SECURITY SAFEGUARD BREACH GUIDE

On November 1, 2018, new regulations will come into force that will require all organizations, including insurance brokers, to report breaches of security safeguards that pose a real risk of significant harm to individuals to the Privacy Commissioner and to any individuals affected. They will also require brokers to keep records (for a minimum period of 24 months) of all security safeguard breaches, regardless of whether they pose a real risk of significant harm or whether they were reported to the Privacy Commissioner or the individuals affected. These new data breach notification rules are required under the Digital Privacy Act, 2015, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA).

This guide serves to inform all brokers on the new requirements, including the reporting and record-keeping requirements. This information is also applicable to their commercial clients and should be shared accordingly. However, every broker is unique and any information provided in this guide must be considered in the context of your individual situation. This guide, including attachments and links, is not intended as legal advice. You should consult your individual legal advisors when considering these contents and when setting up your own systems for monitoring, reporting, and keeping records of security safeguard breaches.

What does this mean?

A security safeguard includes a variety of measures taken to securely keep personal or sensitive information. This includes:
- physical measures (e.g., locked filing cabinets and restricted access to offices);
- organizational measures (e.g., security clearances and limiting access on a need-to-know basis); and
- technological measures (e.g., the use of passwords and encryption).

If any of these security safeguards has been discovered to be breached (e.g., information lost, stolen, accessed or disclosed without authorization, etc.), then you must keep a record of it for a minimum period of 24 months. If the breach also involves a real risk of significant harm to affected individuals, then you must also report the breach to the Privacy Commissioner and to those individuals.

What is real risk of significant harm?

Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property. The real risk of significant harm must be determined based on an assessment of the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being, or will be misused. The Privacy Commissioner's office has a guide that helps organizations assess whether a real risk of significant harm exists for a given security breach (see the Resources section at the end of this guide). Note that the new regulations also stipulate that failing to establish security safeguards in the first place also qualifies as a breach of security safeguards.

How does this affect me?

Brokers must ensure that they have security safeguard measures in place for the personal and sensitive information of their clients. As identified above, this can include a variety of measures that best suit each business and its needs. Brokers should also ensure that their commercial clients are aware of these measures, and that they take similar steps. In addition, brokers may also wish to use this opportunity to review appropriate cyber insurance coverages for their clients. Note that if a broker and their commercial client share personal information that is involved in a breach of security safeguards that poses a real risk of significant harm, both the broker and their commercial client must report it to the Privacy Commissioner and the individuals affected.

Do I have to report all breaches of security safeguards?

No. The law requires that you report any breach involving personal information under your control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Whether a breach affects one person or 1,000, it will still need to be reported if your assessment indicates there is a real risk of significant harm resulting from the breach. Though you do not need to report all breaches, you must keep a record of all breaches for a minimum period of 24 months.

What records am I required to keep?

You are required to keep records of all breaches of personal information under your control, whether there is a real risk of significant harm or not, for a minimum period of 24 months from the date a breach has been determined to have occurred (e.g., the day you discovered the breach). Records must contain any information that enables the Privacy Commissioner to verify compliance. At minimum, a record should include:
- the date or estimated date of the breach;
- a general description of the circumstances of the breach;
- the nature of the information involved in the breach;
- whether or not the breach was reported to the Privacy Commissioner of Canada and whether individuals were notified; and
- if the breach was not reported to the Privacy Commissioner and individuals were not notified, a brief explanation of why the breach was determined not to pose a real risk of significant harm.

Records need not include personal details unless necessary to explain the nature and sensitivity of the information.

How do I report a breach that poses real risk of significant harm to the Privacy Commissioner?

The Office of the Privacy Commissioner has an online form that you can fill out to submit your report (see the Resources section below for a link to the form). Note that you are required to report qualifying breaches as soon as you have determined that a breach involving a real risk of significant harm has occurred. This means that you do not have to have all the information identified (e.g., the exact date of the breach), and you are always able to send new information as you become aware of it.

How do I report a breach that poses real risk of significant harm to affected individuals?

Unless otherwise prohibited by law, any time you determine that a breach poses a real risk of significant harm to an individual, you must notify the individual(s) concerned. The notification must be conspicuous and must be given directly to the individual, except in certain circumstances where indirect notification is permitted (see below for the circumstances permitting indirect notification). The law requires that notification to individuals be given as soon as feasible after you have determined that a breach involving a real risk of significant harm has occurred.

What is direct notification?

Direct notification is when you notify an individual in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances.

What do I have to include in direct notifications to individuals?

The notification must include enough information to allow the individual to understand the significance of the breach to them and to take steps, if any are possible, to reduce the risk of harm that could result from the breach or to mitigate the harm. As well, it should not be overly legalistic and it should be easily understandable. The notification must include the following information:
- a description of the circumstances of the breach;
- the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
- a description of the personal information that is the subject of the breach, to the extent that the information is known;
- a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
- a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
- contact information that the affected individual can use to obtain further information about the breach.

When can I indirectly notify individuals?

There are limited circumstances in which you can indirectly notify people. These are when:
- direct notification would be likely to cause further harm to the affected individual;
- direct notification would be likely to cause undue hardship for the organization; or
- the organization does not have contact information for the affected individual.

What are examples of indirect notification?

Indirect notification must be given by public communication or a similar measure that could reasonably be expected to reach the affected individuals. This can include public announcements, such as advertisements in online or offline newspapers. You should use a method that is likely to reach affected individuals. For example, a mention in a corporate blog may not have the reach of a prominent and dedicated public announcement campaign. For indirect breach notifications, you should employ the measures you would use for other public announcements. For example, consider how to incorporate media messaging, including a prominent notice on your website or other online/digital presence.

Do I have to notify any other organizations?

When you notify an individual of a breach involving a real risk of significant harm, you must also notify any other government institutions or organizations that you believe can reduce the risk of harm that could result from the breach or mitigate the harm. Examples include notifying law enforcement if illegal activity is involved (theft, hackers, etc.) and notifying all those who process your payments (payment processors, acquiring bank, etc.) if the breach affects individuals' payment card information. Note that this list is not exhaustive.

What happens if I knowingly fail to comply with these new regulations?

The Privacy Commissioner will refer information relating to the possible commission of an offence to the Attorney General of Canada, who will be ultimately responsible for any prosecution, which may result in:
(a) an offence punishable on summary conviction and liable to a fine not exceeding $10,000; or
(b) an indictable offence and liable to a fine not exceeding $100,000.

Resources:

Detailed guide from the Office of the Privacy Commissioner, "What you need to know about mandatory reporting of breaches of security safeguards": https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/consultation-pb/gd_pb_201809/

How to assess whether a breach poses a real risk of significant harm: https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/consultation-pb/gd_pb_201809/#_part_6

Online form to report breaches of security safeguards that pose a real risk of significant harm: https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/consultation-pb/gd_pb_201809/#_report