BreachExchange mailing list archives

Canada: Security Breach Notification Soon Becoming Mandatory In Canada


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Mon, 22 Apr 2013 09:58:11 -0400

http://www.mondaq.com/canada/x/234780/Antitrust+Competition/Security+Breach+Notification+Soon+Becoming+Mandatory+In+Canada

No business is immune to incidents such as documents or devices
containing personal information being left behind in a public place,
business correspondence being sent to the wrong destination, insecure
storage of material containing personal information by a service
provider mandated to destroy it, or the loss or theft of confidential
documents. Security breaches leading to a loss of personal information,
or to its unauthorized access, use or disclosure, may be triggered by a
problem in an organization's information technology systems or by a
simple error or human negligence.

With security breaches being on the rise, the requirement to have
organizations notify the relevant privacy commissioners and affected
individuals upon a security breach taking place is becoming
increasingly important. Individuals, once notified, will be in a
better position to address the potential risks of harm resulting from
such breaches. For instance, if they are aware that their financial
information has been compromised or disclosed to an unauthorized third
party, they will make sure to monitor their banking statements and
credit scores.

In Canada, the federal Personal Information Protection and Electronic
Documents Act ("PIPEDA") sets out ground rules for how private sector
organizations may collect, use and disclose personal information in
the course of commercial activities. The federal government may exempt
organizations or activities in provinces that have their own data
protection laws if they are substantially similar to the federal law.
The provinces of British Columbia, Alberta and Quebec have enacted
their own provincial data protection laws which have been recognized
as substantially similar to PIPEDA; these provincial data protection
laws therefore operate in place of PIPEDA in those three provinces for
intra-provincial matters.

The only Canadian jurisdiction that has made security breach
notification mandatory so far is Alberta, although in other Canadian
jurisdictions, things appear to be about to change. In Québec, the
Commission d'accès à l'information du Québec ("CAI"), in its 2011
Quinquennial Report entitled "Technology and Privacy, in a Time of
Societal Choices", recommends including mandatory security breach
reporting in both its public sector and private sector data protection
laws.

At the federal level, a first attempt at amending PIPEDA to include a
breach notification obligation was introduced through Bill C-29 in May
2010, which died when the election was called in spring 2011. Bill
C-12, which was identical to C-29, was then introduced in September
2011 but has not been moved forward.

Thankfully, an even better proposal, which has received the support of
various industry players such as Openmedia.ca, the Union des
consommateurs and the CIPPIC (the Canadian Internet Policy and Public
Interest Clinic), was introduced by NDP Member of Parliament Charmaine
Borg last February. The private member's Bill C-475, an Act to amend
the Personal Information Protection and Electronic Documents Act
(order-making power), adds clear and mandatory security breach
disclosure requirements to the federal law PIPEDA, along with new
order-making power backed by significant penalties for compliance
failures.

Under such proposed Bill C-475, an organization having personal
information under its control would have to notify the Commissioner of
any incident involving the loss or disclosure of, or unauthorized
access to, personal information, where a reasonable person would
conclude that there exists a possible risk of harm to an individual as
a result of the security breach. The notification would have to be
made without unreasonable delay after the discovery of the breach.
Upon the receipt of the notification, the Commissioner may require the
organization to notify without unreasonable delay affected individuals
to whom there is an appreciable risk of harm as a result of the breach
(although nothing would preclude an organization from notifying
affected individuals of the breach on a voluntary basis). The
notification to the affected individuals of the loss or disclosure of,
or unauthorized access to, their personal information would have to
include a report of the risk of harm as it pertains to the affected
individuals as well as instructions for reducing the risk of harm or
mitigating that harm.

Until these proposed amendments are incorporated in the current Quebec
public and private sector data protection laws and PIPEDA, both
jurisdictions have adopted security breach guides. More specifically,
the Quebec CAI has made available on its website a document entitled
"Que faire en cas de perte ou de vol de renseignements personnels?"
and the federal Office of the Privacy Commissioner has also adopted a
guide entitled "Key Steps in Responding to Privacy Breaches", which
provides guidance for businesses on how to handle these breaches.

Mandatory security breach reporting is crucial as it can serve to
strengthen public confidence in the public bodies and businesses that
hold their personal information and it can allow the respective
privacy commissioners to better play their oversight roles.
Notification can also be an important mitigation strategy that has the
potential to benefit both the organisation and the individuals
affected by a security breach.

The foregoing provides only an overview. Readers are cautioned against
making any decisions based on this material alone. Rather, a qualified
lawyer should be consulted.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
