Whenever you suffer a data breach or a hack in Canada you have a responsibility to report this breach to the proper authorities. In the unfortunate situation your company suffers a data breach It’s important that you understand who to report the data breach to as well as the support that you have available to you for getting the breach resolved.
Office of the Privacy Commissioner of Canada (OPC): This is the privacy office that oversees Canada’s major data privacy legislation PIPEDA. The Personal Information Protection and Electronic Document Act (PIPEDA) is a regulatory requirement that applies to private sector organizations that collect personal information in Canada (this includes countries that are headquartered abroad but have a real and substantial business presence in Canada). It’s designed to ensure the protection of personal information in the course of commercial business.
When do I need to report a breach?
PIPEDA requires that you report any breach of security safeguards that involve personal information under your control if you reasonably believe that this breach creates a real risk of significant harm to an individual.
The OPC defines significant harm as the following “includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
PIPEDA has also provided two main factors that you can use to evaluate this risk.
- Sensitivity: While PIPEDA doesn’t give a definition of this, they give the example of things like medical records, income records, ethnic and racial origins, genetic and biometric material as well as an individual’s sex life or sexual orientation. To best determine sensitivity you want to examine what information was breached and the circumstances around it. It also matters how easily this information can be leaked to an individual person.
- Probability of misuse: You want to evaluate how likely it is that someone will be able to use this information to harm someone, commit fraud, is there evidence of malicious intent, who could have accessed this information etc.
How to submit a breach report to the OPC and affected individuals
The process for submitting a report to the OPC is simple, you can submit a breach report to the OPC using the “PIPEDA breach report form” found on their website. When it comes to notifying affected individuals there isn’t one set method but you are required to notify any individual whose personal information has been leaked if you believe it creates a real risk of significant harm to the individual. You are required to notify them directly (telephone, mail, email etc) and it must be conspicuous (not overly legalistic and easily understandable). It should include enough information for the individual to understand the significance of the breach and to take steps to reduce the risk of harm to themselves. The notification to individuals must include the following information:
- a description of the circumstances of the breach;
- the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
- a description of the personal information that is the subject of the breach to the extent that the information is known;
- a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
- a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
- contact information that the affected individual can use to obtain further information about the breach.
Under PIPEDA organizations are required to notify the Privacy Commissioner of Canada and affected individuals “as soon as feasible” whenever there is a data breach that has a “real risk of significant harm”. You are also required to keep a record of each breach of safeguards involving personal information, regardless of if it is reported or has a real risk of significant harm. This record should be kept for at least 24 months.
How to get more free content
If you like this article and would like to read more of our content for cybersecurity insights, tips and tricks feel free to follow us on our social media. If you’re a struggling business owner who needs help in assessing their business’s cybersecurity posture feel free to take advantage of our free introductory assessment and we’ll help you figure out a game plan for keeping your company safe.