
Déjà Vu – Canada’s Breach Reporting and Notification Requirements

On September 2, 2017, the Ministry of Innovation, Science and Economic Development Canada (ISED) published draft Breach of Security Safeguards Regulations. The draft Regulations will be open for comment for 30 days. If the Regulations are not further amended by ISED, they may be registered and republished. ISED has stated that there will be a delay between finalizing the Regulations and their coming into force to permit organizations time to implement any necessary organizational changes.

ISED has drafted Regulations that hew close to the similar regulations under Alberta’s Personal Information Protection Act. Far from being unsettling, this sense of déjà vu will be welcome for organizations concerned about coping with divergent requirements.

However, there are still some important differences to note:

1.  Reporting to the regulator can focus on the cause of the breach rather than speculate about the harm

The content of the report to the Office of the Privacy Commissioner of Canada (OPC) tracks fairly closely to the content required under Alberta’s law. Perhaps as a matter of clarification more than a substantive difference, the federal Regulations specify that the report should include the “cause” of the breach if known. However, one significant difference is that organizations are not required to speculate about the potential harm to individuals. This will be highly appreciated by organizations that have had to deal with Alberta’s law.

2.  Organizations must make it easy for individuals to get information or to complain

The content of the notices to individuals of a breach is also similar to that required in Alberta. However, ISED has included some consumer-friendly requirements. First, individuals must be given a toll-free number (or an email address) through which they can reach someone who can answer questions on behalf of the organization. Second, individuals must be informed about the organization’s internal complaint process. Finally, individuals must be advised of their right to complain to the OPC about the breach.

3.  There is flexibility with respect to the manner of reporting

The federal Regulations specifically provide that notices to individuals can be provided:

  • by email or other secure forms of communication (to which the individual has consented)
  • by letter
  • by telephone
  • in person

Moreover, organizations can opt for indirect notification (without having to pre-clear this with the OPC) if direct notification would cause harm to the individual, the cost of direct notification would be prohibitive to the organization, or the organization does not have current contact information. Indirect notification can be made by conspicuous posting of the notice on the organization’s website for 90 days (or more) or by means of an advertisement that is likely to reach the affected individuals.

4. Record-keeping is much less onerous than feared

One difference between the Alberta law and the federal Personal Information Protection and Electronic Documents Act (PIPEDA) is that PIPEDA requires an organization to maintain a record of every breach of security safeguards, even if that breach does not result in a real risk of significant harm to an individual.

ISED has heard the concerns raised by organizations about this provision. Organizations only need to maintain records for 2 years. The form and content of the records are up to the organization, provided that they contain enough information to allow the OPC to assess whether the organization made any required reports to the OPC and any required notifications to affected individuals. Since a report to the OPC containing the prescribed elements would be sufficient as a record, this appears to mean that the information that must be kept does not need to include a written assessment of the risk of harm.

Read the draft Regulations here.


Who’s Minding The Store?

Late last week, the Office of the Privacy Commissioner of Canada announced a major breach within its own office: the loss of an unencrypted hard drive containing sensitive personal information relating to over 800 of its current and past employees. The loss provides a test for Interim Privacy Commissioner Chantal Bernier, who recently took over the top job on an interim basis from departing Commissioner Jennifer Stoddart.

The Privacy Commissioner’s office announced that the information first went missing in mid-February during an office move, and that the breach was discovered in mid-March. It was not until early April that it was determined that the hard drive contained sensitive financial information, including salaries. Adding insult to injury, some of the missing personal information dated back 12 years. It is not clear what retention period should have applied to the data. Under Privacy Act regulations, the Commissioner would be required to retain the personal information for at least 2 years. Indefinite retention would be contrary to best practices; however, the Privacy Commissioner may be constrained by the provisions of the Library and Archives of Canada Act from destroying the information without the permission of the Librarian and Archivist, depending on the exact nature of the records. The Office of the Information and Privacy Commissioner of Ontario, for its part, is subject to different obligations. In any event, this lengthy retention raises questions about appropriate retention periods and whether the information ought to have been securely destroyed after an applicable retention period expired.

In fairness to the Commissioner’s office, it is believed that the missing information is not accessible without specialized software and technical knowledge, and that the information lost cannot result in identity theft. But it may be a concern to Canadian entities bound by the Personal Information Protection and Electronic Documents Act, as well as by the Privacy Act, to know not only that the breach occurred, but that the Commissioner’s office did not notify employees or the media immediately, and did not file a police report. On the good news front, Commissioner Bernier has stated that the breach gives her better insight into what amount of time is reasonable for an organization to investigate a possible breach prior to taking action.


Supreme Court’s CAFA Ruling May Open Door To Increased State Attorney General Privacy-Related Lawsuits

The Supreme Court’s recent rejection of Class Action Fairness Act (“CAFA”) jurisdiction over parens patriae suits (suits brought by state attorneys general on behalf of the state or the state’s citizens in general) will likely increase the filing of such suits asserting the claims and rights of individual citizens of the state, including claims for monetary damages. Such lawsuits, which are often prosecuted by private class counsel pursuant to contingency fee retainer agreements with the state attorney general, are becoming an increasingly common method of avoiding the impact of CAFA and of recent pro-defendant class action rulings by the Supreme Court under the federal class action rule.

The Mississippi v. AU Optronics Corp. case decided by the Supreme Court involved claims filed by the state attorney general (through private retained counsel pursuant to a contingency-fee agreement) alleging price fixing in the liquid crystal display (LCD) market. Those claims largely mirrored the claims made in a private class action that was settled by the defendants in a series of agreements for a total of approximately $1.1 billion (a settlement reached after more than 100 putative private class actions were filed asserting essentially the same claims against various groups of defendants). The Mississippi suit sought money damages in the form of restitution based on the same purchases that would have been covered (and released) by the private class action settlements.

Given the increase in high-profile data breaches, it is likely that these parens patriae suits will expand into the privacy realm. A coalition of state attorneys general has already formed to investigate the recent Target breach. Additionally, the parens patriae loophole to CAFA may ultimately allow private class attorneys to bring data breach damages claims in state court, not only allowing the litigation to remain in what class counsel may view as a more plaintiff-friendly jurisdiction, but also potentially avoiding the biggest obstacle to such suits thus far: federal decisions dismissing such cases for lack of the injury-in-fact required for Article III standing. Indeed, most legal analysts discussing customer class actions against Target have made this very point, a point that may become moot if state attorneys general simply file essentially the same claims as part of a parens patriae action.


A Cautionary Tale on Slow Data-Breach Response

California Attorney General Kamala Harris has sued Kaiser Foundation Health Plan over what the state considers a too-slow data breach notification. California’s breach notification law requires notification of affected individuals “in the most expedient time possible and without unreasonable delay.” Kaiser notified individuals of the breach in March 2012, but California alleges in its complaint that Kaiser had sufficient information to notify them between December 2011 and February 2012.

Story here


The Importance of Policies

A recent settlement with the US Department of Health and Human Services Office for Civil Rights (OCR) demonstrates the importance of privacy and security policies, even where no other violation of the regulations occurs. APDerm, a Massachusetts-based dermatology practice, agreed to pay $150,000 to settle claims that it violated HIPAA and HITECH regulations by failing to have breach notification policies and procedures in place.

OCR began an investigation of APDerm after receiving a report of a lost USB thumb drive that may have contained the PHI of up to 2,200 individuals. Although the investigation uncovered no evidence of actual harm or that the PHI had been accessed, and APDerm had notified potentially affected individuals in a timely manner, APDerm had no written policies and procedures implementing the breach notification rule and had not trained its workforce members on it, among other alleged HIPAA violations.

Story here
