With the first wave of amendments to Québec's An Act Respecting the Protection of Personal Information in the Private Sector ("PPIPS") having taken effect just over a month ago, we thought we would share some misconceptions we have encountered when discussing security incidents involving personal information – a "confidentiality incident" – and mandatory breach reporting.
As a reminder, in Québec, "personal information" is defined as any information which relates to a natural person and allows that person to be identified either directly or indirectly. A "confidentiality incident" is the access, use or communication of personal information that has not been authorized by law as well as the loss of personal information or any other breach in the protection of such information.
1. "Only a few files were affected, so we're not going to report it."
The way that Québec's personal information reporting thresholds work can seem somewhat counterintuitive to seasoned risk analysts. Unlike most other forms of operational risk analysis – in which the assessment of an event's severity and impact, and of the action that must be taken to remedy it, are usually based on the number of systems or people affected and/or on the costs to the entity – a confidentiality incident must be reported if it is believed that the incident could lead to a risk of serious injury to the person or persons whose information has been compromised.
The "risk of serious injury" assessment is based on:
- the sensitivity of the personal information,
- the anticipated consequences of its use, and
- the likelihood that such information will be used for injurious purposes.
Such assessments can lead to the conclusion that what had initially seemed like very minor breaches require notification while bigger breaches do not. For example, the compromise of a single file containing a passport number and a name will require notification, whereas the loss of a USB key containing only email addresses belonging to 150 people might not.
2. "The information is old, so we aren't going to report it."
Regardless of how "old" the personal information is, any compromise to this information that could lead to a risk of serious injury requires notification to the Québec privacy commission, the Commission d'accès à l'information ("CAI") and to the individual whose personal information has been compromised. If there is a risk of serious injury, the only three cases in which the individual need not be directly notified are:
- if sending such notice is likely to cause increased injury to the individual;
- if sending such notice is likely to cause undue hardship for the entity; or
- if the entity does not have the individual's contact information.
In each of these instances, however, the entity is required to make a public notice of the confidentiality incident, for example on its website.
3. "Only paper files were stolen, so it wasn't a confidentiality incident."
One thing we often forget is that confidentiality incidents are platform agnostic. It doesn't matter whether the personal information was recorded in a paper or a digital document: if it has been compromised, a confidentiality incident has occurred and a "risk of serious injury" assessment is triggered, along with any consequential reporting duties. The possibility of paper files being compromised and triggering notification duties is a reason that entities should not blindly rely on their cybersecurity incident response procedures for compliance with personal information protection legislation. Because of their focus on cybersecurity, those procedures frequently fail to cover compromised personal information contained in paper files.
4. "We anonymize all personal information we collect, so there's no risk."
Are you sure?
While it is true that anonymized personal information is no longer considered information about an identifiable individual and therefore, in principle, is not protected by the applicable personal information protection laws, true anonymization is impossible. What is usually meant by "anonymization" is a variation on de-identification, which is a slightly different concept in privacy law. Although de-identification reduces the level of sensitivity of personal information and – depending on the techniques used – may in fact make such information very difficult to re-identify, re-identification is, at least in theory, often possible. Before dismissing a confidentiality incident on the grounds that the personal information was de-identified, it is important to fully understand the techniques used to de-identify such information and to conduct a risk analysis of the likelihood of re-identification and the resulting risk of serious injury.
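The gap between "we removed the names" and actual anonymization is easiest to see on data. The following is an added example, not part of the article and not a tool of the CAI or any other body: a small k-anonymity check over a constructed, already "de-identified" data set. The field names (postal_fsa, birth_year, sex, claim), the sample records and the generalisation rule are all assumptions made for the illustration. It measures how many records are singled out by their quasi-identifiers alone, which is the kind of figure a re-identification risk analysis should record before an incident is dismissed.

```python
"""Re-identification risk check for a "de-identified" data set.

Added example for this article; the records, field names and
generalisation rule are constructed assumptions, not taken from the text.
"""
from collections import Counter

# Constructed sample. Names and other direct identifiers have already been
# removed, which is what "we anonymize everything" usually means in practice.
# The remaining columns are quasi-identifiers: each alone is harmless, but
# the combination can be matched against another data set that still
# carries names, which is why re-identification remains possible.
DEIDENTIFIED_RECORDS = [
    {"postal_fsa": "H2X", "birth_year": 1984, "sex": "F", "claim": "dental"},
    {"postal_fsa": "H2X", "birth_year": 1984, "sex": "F", "claim": "vision"},
    {"postal_fsa": "H2X", "birth_year": 1975, "sex": "M", "claim": "psychotherapy"},
    {"postal_fsa": "H3B", "birth_year": 1984, "sex": "F", "claim": "dental"},
    {"postal_fsa": "H3B", "birth_year": 1991, "sex": "M", "claim": "physiotherapy"},
    {"postal_fsa": "G1R", "birth_year": 1979, "sex": "M", "claim": "dental"},
    {"postal_fsa": "G1R", "birth_year": 1979, "sex": "M", "claim": "vision"},
    {"postal_fsa": "H2X", "birth_year": 1991, "sex": "M", "claim": "dental"},
    {"postal_fsa": "H3B", "birth_year": 1972, "sex": "M", "claim": "psychotherapy"},
]

# Assumed quasi-identifiers; "claim" is the sensitive attribute we want to
# keep unlinkable to a person.
QUASI_IDENTIFIERS = ("postal_fsa", "birth_year", "sex")


def qi_key(record, quasi_identifiers):
    """The tuple of quasi-identifier values an outsider could match on."""
    return tuple(record[q] for q in quasi_identifiers)


def equivalence_classes(records, quasi_identifiers):
    """Map each quasi-identifier combination to how many records share it."""
    return Counter(qi_key(r, quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """k is the size of the smallest equivalence class.

    k == 1 means at least one person is singled out by the quasi-identifiers
    alone; an empty data set yields 0.
    """
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def unique_records(records, quasi_identifiers):
    """Records whose quasi-identifier values are shared by no other record."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records if classes[qi_key(r, quasi_identifiers)] == 1]


def risk_summary(records, quasi_identifiers):
    """The figures a breach assessment would record for the data set."""
    uniques = unique_records(records, quasi_identifiers)
    return {
        "records": len(records),
        "k_anonymity": k_anonymity(records, quasi_identifiers),
        "unique": len(uniques),
        "unique_fraction": round(len(uniques) / len(records), 2) if records else 0.0,
    }


def generalize(record):
    """Assumed generalisation step: keep only the postal region letter and the
    birth decade. Coarser values put more records into each class."""
    out = dict(record)
    out["postal_fsa"] = record["postal_fsa"][0]
    out["birth_year"] = record["birth_year"] - record["birth_year"] % 10
    return out


if __name__ == "__main__":
    # As released: k = 1 and 5 of 9 records are unique, so the
    # "psychotherapy" rows can be tied to a person by anyone holding a
    # name-bearing list with the same three fields.
    print("as released :", risk_summary(DEIDENTIFIED_RECORDS, QUASI_IDENTIFIERS))
    # After generalisation every class has at least two members (k = 2).
    coarser = [generalize(r) for r in DEIDENTIFIED_RECORDS]
    print("generalised :", risk_summary(coarser, QUASI_IDENTIFIERS))
```

The point for an incident assessment is the first set of figures: a data set with no names in it can still have a k of 1, and a unique row carrying a health claim is personal information whose exposure can meet the "risk of serious injury" threshold. The second set shows what a documented de-identification technique has to achieve before the same conclusion would be defensible.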
5. "We are the victims of a cyberattack, so we have to report it to the CAI."
Here is the good news – at least from a personal information protection perspective. Just because you have suffered a cyberattack does not mean that you automatically have to report it to the CAI. If the compromised files did not contain personal information or if, following an assessment of the potential risk of serious injury, it is determined that notification is not required, then an entity is under no obligation to report the attack to the CAI. If the attack involves personal information (regardless of whether such information creates a risk of serious injury), however, the entity must always log the attack and the reason for which it decided not to notify the CAI and the individuals concerned.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.