Using Third Party Service Providers for Data Processing: Your Business' Legal Obligations

If your business collects personal information of any kind, you're likely using third party services to process that data. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have certain legal obligations in the event that your service provider suffers a data breach.
Categories: Business Insights
Feb 12th, 2020 | By: CapriCMW

Under PIPEDA, third party data processing refers to organizations collecting personal information and providing third party access to that data for the purpose of carrying out certain services for the organization. Some common examples include paying for cloud services to store customer and employee information, outsourcing payroll, procuring employee benefits plans through insurance providers, outsourcing customer service to call centres, etc. 

Mandatory data breach reporting came into effect across Canada on November 1, 2018. Organizations hit by privacy breaches that meet certain conditions are legally required to notify affected individuals and the Office of the Privacy Commissioner. You can learn more about these requirements in our previous blog post. If a third party data processor you use suffers a breach that meets the threshold for reporting, one may assume that the data processor would be accountable for fulfilling reporting and notification requirements under PIPEDA.

In fact, the onus falls on the organization that controls the data - your business would be legally responsible to notify affected individuals and the Privacy Commissioner.  

To minimize your liability and ensure compliance with PIPEDA, it is critical that your contracts with these service providers properly address the cybersecurity measures they should have in place and the policies and procedures for responding to a data breach. At a minimum, your contract should stipulate that your service provider:

  • notifies your business of a breach within the timeframes required by PIPEDA
  • provides all necessary information to meet your reporting and notification obligations
  • complies with applicable privacy laws
  • limits their use of personal data to specific purposes
  • protects data under their care from third party or unauthorized access
  • investigates and takes action to minimize the impact of breaches

Source: "What Businesses Need to Know About Their Legal Obligations When Outsourcing Data Processing to Third-Party Service Providers" by David McHugh of Segev LLP

For more information on how you can protect your business against the impact of a data breach, contact a CapriCMW Risk Advisor.

 
