As we previously covered in our blog post "PIPEDA's Breach Reporting Requirements Come into Effect on November 1, 2018", federal requirements on privacy breach reporting came into effect last year. In accordance with this update to the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations hit by a privacy breach (that meets certain conditions) must now notify affected individuals and the Office of the Privacy Commissioner. Recently, the Privacy Commissioner released new guidance targeted at informing individuals on what they should expect and what they should do after receiving a data breach notification. There is also an important takeaway for businesses regarding how they fulfill their obligations following a breach.
For Individuals
The latest guidance reaffirms what affected individuals should expect from a breach notification by an organization:
- They must be contacted as soon as feasible, either directly or indirectly (under certain specific circumstances).
- Indirect notification must be issued through a public announcement that is reasonably likely to reach affected individuals.
- The information in the notification should be easy to understand.
When read with the wording of PIPEDA itself, the notification should be easy to understand and contain sufficient information to explain the extent, significance and consequences of the breach.
Additionally, a notification must include:
- a description of the personal information that was exposed
- steps taken to minimize the risk of harm
- steps that affected individuals can take to minimize the risk for themselves
- contact information for individuals to reach someone at the organization with any further questions
Individuals are also advised to change their passwords, monitor accounts, and store notifications in a safe place.
For Businesses
The guidance reiterates to individuals that they should reach out to the organization using the contact information provided in the notification if they have any questions or concerns. The person at an organization who is designated to be the first contact for affected individuals plays an extremely important role. It is critical that they are capable of speaking to all the details of the breach, along with what the organization has done and will be doing in response (both operationally and technically).
See the complete guidance here.
Access more information about PIPEDA's breach reporting requirements here.
Businesses of all sizes are being targeted by cyber criminals and the consequences can be devastating. Cyber Liability Insurance has developed to help businesses reduce the impact, respond and recover in the aftermath of a data breach. Visit capricmw.ca/cyber to get a quote.