The government of Canada has unveiled new regulations that specify how organizations must report and respond to a data breach.
On 18 April, the Governor General of Canada released the Breach of Security Safeguards Regulations (SOR/2018-64).
The rules require organizations to submit a comprehensive report to the Privacy Commissioner of Canada (“the Commissioner”) if and when they detect a breach. That report should include the circumstances and causes of the breach, the types of information compromised by the security incident, the day on which the event occurred, how many individuals the organization estimates were affected and what steps the organization took to mitigate the threat.
Organizations may use “secure means of communication,” including encrypted channels, to send their report to the Commissioner. They must then keep a record of every breach of security safeguards for 24 months from the time that they detect an incident.
Under the Regulations, victim companies must issue a similarly detailed notice to affected individuals. They should endeavor to directly notify affected persons via email, mail or telephone. But they can notify indirectly if notifying the individual directly would cause undue harm to the individual or to the organization.
These standards, which will enter into force on 18 November 18, fall under Division 1.1 of the Personal Information Protection and Electronic Documents Act (PIPEDA).
This legislation requires that a victim organization conduct a risk assessment to determine if a security incident threatens affected individuals with “real risk of significant harm.” If it does, that victim organization must notify all affected individuals and report the incident to the Commissioner “as soon as feasible.”
As part of PIPEDA, breached companies must also notify any other organization that can mitigate harm to the affected individuals as well as keep records of the data…
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/latest-security-news/canadian-government-unveils-new-data-breach-regulations/