Effective November 1, 2018, there are updates to the Personal Information Protection and Electronic Documents Act (PIPEDA) that will affect your business. The reporting requirements have been changed and it’s important to understand how a data breach would affect your clients and your company. We will discuss these reporting updates as well as the support your business insurance can provide you in the event of a data breach.
PIPEDA Reporting Requirement Updates
The federal government has updated PIPEDA reporting requirements as follows:
If a data breach occurs and carries a real risk of significant harm, you must:
- Report the breach to the Office of the Privacy Commissioner of Canada as soon as possible.
- Notify the individuals affected, preferably directly (in person or by phone, email, or mail).
- Notify organizations such as banks and law enforcement if they can help mitigate harm.
In Alberta, this action is taken by the provincial authorities.
Companies are responsible for third-party breaches. This includes documentation even if a contract states the third party is responsible for covering costs associated with a breach.
You must also keep records of every breach for a period of 24 months. This includes:
- Date of the breach (or estimated date)
- General description of circumstances of the breach
- Nature of the information involved in the breach
- General description of what has been done since the breach was discovered
- Risk of harm analysis
- Legal analysis
- Whether the breach was reported; if not, an explanation as to why
There is no need to include personal details unless necessary to explain the circumstances of the breach.
What is considered significant harm?
Significant harm includes bodily injury, personal injury (including humiliation, damage to reputation or relationships, and loss of employment), damage to or loss of property, identity theft, financial loss, a negatively impacted credit record, and more.
The best practice is to report. You do not have to have all the details beforehand – you can provide updates as you learn of the nature and extent of the breach.
Penalties for Failure to Uphold PIPEDA
Failure to follow the three-step process above can result in fines of up to $100,000, as well as lawsuits and class-action lawsuits.
Notification of Individuals Affected by a Data Breach
Direct notification in person or by phone, email, or mail is preferred. However, indirect notification by public announcement or notice is acceptable if it is to the direct benefit of those impacted (i.e. it reaches them more quickly or is less costly).
The notification must include the following:
- Description of the circumstances surrounding the breach
- When the breach occurred
- Description of the steps taken to reduce the risk of harm since the breach was discovered
- Description of the steps the individual can take to reduce the risk or mitigate harm
- Contact information for further details
Please visit https://www.priv.gc.ca/en/ for more details.
Data Breach Insurance
Data breach insurance (sometimes known as cyber liability or cybersecurity insurance) can help you deal with a data breach incident. This coverage can be included in your business insurance (usually as an endorsement or add-on) and some companies offer it as a standalone product.
Prevention and preparation are emphasized with this type of coverage; you generally get access to resources that will allow you to learn how to protect your business from a data breach and how to prepare a plan of action in the event one does occur. You will also receive support to respond to a breach.
This type of coverage will also generally cover litigation and regulatory matters. Claims include invasion of privacy, economic harm, emotional distress, and more.
Keep in mind that you must follow the law when it comes to privacy protection, security, and reporting. If you fail to do so, you may not be covered. Remember to talk to your broker about your coverage’s exclusions and limits, as understanding your policy is an important part of your success in risk management.