electronic Documents Act (PIPEDA) is that PIPEDA requires an organization to maintain a record of every breach of security safeguards, even if that breach does not result in a real risk of significant harm to an individual.

ISED has heard the concerns raised by organizations about this provision. Organizations only need to maintain records for 2 years. The form and content of the records are up to the organization, provided that they contain enough information to allow the OPC to assess whether the organization was making any required reports to the OPC and required notifications to affected individuals. Since a report to the OPC containing the prescribed elements would be sufficient as a record, this appears to mean that the information that must be kept does not include a written assessment of the risk of harm.

Read the draft Regulations here.

Data processors under the GDPR

In our monthly GDPR Updates we discuss various key issues of the General Data Protection Regulation (EU) 2016/679 (the GDPR), which applies from 25 May 2018. With the introduction of the GDPR, the existing Directive 95/46/EC and its implementation in the local laws of the various EU Member States will be repealed. The GDPR will bring significant and substantial changes with respect to the processing of personal data. It introduces several new concepts, such as Privacy by Design, Privacy by Default and Data Portability. As the GDPR contains several onerous obligations that require significant preparation time, organisations are advised to commence the implementation process in good time.

We notice that personal data protection is becoming more and more topical within organisations, and that the first steps towards compliance with the GDPR are being taken. Our GDPR Updates illustrate the relevant changes resulting from the GDPR and provide readers with practical recommendations on the implementation of the GDPR within their organisations.

In the August edition of our GDPR Updates we address the position of the data processor. Under the GDPR the data processor is given certain specific responsibilities, meaning that it will no longer be only the data controller who is responsible for compliance with the privacy regulations. From 25 May 2018, the data processor can also be held liable for not complying with the GDPR requirements and additional legislation relating thereto.

If the data processor falls within the territorial scope of the GDPR (data processors will be confronted with an expansion of the territorial scope of the European privacy regulations), the data processor could face the following obligations:

  • the obligation to designate a representative in the EU if the data processor is not established in the EU but its processing is related to (i) offering of goods and/or services to data subjects in the EU; or (ii) monitoring of data subjects in the EU;
  • complying with the mandatory requirements with regard to the content of the processing agreement as set out in Article 28 GDPR;
  • the obligation to maintain a written record of processing activities. Note that this obligation is not applicable to organisations with fewer than 250 employees, unless (i) the processing is likely to result in a risk to the rights and freedoms of data subjects, (ii) the processing is not occasional, or (iii) the processing includes special categories of data. Data processors that provide services in which the processing of personal data is standard practice (e.g. SaaS, hosting and other cloud service providers) are not likely to fall within the scope of the exceptions and will therefore be obliged to maintain a written record of processing activities;
  • the obligation to designate a data protection officer if (i) the data processor is a public authority or body; (ii) its core activities consist of processing on a large scale of special categories of personal data or data relating to criminal convictions; or (iii) its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; and
  • the obligation to notify the data controller (without undue delay) after becoming aware of a breach of the processed personal data and assist the data controller in ensuring compliance with its subsequent obligations towards the competent supervisory authorities and (where necessary) the data subjects.

Instead of only being contractually liable on the basis of a processing agreement with a data controller, under the GDPR data processors will also be subject to administrative liability in case of non-compliance. Administrative fines can increase up to EUR 20 million or (if higher) 4% of the total worldwide annual turnover of the organisation concerned. In addition to administrative liability and contractual liability towards the data controller, a data processor can be held liable towards data subjects who have suffered damages as a result of a breach of the GDPR by the data processor.

Organisations are advised to carefully examine their positions within the various data processing activities and to make a very clear assessment of the associated responsibilities and obligations. A careful inventory should be made of the parties involved in the various personal data processing activities within an organisation and their roles (data controller, co-controller or joint data controller, data processor, sub-processor, et cetera). This is particularly relevant as the division of roles directly influences the responsibilities a party has in the personal data processing activity, as well as the corresponding liability.

Please click here to read the entire August GDPR Update.

New Mexico Becomes 48th State To Enact Data Breach Notification Law

On April 6, 2017, New Mexico became the 48th state to enact a data breach notification law, leaving Alabama and South Dakota as the only two states without such a law. The New Mexico law goes into effect June 16, 2017.

Who Is Covered? Defining “Personal Identifying Information”

The new law applies to any “person that owns or licenses elements that include personal identifying information of a New Mexico resident[.]” The definition of “personal identifying information” largely tracks the definitions adopted by sister states, and includes an individual’s first name or first initial and last name in combination with one or more of the following data elements, when such data elements “are not protected through encryption or redaction or otherwise rendered unreadable or unusable:”

  • social security number;
  • driver’s license number;
  • government-issued identification number;
  • account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person’s financial account; or
  • biometric data.

Biometric data is defined under the new law to mean a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to “uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account[.]” “[E]ncrypted” is defined under the new statute to mean “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security[.]” And “personal identifying information” does not mean information that is “lawfully obtained from publicly available sources or from federal, state or local government records lawfully made available to the general public[.]”

When Is Notification Required?

Defining “Security Breach”

Notification is required under the new law when the “personal identifying information” of a “New Mexico resident” is “reasonably believed to have been subject to a security breach.” The phrase “security breach” is defined under the statute to mean the “unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.” The phrase “security breach” does not include the good-faith acquisition of personal identifying information by an employee or agent of a person for a “legitimate business purpose of the person[,]” so long as the personal identifying information is not subject to further unauthorized disclosure.

45-Day Window

Notice under the new law must be made “in the most expedient time possible, but no later” than 45 calendar days “following discovery of the security breach[.]” Notification may be delayed, however, if a law enforcement agency determines that the notification will impede a criminal investigation, or “as necessary to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system.”

Investigation Defense / Risk Of Harm

Notification is not required if “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.”

What Is Required In The Notice?

If notice is required, the new law provides specific content requirements, including:

  • The name and contact information of the notifying person;
  • A list of the types of personal identifying information that are reasonably believed to have been the subject of a security breach, if known;
  • The date of the security breach, the estimated date of the breach or the range of dates within which the security breach occurred, if known;
  • A general description of the security breach incident;
  • The toll-free telephone numbers and addresses of the major consumer reporting agencies;
  • Advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach; and
  • Advice that informs the recipient of the notification of the recipient’s rights pursuant to the federal Fair Credit Reporting Act.

Are There Exemptions?

Yes. The new law does not apply to covered persons subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.

Do The Attorney General And Credit Reporting Agencies Require Notification?

Yes. If notice goes out to more than 1,000 New Mexico residents “as a result of a single security breach” the covered person must “notify the office of the attorney general and major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p)[.]” Such notice must be made “in the most expedient time possible,” but no later than the same time that notice goes out to the impacted resident – 45 calendar days. Such notice must “notify the attorney general of the number of New Mexico residents that received notification” and “shall provide a copy of the notification that was sent to affected residents within” 45 calendar days “following discovery of the security breach[.]”

Is There A Private Right Of Action?

No. The new law only allows for an enforcement action brought by the attorney general. And in such cases, the attorney general may seek injunctive or compensatory relief. If the court determines the person violated the new law “knowingly or recklessly,” the court may also impose a civil penalty of the greater of $25,000 or, in the case of failed notification, $10.00 per instance of failed notification up to a maximum of $150,000.

5 Takeaways

  1. Encryption is key. The new law contains a safe harbor provision for encrypted data, so long as the encryption key is not compromised. Unlike Tennessee’s recent revisions, the new law does not prescribe a specific encryption method or standard.
  2. Investigation is key. Conducting an adequate and thorough investigation at the outset of a breach is critical under the new law. Conducting such an investigation will provide for extra time to complete notification, if required. It will also allow for non-notice if the investigation determines the security breach “does not give rise to a significant risk of identity theft or fraud.”
  3. Consider involving law enforcement. It may seem counterintuitive, but involving law enforcement early in a data breach case may provide extra time on notification. The federal government, and particularly the FBI and DHS, also actively encourage private businesses to reach out in the case of a data breach. Where a single breach affects more than 1,000 New Mexico residents, however, notice to the New Mexico attorney general is required.
  4. Time is of the essence. The new law provides a 45 calendar day window to effectuate notice to both residents and law enforcement, when required. That means investigations need to be undertaken immediately, and without delay.

The Dentons Privacy and Cybersecurity Group is prepared to help you and your business navigate this new law, address your encryption issues, and help conduct the investigations required once a breach occurs.

Tennessee Adds New Encryption And Timing Requirements To Its Data Breach Notification Law

On April 4, 2017, Tennessee Governor Bill Haslam signed into law an amendment to the state’s data breach notification law, making two substantive changes to the statute:

  1. Adding a technically specific safe harbor encryption provision; and
  2. Adding a 45-day window to complete breach notification, when required.

Overall Summary of Breach Notification Law

Tennessee’s data breach notification law applies to any person or business conducting business in Tennessee that owns or licenses computerized data that contains “personal information.” “Personal information” is defined under the statute as a person’s first name or initial and last name combined with:

  • Social security number;
  • Driver’s license number; or
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Covered entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 or the Health Insurance Portability and Accountability Act of 1996, as expanded by the Health Information Technology for Economic and Clinical Health Act, are exempt from the law.

The statute requires covered entities to disclose a “breach in the security of the system” to any resident of Tennessee whose personal information was, or is reasonably believed to have been, acquired by an “unauthorized person.”

New Encryption Requirements

Under the new law, the phrase “breach in the security of the system” has been amended to read “breach of system security,” and is defined to mean the acquisition by an unauthorized person of (1) unencrypted computerized data, or (2) encrypted computerized data together with the encryption key, that contains personal information and that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. The new statute defines “encrypted” to mean “computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2[.]” FIPS 140 is a US government standard that defines minimum security requirements for cryptographic modules in products and systems, as set forth in Section 5131 of the Information Technology Management Reform Act of 1996. Therefore, under the new amendment, if the information acquired was encrypted in accordance with the FIPS 140-2 standard and the encryption key was not compromised, notification is likely not required.

Notification Clarification

The new amendment also imposes a specific time frame for completing notification, when required. Disclosure now must be made no later than 45 days from the discovery or notification of the “breach of system security,” unless a longer period of time is required due to the legitimate needs of law enforcement. Specifically, notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. This change makes Tennessee the eighth state to enact a statute that puts a specific time period on the notification requirement. The majority of states only require notification in the “most expedient time possible” or “without unreasonable delay.”

Takeaways

Cyber threat preparation and monitoring remain the first and best line of defense against data breaches. Dentons helps companies prepare for breaches by formulating written incident response plans, conducting table-top exercises with key members of the incident response teams, and advising companies on compliance with data breach notification requirements, such as the new requirements now applicable in Tennessee. Our team is ready to help you or your business navigate this complicated area of the law, and to help with the growing need to meet encryption requirements.

Colorado Proposes New Cybersecurity Rules For Financial Advisers

Earlier this month, the Colorado Division of Securities released a set of proposed changes to the Colorado securities laws that would, if adopted, impose strict cybersecurity requirements on investment advisers and broker-dealers, and require both to: (1) establish and maintain written procedures designed to ensure cybersecurity; and (2) include cybersecurity as part of their risk assessment.

If adopted, the new rules would make Colorado the second state in recent months to adopt strict cybersecurity rules relating to the financial industry. Last month, the New York Department of Financial Services imposed new cybersecurity rules on financial institutions operating in the state. Those rules did not, however, apply to investment advisers and broker-dealers.

Overview of Colorado Proposed Rules

The new proposed Colorado rules would add Rule 51-4.8, entitled “Broker-Dealer Cybersecurity,” and Rule 51-4.14(IA), entitled “Investment Adviser Cybersecurity,” to the Colorado Division of Securities Rules found within the Code of Colorado Regulations. The new rules, according to the Colorado Division of Securities, would “clarify what a broker-dealer and investment adviser must do in order to protect information stored electronically.” According to the Division, the rules are intended to provide “guidance to broker-dealers and investment advisers on what factors the Division will consider when determining if the procedures by the firm are reasonably designed to ensure cybersecurity.”

Both rules contain the same language, and require broker-dealers and investment advisers to establish and maintain written procedures “reasonably designed to ensure cybersecurity.” To determine whether the cybersecurity procedures are reasonably designed, the proposed rules state that the Colorado Securities Commissioner will consider:

  • The firm’s size;
  • The firm’s relationship with third parties;
  • The firm’s policies, procedures, and training of employees with regard to cybersecurity practices;
  • Authentication practices;
  • The firm’s use of electronic communications;
  • The automatic locking of devices used to conduct the firm’s electronic security; and
  • The firm’s process for reporting of lost or stolen devices.

The cybersecurity procedures must also provide for:

  • An annual cybersecurity risk assessment;
  • The use of secure email, including use of encryption and digital signatures;
  • Authentication practices for employee access to electronic communications, databases and media;
  • Procedures for authenticating client instructions received via electronic communication; and
  • Disclosure to clients of the risks of using electronic communications.

Interplay with Federal Law

The Securities and Exchange Commission (SEC) requires financial advisers to have written policies on preventing, detecting and responding to cyberattacks. It does not, however, have a requirement for an annual cybersecurity risk assessment, as the Colorado rules propose. The Financial Industry Regulatory Authority (FINRA) also has issued guidelines to member firms. And late last year, FINRA hit 12 firms with a $14.4 million fine relating to the retention of broker-dealers’ and customers’ electronic records. The new proposed Colorado rules would add additional requirements.

Next Steps

A public hearing discussing the proposed rule changes is being held at 9:00 am on Tuesday, May 2, 2017 at the Colorado Department of Regulatory Agencies in Denver, Colorado. At the public hearing, interested parties will be afforded an opportunity to be heard and submit written data, views and arguments. Information and materials relating to the proposed rules will be available online at least five days prior to the public hearing.

The Dentons Privacy and Cybersecurity Group will continue to monitor these rule changes for further development, and is available to help you or your firm navigate this rapidly changing area of the law.
