Canada’s Breach Notification Regulation Goes into Effect Today

SethJaffe

Back in April, Canada adopted additional regulations under its federal privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The new Breach of Security Safeguards Regulations set out what a mandatory breach report and the related individual notifications must contain, and they go into effect November 1, 2018. The reporting and notification obligations in PIPEDA apply to a breach of security safeguards that it is reasonable to believe creates a real risk of significant harm to an individual. Specifically, a report to Canada’s Office of the Privacy Commissioner must contain:

  • a description of the circumstances of the breach and, if known, the cause;
  • the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
  • a description of the personal information that is the subject of the breach to the extent that the information is known;
  • the number of individuals affected by the breach or, if unknown, the approximate number;
  • a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
  • a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of the Act; and
  • the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

A notification to an individual affected by the data breach must contain:

  • a description of the circumstances of the breach;
  • the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
  • a description of the personal information that is the subject of the breach to the extent that the information is known;
  • a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
  • a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
  • contact information that the affected individual can use to obtain further information about the breach.

The text of the regulation can be found here, along with its accompanying Regulatory Impact Analysis Statement, which clarifies a number of issues, including the meaning of “significant harm.” BakerHostetler’s Melinda McLellan posted additional analysis on the Data Privacy Monitor blog, available here.

Companies maintaining personal data of Canadian residents should review their incident response plans in light of this new law: the plan should identify who assesses whether a breach meets the “real risk of significant harm” threshold, who prepares the report to the Commissioner and the notifications to affected individuals with the contents listed above, and how the organization keeps a record of every breach of security safeguards (the regulations require those records to be retained for 24 months), since the Commissioner may request them.