Rules tighten for reporting data breaches

If there is a ‘real risk of significant harm,’ breaches must be reported

Thousands of CBC employees suffered a major data breach earlier this year. Credit: Google Street View

As of Nov. 1, 2018, the Personal Information Protection and Electronic Documents Act (PIPEDA) will require federally regulated organizations to provide notifications when it is reasonable to believe that a breach of security safeguards involving an employee’s personal information creates a real risk of significant harm to the individual.

The breach will need to be reported to the Privacy Commissioner of Canada, and the employer in question will have to notify affected individuals, as well as any other organization or government institution that may be able to reduce the risk of harm. Organizations that knowingly fail to comply with the new requirements could face fines of up to $100,000.

“Breach reporting requirements of PIPEDA were actually passed in June of 2015 with the Privacy Act, but the reporting and notification provisions don’t come into force until Nov. 1 because the government was formulating a set of regulations to accompany the change in the law,” said Wendy Wagner, partner at Gowling’s Ottawa office, and leader of the firm’s privacy and data protection group.

Lost laptops, hackers

PIPEDA defines a “breach of security safeguards” as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards… or from a failure to establish those safeguards.”

In the workplace, breaches can happen in many ways.

“You hear so much about cybersecurity and hacking and sophisticated criminal intrusion into IT systems,” said Wagner.

“Those do happen, but the reality is most data breaches are caused by leaving laptops in vehicles and having them stolen, or loss of data keys, or less sophisticated electronic attacks like phishing.”

“I’ve heard statistics that say in excess of 80 per cent of all data breaches are actually caused by employee inadvertence or accidental loss of info.”

Some people think it’s OK to share passwords with a colleague, but there have been reported cases in Alberta where that practice has led to breaches, said Lyndsay Wasser, a partner in employment and labour relations and co-chair of privacy and data protection at McMillan in Toronto.

Still, other breaches are more intentional.

“Employee snooping can be a real problem in some organizations,” she said. “Employees might disclose personal information about others to colleagues who don’t have any need to (see) that information for their employment duties.”

Occasionally, external parties go to great lengths to access data, said David Fraser, privacy and technology lawyer at McInnes Cooper in Halifax.

“Every organization has vulnerabilities,” he said. “Someone wanting to gain access to data might dress up like a technician and walk out with a laptop under his arm… Or someone will claim to be calling from the help (desk) and ask you to help them remotely access your computer so they can resolve a problem.”

Considering risks

If an organization’s breach assessment indicates there is a “real risk of significant harm,” the breach must be reported to Canada’s privacy commissioner, whether it affects one person or 1,000 people, according to the updated legislation. The employer is also required to notify affected individuals.

Deciding whether a given breach creates a real risk of significant harm involves some judgment. PIPEDA directs organizations to weigh the sensitivity of the personal information involved and the probability that it has been, is being or will be misused, and Canada’s privacy commissioner has offered examples of information whose compromise would generally qualify, including health information, financial information and sensitive identifiers such as social insurance or passport numbers.

“Generally, there’s just an assessment based on the level of risk associated with the loss of that info,” said Wagner.

“For example, a breach of health information can affect employment, reputation, finance. And loss of financial information can lead to fraud and impact credit ratings.”

Employers will have to have a system in place to determine if the thresholds have been met for reporting, said Fraser.

“Somebody is going to determine whether the breach creates real risk of significant harm, and they’re going to need to be consistent about that, following the guidelines.”

Even if a breach doesn’t reach the level of risk at which employers must report it or notify individuals, organizations must still keep a record of every breach of security safeguards, said Wagner. Under the accompanying regulations, those records must be retained for 24 months after the organization determines that a breach occurred.

And staff will need to be trained on how to prepare and secure those records.

“It’s important to make sure access to those records is properly restricted,” said Wasser. “They also shouldn’t contain any confidential information, but should contain all the information the privacy commissioner will be looking for… Under the new legislation, the commissioner can demand access to those records.”

Employers should seek legal advice in the event of a breach, particularly when preparing records that may have to be provided to the commissioner, said Fraser.

“These records you keep for the privacy commission inspection are not privileged, so they need to be pretty carefully prepared so as not to include extraneous information that could come back to haunt you.”

Policy, training changes

While it’s important to develop policy and procedures around data security and data breaches, organizations should conduct a big-picture assessment first, said Wagner.

“Even before the formulation of a policy, know where personal information resides within the organization, who has access to it, how sensitive that information is, how it’s communicated to employees and how they are trained with respect to protection of that personal information,” she said. “You can’t figure out where the gaps are until you know what you’ve got.”

Employers should also take a look at what physical, organizational and technological safeguards are in place, and consider whether or not they are sufficient, said Wagner.

“Obviously, the goal of most organizations is to prevent breaches so they don’t have anything to record or report, so start with evaluating what’s in place now.”

The second step is remediation: fixing the gaps, which includes making sure the right policies and procedures are in place, she said.

“The policy would be similar to any other internal policies in terms of identifying who in the organization is responsible for various different tasks in the event of a breach incident,” she said.

“It would also include an escalation procedure and identify the different regulators or organizations that would need to be notified in the event of a breach incident, as well as any other steps the organization would take.”

Employee training can prevent breaches, or help workers know how to handle them when they happen, said Wasser.

“It’s important that employees are trained and know how to manage personal information and how to recognize threats like phishing emails,” she said. “Generally, Canadian privacy laws aren’t that prescriptive in terms of what an organization needs to do to protect personal information, but one of the things the privacy commissioners have consistently emphasized is the importance of training — and ongoing training — within an organization. It should be a program of employee training, rather than just one course.”

“From an HR perspective, the most important thing to do right now is put a communication plan in place to make sure employees understand that these obligations are coming into force, and that privacy breaches can lead to reputational damage and class-action litigation,” said Wasser.

Culture shift

For a lot of organizations, this is going to require a culture shift because privacy breaches, even small ones, often happen all over an organization, said Fraser.

“Even if the breach seems trivial — someone on a plane sees an employee’s laptop screen or an employee leaves a file with sensitive data on his desk overnight — every single one of those events is going to need to be documented.”

Encouraging employees to come forward and report breaches as they happen will require a fine balance, he said.

“Organizations will need to be able to take appropriate disciplinary measures when necessary, but also have a culture where employees feel like they can report a breach, rather than cover it up,” said Fraser.

“Ideally, there is a culture that reduces the risk in the first place, lets employees know what their responsibilities are for reporting, and empowers them to do that without fear of unreasonable reprisals.”

Melissa Campeau is a freelance writer based in Toronto.
