Privacy breach: Reporting is mandatory. Are you ready?
What you need to know with the new provisions now in force.
The government released new provisions that came into force on Nov. 1.
Any manufacturer holding private information of an employee, client or customer that experiences a digital breach must report the incident according to PIPEDA rules. Here’s what the changes mean for your business.
Which breaches must be disclosed? Both affected individuals and the privacy commissioner are to be notified when breaches pose a “real risk of significant harm.” Significant harm is defined as a risk of bodily harm, humiliation, financial loss, identity theft, damage to reputation or relationships, loss of employment or professional opportunities, negative effects on their credit, or damage to/loss of property. Early indications are the privacy commissioner is taking an aggressive stance on what type of data loss meets this standard.
When must breaches be disclosed? When it’s determined a breach has occurred, the affected individuals must be notified “as soon as feasible.”
What should be included in the notifications?
Affected individuals must receive notifications that contain:
• a description of the circumstances of the breach;
• the day or the period during which the breach occurred;
• a description of the personal information that was breached;
• a description of the steps taken to reduce or mitigate the risk of harm to the individual;
• a description of the steps the individual can take to reduce or mitigate the risk of harm;
• a toll-free number or e-mail address the individual can use to learn more about the breach; and
• information about the organization’s internal complaint process, and the individual’s right to file a complaint with the privacy commissioner.
Manufacturers must also provide the privacy commissioner with a written report that describes: the breach and its cause (if it’s known); an estimate of the number of people at risk of significant harm; a description of the personal information that was compromised; details of how the organization is working to resolve the breach and reduce risk of harm; a description of how the organization plans to reach each of the affected individuals; and a contact person who can answer more questions about the breach.
How must individuals be notified? They are to receive notification directly by e-mail, mail, phone or in person. That said, there are three cases where indirect notification is permitted: issuing a direct notification is cost prohibitive; the affected individual would suffer further harm; or the organization doesn’t have direct contact information for the affected individual.
Where direct notification is impossible, manufacturers must still take steps to provide indirect notification – either by posting a “conspicuous message” on the company website for 90 days or by placing an ad likely to reach the affected individuals.
What exposure does a company face? The privacy commissioner may choose to launch an investigation. Similarly, an affected individual may have the right to launch a civil lawsuit, which is why companies are expected to keep records of the breach for two years. Finally, organizations that fail to notify affected individuals following a breach could face financial penalties and legal action.
As data security incidents mount, the likelihood of privacy breaches will only rise. No organization is immune, but robust incident response planning and processes will help your company validate, assess, contain and remedy data breaches with minimal disruption, publicity and cost.
Sandy Boucher is a senior manager, advisory services at Grant Thornton LLP, a Canadian accounting, tax and advisory firm. Call (416) 369-7027. E-mail Sandy.Boucher@ca.gt.com. Visit www.grantthornton.ca.