On November 1, 2018, mandatory breach reporting and recordkeeping obligations for Canadian businesses will come into force under the Personal Information Protection and Electronic Documents Act (PIPEDA).
What does this mean for your business?
The mandatory breach reporting and recordkeeping provisions require organizations to:
- Notify individuals about privacy breaches if it would be reasonable to believe that the breach creates a “real risk of significant harm” to the affected individual. The notification must include elements specified in the regulations;
- Report the breach to the Office of the Privacy Commissioner of Canada and, in certain circumstances, to other organizations and government institutions;
- REGARDLESS of whether the incident reaches the threshold of a “real risk of significant harm” to individuals, organizations MUST keep records (a “breach file”) for 2 years of any loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of the organization’s security safeguards.
What should your business do?
- Understand your obligations under the new laws and regulations:
  - Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/respond-to-a-privacy-breach-at-your-business/
  - Government of Canada: http://gazette.gc.ca/rp-pr/p2/2018/2018-04-18/html/sor-dors64-eng.html
- Review, update or develop policies and procedures to meet your new obligations, including: risk assessment; notification to individuals; reports to regulatory bodies; notices to third parties; and, especially, record keeping;
- Review your incident response plan. It should have a clear framework to identify the steps your business will take when a breach occurs;
- Identify outside specialists who can assist your business in preparing and responding to breaches;
- Implement appropriate training and awareness programs for anyone in your organization who handles sensitive information on behalf of the organization;
- Ensure you have sufficient Cyber Liability Insurance.
Traditional insurance policies are not enough. Policies for property, business interruption, general liability, and crime either specifically exclude cyber-related losses or provide coverage only in very limited, specific circumstances. With no insurance in place, the cost of recovering from a cyber breach may be significant.