PIPEDA's Breach Reporting Requirements Come into Effect on November 1, 2018

The federal requirements on privacy breach reporting have been finalized and will come into force on November 1, 2018.
Categories: Business Insights
Jun 6th, 2018 | By: CapriCMW

Canadians have long been anticipating the implementation of federal privacy breach reporting requirements. Bill S-4, the Digital Privacy Act, was passed on June 18, 2015 and included amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). Most of those amendments are already in force, with the exception of the ones pertaining to privacy breach reporting. As of November 1, 2018, organizations that suffer a privacy breach meeting certain conditions will be required to notify affected individuals and the Office of the Privacy Commissioner.

According to the Act, organizations must report any breach of security safeguards where it is reasonable to believe the breach creates a "real risk of significant harm to the individual." The term "significant harm" is defined as "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on (one's) credit record and damage to or loss of property." Whether the risk is "real" is assessed from the sensitivity of the personal information involved and the probability that it has been or will be misused. Reports and notifications must be made as soon as feasible after the organization determines that a breach has occurred.

Notifying the Commissioner

Notice to the Commissioner must be in the form of a written report that includes:

  • the circumstances and cause (if known) of the breach
  • the day (or time period) the breach occurred
  • the personal information that was exposed
  • an estimate of the number of individuals affected
  • the steps the organization has taken to minimize the risk to affected individuals
  • the steps the organization has taken (or will take) to notify affected individuals
  • the name and contact information of the representative of the organization who will respond to inquiries on the breach

Notifying Affected Individuals

Notice to affected individuals must be given directly, by email, letter, telephone or in person, except in cases where direct notification could cause further harm to affected individuals or undue hardship to the organization, or where current contact information for affected individuals is unavailable. In those circumstances, the organization is permitted to give indirect notification through public announcements or advertising that could reasonably be expected to reach the affected individuals. The notice must include:

  • the circumstances of the breach
  • the day (or time period) the breach occurred
  • the personal information that was exposed
  • the steps that the organization has taken to minimize the risk to affected individuals
  • the steps that affected individuals can take to minimize the risk for themselves
  • contact information that affected individuals can use for further information about the breach
  • the organization’s internal complaint process and rights of affected individuals to file complaints with the Commissioner

Where notifying another organization or a government institution could reduce the risk of harm to affected individuals (for example, a payment card issuer or a credit bureau), the organization is required to notify that party as well.

Record-Keeping

For every breach of security safeguards, regardless of whether notice is required, organizations must keep a record for 24 months from the day the organization determines that the breach occurred. The Commissioner can request the breach records at any time to determine whether the organization is complying with PIPEDA. The record must contain enough information for the Commissioner to verify compliance, so it should document the breach itself, the organization's assessment of whether there was a real risk of significant harm, and the reasons a report or notification was or was not made.

Penalties for Violations

Knowingly failing to report a breach to the Commissioner, to notify affected individuals, or to keep the required breach records is an offence that can lead to fines of up to $100,000 for each violation.

Leading up to the November 1 enforcement date, it is important for all organizations to:

  • conduct a thorough review of existing cybersecurity measures, including the logging and monitoring needed to determine what personal information a breach exposed and whom it affected
  • enhance safeguards where necessary to protect personal information
  • implement formal, written policies and procedures for identifying a breach, assessing whether it poses a real risk of significant harm, notifying the Commissioner and affected individuals, and keeping the required records

For further details about the regulations, see the Government of Canada's release on the Breach of Security Safeguards Regulations.
