November 1, 2018, was the enforcement date of a new addendum to the Personal Information Protection and Electronic Documents Act (PIPEDA), called the Electronic Documents Act (EDA).
The EDA addendum was designed so that organizations subject to PIPEDA are now required to comply with mandatory reporting of information and/or data breaches. Businesses across the country were required to make the necessary preparations; however, many have not complied and must now take this as a call to action. Below we have detailed exactly what your company needs to know, and do.
PIPEDA is a Canadian privacy law for private sector organizations which came into force in January 2001. The law sets out rules that organizations in the private sector must follow whenever they collect, use or disclose personal information in the course of their commercial activities.
Canada’s Digital Privacy Act received Royal Assent in June of 2015, and sets out the general rules that private sector organizations must follow in case of a data breach. The DPA is an amendment to PIPEDA.
On April 18th, 2018, the Government of Canada published the “Breach of Security Safeguards Regulations” in the Canada Gazette. This resource details the DPA’s rules and regulations that private sector organizations must follow in case of a data breach. The Government of Canada followed the publication with an order setting November 1, 2018 as the enforcement date under the DPA, to allow businesses time to adjust information systems, procedures and practices, and to train employees.
Under the DPA, deliberate failure to report a data breach to the Privacy Commissioner of Canada and deliberate failure to notify potentially affected individuals are considered separate offences, each subject to a separate fine of up to $100,000.
Here is a succinct review of your new obligations:
The latter obligation bears repeating, as the DPA considers the deliberate failure to keep (or the destruction of) data breach records as an offense. Violators will be subject to a fine of up to $100,000.
B. Notification to Affected Individual
The DPA regulations mandate that the affected individual or individuals must be notified about the breach “as soon as feasible”. In terms of content, the required notification to affected individuals is similar to the content of the data breach report to the Privacy Commissioner of Canada.
Under the DPA regulations, notifying the affected individual can be done through direct or indirect means. Direct notification under the regulations refers to telephone, mail, email or in-person communications; while indirect notification refers to public announcements that could reasonably be expected to reach the affected individual or individuals.
Indirect notification is allowed under the regulations when any of the following conditions is present:
The Government of Canada, in a statement, said that the mandatory data breach reporting has social, economic and public security benefits.
The Canadian Government said that, in terms of social benefits, mandatory breach reporting allows affected individuals to take immediate action to protect themselves; in terms of economic benefits, mandatory breach reporting creates certainty across the marketplace about how organizations notify affected individuals; and in terms of public security benefits, mandatory breach reporting contributes positively to the security of individuals and the cybersecurity readiness of businesses in Canada.
We encourage you to become well versed in the 2018 PIPEDA update by reviewing this information. However, the best way to hedge the risk of violating the new rules and regulations on mandatory breach reporting is to not get breached in the first place.
How do you accomplish this? Through the following:
As one of the country’s premier MSPs, SIRKit has extensive experience in helping organizations institute exacting cyber security protocols that also adhere to compliance laws in Canada, the U.S. and overseas. Contact SIRKit to learn more.