According to the Canadian Chamber of Commerce, in 2016, 53% of Canadian businesses were victims of sensitive data loss. In recent years, millions of Canadians discovered that their personal data had been stolen from Bell Canada, Equifax, Uber, CIBC, Winners, and others.
These breaches have led the government to oblige companies to systematically disclose any incidents that may have affected the personal information they hold on their customers.
On November 1, 2018, the Digital Privacy Act will come into force, adding provisions to the Personal Information Protection and Electronic Documents Act, better known by its acronym “PIPEDA”.
Keeping and maintaining a “register”
The Act requires organizations to keep a record of all “breaches of security measures” for 24 months after the date of the breach, which must be available to the Privacy Commissioner at all times.
“Breach of security measures” means any loss, unauthorized access or unauthorized disclosure of personal information. This could be the loss or theft of a USB key, a hard drive or a computer that contained personal information. It could be the discovery of an attempt to hack a server, or of a virus that affected a computer or network on which such data was located. It may also be the discovery that an employee accessed such data without following proper procedures.
Companies must, therefore, document every security problem affecting personal information, whether it is computerized, material or human and whether or not there has been any damage.
Informing the authorities
In addition, an organization must notify the Privacy Commissioner as soon as a breach of security measures could result in “serious harm”.
The definition of “serious harm” is much broader than we might think. It includes “bodily injury, humiliation, damage to reputation or relationships, financial loss, identity theft, adverse effect on the credit file, property damage or loss, and loss of employment opportunities or business opportunities or professional activities”.
Your company must, therefore, perform a risk assessment for each incident to determine the harm by considering, in particular, the sensitivity of the personal information in question and the likelihood that the information will be misused.
For example, if you are an SMB, you will have to proceed with notifications if any of the following situations occurs:
- you have discovered a virus affecting the server or computer where your database is located;
- your website has been the victim of a hacking attempt;
- an employee did not follow a procedure;
- a former employee took personal data with them.
Of course, there are many situations that could lead to “security breaches” in organizations collecting personal information, and a complete enumeration of such situations is impossible.
Notifying those affected
When you discover that an incident may have resulted in the disclosure of personal data, you must inform everyone whose data has been compromised, even if you are not certain that their data was actually disclosed.
It is never pleasant to tell customers that you have mismanaged their information and that it may have been compromised. But if it is done the right way and, most importantly, quickly, your customers will appreciate your diligence in sparing them the consequences.
The content of the notifications
Notices informing the data subject and the Privacy Commissioner of the breach must contain specific information that lets them understand the measures to be taken to reduce the risk of harm. The notice to your customers must include the following, at the very minimum:
- the circumstances of the incident;
- the date or period of the incident;
- the nature of the personal information affected by the incident;
- what steps the organization has taken to reduce the risk of harm;
- measures that any interested party can take to reduce the risk of harm;
- contact information allowing the individual to inquire further about the incident.
The notice to the Commissioner must contain the same information and, in addition, the number of individuals affected by the breach.
Aligning with Europe’s GDPR
These latest amendments are binding on businesses, but by adopting them, Canada moves closer to the obligations imposed in Europe since May 25 by the GDPR, which will facilitate the transfer of information between European organizations and Canadian ones.
In all things security, prevention has always been the best form of protection. Auditing your personal information management policies and practices as part of implementing a Canadian Anti-Spam Act compliance program is both a practical and a cost-effective way to get up to speed quickly, and to protect yourself from lawsuits, fines and other obligations that could greatly affect the trust your clients place in you and your business.