Insurance Insights

Government of Canada’s Proposed Data Breach Reporting Requirements


In 2015, the Digital Privacy Act amended the Personal Information Protection and Electronic Documents Act (PIPEDA) to establish new data breach reporting requirements. Recently, the Government of Canada released the proposed Breach of Security Safeguards Regulations. Under these proposed regulations, all organizations would be required to disclose when they have suffered a data breach, both by notifying affected individuals and by reporting to the Office of the Privacy Commissioner of Canada (OPC).

According to the proposed regulations…

Notification to affected individuals must include:

  • a description of the circumstances of the breach
  • the day(s) on which the breach occurred
  • the type of personal information that was exposed
  • the steps that the organization has taken to mitigate the potential impact to affected individuals
  • the steps that affected individuals can take to reduce the potential impact on themselves
  • contact information for affected individuals to get further information, either a toll-free number or an email address
  • information on filing a complaint to the organization and their right to complain to the OPC

Notification to the OPC must be in writing and include:

  • a description of the circumstances of the breach and the cause (if identified)
  • the day(s) on which the breach occurred
  • the type of personal information that was exposed
  • an estimate of the number of individuals affected
  • the steps that the organization has taken to reduce the potential impact on affected individuals
  • the steps that the organization has taken/plans to take to notify all affected individuals
  • the name and contact information of a person who can respond to any inquiries that the OPC will have about the breach on behalf of the organization

The regulations allow flexibility in the means by which organizations notify individuals, so that notification can be carried out in the most efficient and secure way possible (e.g. e-mail, letter, telephone, in person). In certain circumstances where contacting affected individuals directly is not feasible or would cause further harm, the organization may be permitted to post a notice on its website for a minimum of 90 days or to notify individuals through an advertisement.

Additionally, organizations would be required to maintain a record of every breach for 24 months after the day it is determined that the breach occurred. The record must contain all information the OPC would need to confirm compliance. The report to the OPC can also serve as the record of the breach.

While an enforcement date has not been announced, it is advised that organizations prepare themselves to ensure they have the capacity to comply when these regulations do come into effect. The proposed regulations follow standard recommended protocols for organizations to minimize the overall damage of a breach.

For more details on the proposed regulations, please see this page on the Canada Gazette. For information and resources on insurance and risk management, please contact us.
