Security breach notification soon becoming mandatory in Canada 


April 2013

Privacy Law Bulletin

Businesses are not protected from incidents that may lead, for example, to forgetting documents or devices containing personal information in a public place, sending business correspondence to the wrong destination, insecure storage of material containing personal information by a service provider mandated to destroy it, or loss and theft of confidential documents. Security breaches leading to a loss of personal information or to unauthorized access, use or disclosure, may be triggered by a problem in the information technology system of an organization or by a simple error or human negligence.

With security breaches being on the rise, the requirement to have organizations notify the relevant privacy commissioners and affected individuals upon a security breach taking place is becoming increasingly important. Individuals, once notified, will be in a better position to address the potential risks of harm resulting from such breaches. For instance, if they are aware that their financial information has been compromised or disclosed to an unauthorized third party, they will ensure to monitor their banking statements and credit scores.

In Canada, the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") sets out ground rules for how private sector organizations may collect, use and disclose personal information in the course of commercial activities. The federal government may exempt organizations or activities in provinces that have their own data protection laws if they are substantially similar to the federal law. The provinces of British Columbia, Alberta and Quebec have enacted their own provincial data protection laws which have been recognized as substantially similar to PIPEDA; these provincial data protection laws therefore operate in place of PIPEDA in those three provinces for intra-provincial matters.

The only Canadian jurisdiction that has made security breach notification mandatory so far is Alberta, although in other Canadian jurisdictions, it seems like things are about to change. In Québec, the Commission d'accès à l'information du Québec ("CAI") in its 2011 Quinquennial Report entitled "Technology and Privacy, in a Time of Societal Choices" recommends to include, in both its public sector and private sector data protection laws, mandatory security breach reporting.

At the federal level, a first attempt in proposing the amend PIPEDA to include a breach notification obligation was initially introduced through Bill C-29 in May 2010 which died when the election was called in spring 2011. Bill C-12, which was identical to C-29, was then introduced in September 2011 but has not been moved forward.

Thankfully, an even better proposal which has received the support of various industry players such as, the Union des consommateurs as well as the CIPPIC (the Canadian Internet Policy and Public Interest Clinic) has now been introduced by NDP Member of Parliament Charmaine Borg last February. The private member's Bill C-475, an Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), adds clear and mandatory security breach disclosure requirements to the federal law PIPEDA along with new order making power backed by significant penalties for compliance failures.

Under such proposed Bill C-475, an organization having personal information under its control would have to notify the Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the security breach. The notification would have to be made without unreasonable delay after the discovery of the breach. Upon the receipt of the notification, the Commissioner may require the organization to notify without unreasonable delay affected individuals to whom there is an appreciable risk of harm as a result of the breach (although nothing would preclude an organization from notifying affected individuals of the breach on a voluntary basis). The notification to the affected individuals of the loss or disclosure of, or unauthorized access to, their personal information would have to include a report of the risk of harm as it pertains to the affected individuals as well as instructions for reducing the risk of harm or mitigating that harm.

Until these proposed amendments are incorporated in the current Quebec public and private sector data protection laws and PIPEDA, both jurisdictions have adopted security breach guides. More specifically, the Quebec CAI has made available on its website a document entitled "Que faire en cas de perte ou de vol de renseignements personnels?" and the federal Office of the Privacy Commissioner has also adopted a guide entitled "Keys Steps in Responding to Privacy Breaches" which provides guidance for businesses on how to handle these breaches.

Mandatory security breach reporting is crucial as it can serve to strengthen public confidence in the public bodies and businesses that hold their personal information and it can allow the respective privacy commissioners to better play their oversight roles. Notification can also be an important mitigation strategy that has the potential to benefit both the organisation and the individuals affected by a security breach.

by Éloïse Gratton

a cautionary note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2013