On November 1, 2018, previously-announced amendments to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) came into force. These new provisions require organizations subject to PIPEDA to give notice of any breach of data security that could reasonably create "a real risk of significant harm to an individual." Such notice must be made as soon as possible after the breach is detected, both to the Privacy Commissioner (using a prescribed form) and to the individual whose personal information was breached. Each such individual must generally be notified directly, although indirect notification (e.g., newspaper or online advertising) can be permitted if direct notification is impossible, impractical or inadvisable.

The amendments define the concept of "real risk of significant harm" very broadly: "significant harm" includes physical, mental, reputational, professional and economic damage, while relevant factors in gauging whether there is a real risk include the sensitivity of the information and the probability of its misuse. As a result, organizations should take great care before deciding that a breach creates no real risk of significant harm and therefore does not trigger the notice requirement. Even if it is determined that no report is required, PIPEDA now requires that organizations keep a record of all breaches for a period of at least 24 months after their detection.

In addition to mandating notice to the Commissioner and to the individuals concerned, PIPEDA now also requires that an organization whose data is breached notify any other organization (including a government institution), if doing so might help reduce or mitigate the risk of harm. For example, a business whose customers' data is stolen may need to contact law enforcement if there is reason to believe that their assistance would be useful in preventing the data from being misused.

The Commissioner has released a helpful guidance document titled "What you need to know about mandatory reporting of breaches of security safeguards", which clarifies the Commissioner's interpretation of certain aspects of the new requirements. Among other things, it takes the position that if data is breached while in the possession of a third-party service provider (e.g., a credit card processor or hosting services provider), the responsibility for reporting the breach generally lies with the organization that originally collected the personal information, rather than with the third party. In addition, the document provides further guidance on what might constitute "sensitive" information, and on how to determine whether there is a real probability of breached data being misused.

It is important to recall that British Columbia, Alberta and Québec each have their own provincial equivalents of PIPEDA that govern organizations subject exclusively to the laws of those provinces. Such organizations are not subject to PIPEDA and, as such, these new rules do not apply to them. Note that the Alberta legislation includes mandatory reporting requirements of its own.

We suggest three best practices to prepare yourself for a security breach. First, ensure that you have an action plan that clearly assigns responsibilities and sets out the procedures to apply in your business as soon as there is a hint of such a breach. Second, distribute that plan to your staff so that they can implement it properly. Third, think of the challenges related to a security incident as an opportunity to display your ethics and your resilience.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific questions relating to this article should be addressed directly to the author.