Website Privacy Policies and Data Breaches: New Legal Requirements for Secure Data


For any company that stores user data online, a data breach is far more than just an internal issue. It has long been a best practice to contact users promptly after a breach, even when the full extent of the breach has not yet been determined. As more information is gathered, users should then be provided with transparent updates on the nature of a breach and the amount of data that has been accessed without permission. These protocols for responding to a data breach are routinely set out in a company’s online privacy policy, which users are required to review and approve before engaging with the site and uploading data.

Revamped Federal Privacy Laws

Starting in November 2018, updates to the Personal Information Protection and Electronic Documents Act (PIPEDA) mandate that a data breach is no longer just an issue between a company and its users. Depending on the severity and nature of the breach, the federal government might also need to be included in the response to a data breach.

Under the updates to PIPEDA, any data breach that could lead to a “real risk of significant harm” to users must be reported to the Privacy Commissioner of Canada. This is in addition to any existing obligations to inform users, which exist at law or in the company’s privacy policy.

Determining whether “significant harm” could arise from a data breach is a somewhat murky issue, which will require a judgment call on the part of the company.

How to determine whether a breach is significant?

To assist companies in determining whether a data breach is significant enough to alert the Privacy Commissioner, the federal government has provided two helpful qualifiers:

  1. First, the company should consider the nature of any personal information involved in the data breach. If the breach leads to the disclosure of sensitive personal information, there is a higher risk that users could suffer significant harm.
  2. Second, companies must consider the likelihood that the breached data could be misused once it has been improperly disclosed. While financial data (such as credit card information) may be the easiest to misuse, companies should avoid downplaying the potential opportunities for hackers to misuse other data. Even seemingly benign identifying information (such as names and addresses) can aid in identity theft.

Privacy breaches can have significant adverse effects on customers.

If you need to report a privacy breach at your office, click here to access the government form.

The heightened reporting requirements for data breaches provide an opportunity for companies to consider their data collection strategies and privacy policies. Companies should regularly consider the nature of the information they are gathering from users. Given the increased reporting requirements and risks to users, it is best not to gather any user data that is not necessary for business purposes.

While these new requirements do add an additional consideration in the face of a data breach, nothing will assist companies as much as a clear privacy policy prominently displayed on the website.

Privacy law continues to be largely based on principles of consent. So long as users understand and agree to share their data, no company will be expected to have an absolutely foolproof security infrastructure. If a data breach does occur, the company, its users, and now the federal government will have clear expectations for how a response should be managed.
