On November 1st 2018, the Government of Canada will be enforcing important changes to the Personal Information Protection and Electronic Documents Act (PIPEDA). These amendments will apply to most private-sector organizations conducting commercial activities throughout most of Canada. This motion comes in light of recent adaptations to the United Kingdom’s privacy laws that have emphasized a need for Canadian restructuring.
Canada’s Privacy Commissioner enforces two laws – the Digital Privacy Act of 2015 and PIPEDA. Made under the Digital Privacy Act, changes to PIPEDA include mandatory breach reporting and record keeping. Organizations will be required to report to affected individuals and the Privacy Commissioner on any security breach involving personal information that creates a “real risk of significant harm.”
A recent survey conducted by the federal Privacy Commissioner’s office revealed that most businesses are drastically unprepared to handle this fast-approaching directive. This is a staggering finding considering the substantial number of breaches occurring and the growing number of Canadians who are apprehensive about trusting businesses with their personal data. The survey also found that smaller enterprises were less aware of their privacy obligations than large-scale companies. Regardless of business size, potential fines for non-compliance could reach up to $100,000.
In this series, we will examine the fundamental elements that business owners need to know to successfully adapt and reduce their risk of non-compliance. We will guide you through the impending changes and the challenges they may present to your business. In the coming articles, we will continue to explore the vulnerabilities, reputational consequences and hidden costs of a breach, along with practical preventative strategies. If your business is among the many that are ill-equipped for these changes, let us help you to better understand your roles and responsibilities.
Mandatory Breach Reporting:
Following the date of enforcement, organizations will be required to report to both the Privacy Commissioner’s office and the affected individuals (unless prohibited by law) if a data breach occurs where it is reasonable to believe that it may put the individuals at “real risk of significant harm”. Humiliation, damage to reputation, loss of employment or professional opportunities and identity theft are examples that can be defined as “significant harm”. “Real risk” entails the consideration of the information’s sensitivity, the probability of misuse and any other specified factor.
Written reports to the Privacy Commissioner must describe:
- The cause of the breach (if it can be identified)
- The estimated number of people in danger of significant harm
- The type of information compromised
- The strategies the organization is exercising to resolve the issue
- The plan for notifying affected individuals
- The designated contact person to whom the Privacy Commissioner can direct questions
Notifications to the affected individual must fully detail:
- The circumstances of the breach
- The time period in which the breach occurred
- The personal information that is the subject of the breach
- The steps that the organization has taken to reduce the risk of harm to the affected individual
- The steps that the affected individual could take to reduce the risk of harm or to decrease such harm
- Contact information that the affected individual can use to obtain further information about the breach
- Information about the organization’s internal complaint process and about the affected individual’s right to file a complaint with the Privacy Commissioner
Organizations are compelled by law to act quickly. This intensifies the pressure on businesses to disclose data breaches and provide transparency to their customers and the Privacy Commissioner.
New stipulations require organizations to keep a record of every breach of personal information that happens under their control. It is specified that organizations must maintain a record of every breach of security safeguards for 24 months after the day on which they have determined that the breach occurred. The orderliness and accuracy of these records is crucial, as they must be made available to the Privacy Commissioner to verify compliance. Insufficient record keeping can put companies in jeopardy.
Payment Card Industry Data Security Compliance:
The Payment Card Industry Data Security Standard (PCI DSS) holds all companies to a set of standards for transmitting credit card information. All merchants fall into one of four merchant levels based on the number of transactions they process over a 12-month period. Merchants who have suffered a breach that resulted in the compromise of account data may be escalated to a higher validation level.
Luckily, PCI compliance is relatively simple. A merchant must pass quarterly remote vulnerability scans by Visa and MasterCard on all Internet connection points. A merchant must also successfully complete a security self-assessment questionnaire that provides validation of the safety of their internal practices. As long as you are committed to protecting your customers, compliance is attainable.
In the next article, we will be taking a look at the destructive effects that data breaches can cause for both companies and their trusting customers. We will investigate the legal and reputational penalties at stake during this shift in policy. Is non-compliance a risk that you can afford to take?