SECURITY SAFEGUARD BREACH GUIDE

Size: px

Start display at page:

Download "SECURITY SAFEGUARD BREACH GUIDE"

Buck Bishop
5 years ago
Views:

1 SECURITY SAFEGUARD BREACH GUIDE

2 On November 1, 2018, new regulations will come into force that will require all organizations, including insurance brokers, to report breaches of security safeguards that pose a real risk of significant harm to individuals to the Privacy Commissioner and any individuals affected. It will also require brokers to keep records (for a minimum period of 24 months) of all security safeguard breaches, regardless of whether they pose real risk of significant harm or if they were reported to the Privacy Commissioner or individuals affected. These new data breach notification rules are required under the Digital Privacy Act, 2015, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA). This guide serves to inform all brokers on the new requirements, including reporting and storing requirements. This information is also applicable to their commercial clients and should be shared accordingly. However, every broker is unique and any information provided in this guide must be considered in the context of your individual situation. This guide, including attachments and links, is not intended as legal advice. You should consult your individual legal advisors when considering these contents and when setting up your own systems of monitoring, reporting, and keeping records of security safeguard breaches. What does this mean? A security safeguard includes a variety of measures taken to securely keep personal or sensitive information. This includes physical measures (e.g., locked filing cabinets and restricted access to offices), organizational measures (e.g., security clearances and limiting access on a need-to-know basis), and technological measures (e.g., the use of passwords and encryption). If any of these security safeguards have been discovered to be breached (e.g., lost, stolen, accessed or disclosed without authorization, etc.), then you must keep a record of it for a minimum period of 24 months. If this breach also involves real risk of significant harm to affected individuals, then you must also report the breach to the Privacy Commissioner and to said individuals. 1

3 What is real risk of significant harm? Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. The real risk of significant harm must be determined based on an assessment of the sensitivity of the personal information involved in the breach and the probability the personal information has been/is/will be misused. The Privacy Commissioners office has a guide that helps organizations assess whether real risk of significant harm exists with a corresponding security breach (see Resources section at the end of this guide). Note that the new regulations also stipulate that failing to establish security safeguards in the first place also qualifies as a breach of security safeguard. How does this affect me? Brokers must ensure that they have security safeguard measures in place regarding personal and sensitive information of their clients. As identified above, this can include a variety of measures that best suit each business and its needs. Brokers should also ensure that their commercial clients are aware of these measures, and that they take similar steps. In addition, brokers may also wish to use this opportunity to review appropriate cyber insurance coverages for their clients. Note that if a broker and their commercial client share personal information that is involved in a breach of security safeguards that poses real risk of significant harm, both the broker and their commercial client must report it to the Privacy Commissioner and individuals affected. Do I have to report all breaches of security safeguards? No. The law requires that you report any breach involving personal information under your control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Whether a breach affects one person or a 1,000, it will still need to be reported if your assessment indicates there is a real risk of significant harm resulting from the breach. Though you do not need to report all breaches, you must keep a record of all breaches for a minimum period of 24 months. 2

4 What records am I required to keep? You are required to keep records of all breaches of personal information under your control whether there is a real risk of significant harm or not for a minimum period of 24 months from the date a breach has been determined to have occurred (e.g., the day you discovered the breach). Records must contain any information that enables the Privacy Commissioner to verify compliance. At minimum, a record should include: date or estimated date of the breach; general description of the circumstances of the breach; nature of information involved in the breach; whether or not the breach was reported to the Privacy Commissioner of Canada/individuals were notified; and if the breach was not reported to the Privacy Commissioner/individuals, a brief explanation of why the breach was determined not to pose a real risk of significant harm. Records need not include personal details unless necessary to explain the nature and sensitivity of the information. How do I report a breach that poses real risk of significant harm to the Privacy Commissioner? The Office of the Privacy Commissioner has an online form that you can fill out to submit your report (see Resources section below for a link to the form) Note that you are required to report qualifying breaches as soon as you have determined a breach involving a real risk of significant harm has occurred. This means that you do not have to have all the information identified (e.g., the exact date of the breach), and you are always able to send new information as you become aware of it. 3

5 How do I report a breach that poses real risk of significant harm to affected individuals? Unless otherwise prohibited by law, anytime you determine that a breach poses a real risk of significant harm to an individual, you must notify the individual(s) concerned. The notification must be conspicuous and must be given directly to the individual, except in certain circumstances where indirect notification is permitted (see below for circumstances permitting indirect notification). The law requires that notification to individuals must be given as soon as feasible after you have determined a breach involving a real risk of significant harm has occurred. What is direct notification? Direct notification is when you notify an individual in person, by telephone, mail, or any other form of communication that a reasonable person would consider appropriate in the circumstances. What do I have to include in direct notifications to individuals? The notification must include enough information to allow the individual to understand the significance of the breach to them and to take steps, if any are possible, to reduce the risk of harm that could result from the breach or mitigate the harm. As well, it should not be overly legalistic and it should be easily understandable. The notification must include the following information: a description of the circumstances of the breach; the day on which, or period during which, the breach occurred or, if neither is known, the approximate period; a description of the personal information that is the subject of the breach to the extent that the information is known; a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach; a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and contact information that the affected individual can use to obtain further information about the breach. 4

6 When can I indirectly notify individuals? There are limited times when you can indirectly notify people. These are when: direct notification would be likely to cause further harm to the affected individual; direct notification would be likely to cause undue hardship for the organization; or the organization does not have contact information for the affected individual. What are examples of indirect notification? Indirect notification must be given by public communication or similar measure that could reasonably be expected to reach the affected individuals. This can include public announcements, such as advertisements in online or offline newspapers. You should use a method that is likely to reach affected individuals. For example, a mention in a corporate blog may not have the reach of a prominent and dedicated public announcement campaign. For indirect breach notifications, you should employ those measures you would for other public announcements. For example, consider how to incorporate media messaging, including a prominent notice made on your website, or other online/digital presence. Do I have to notify any other organizations? When you notify an individual of a breach involving a real risk of significant harm, you must also notify any other government institutions or organizations that you believe can reduce the risk of harm that could result from the breach or mitigate the harm. Examples include notifying law enforcement if illegal activity is involved (theft, hackers, etc.), notifying all those who process your payments (payment processors, acquiring bank, etc.) if the breach affects individuals payment card information, etc. Note that this list is not extensive. 5

7 What happens if I knowingly fail to comply with these new regulations? The Privacy Commissioner will refer information relating to a possible commission of offense to the Attorney General of Canada who will be ultimately responsible for any prosecution that may result in: (a) an offence punishable on summary conviction and liable to a fine not exceeding $10,000; or (b) an indictable offence and liable to a fine not exceeding $100,000. Resources: Detailed Guide from the Office of the Privacy Commissioner: What you need to know about mandatory reporting of breaches of security safeguards : How to assess whether breach poses real risk of significant harm: Online form to report breaches of security safeguards that pose a real risk of significant harm: 6

Best Practice: Responding to a Privacy Breach

Best Practice: Responding to a Privacy Breach Introduction The Access to Information and Protection of Privacy Act (ATIPP Act or Act) has a dual purpose: to make public bodies more accountable to the public