Canada Gazette, Part I, Volume 151, Number 35: Breach of Security Safeguards Regulations

September 2, 2017

Statutory authority

Personal Information Protection and Electronic Documents Act

Sponsoring department

Department of Industry

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

Issues

On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) amended Canada's private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA or the Act), in a number of areas. A key change was the establishment of mandatory data breach reporting requirements.

These new provisions are set out in Division 1.1 of PIPEDA, but are not yet in force. The proposed Regulations provide further details pertaining to certain statutory requirements, and prescribe the process for the coming into force of the Regulations.

Background

Legislative framework

PIPEDA applies to the collection, use or disclosure of personal information by every organization in the course of a commercial activity. A commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or fundraising lists.

The federal government may exempt from PIPEDA organizations and/or activities in provinces that have adopted substantially similar privacy legislation. To date, Quebec, British Columbia and Alberta have adopted private sector legislation deemed substantially similar to PIPEDA. Further, Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have adopted substantially similar legislation with respect to personal health information.

Even in those provinces that have adopted legislation substantially similar to the federal privacy legislation, PIPEDA continues to apply to all interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities.

PIPEDA also continues to apply in those provinces to federally regulated organizations — “federal works, undertakings or businesses” — such as banks, and telecommunications and transportation companies.

The purpose of PIPEDA is to facilitate growth in electronic commerce through increasing the confidence of Canadians and businesses in the digital economy. The Act employs a principles-based approach that balances the privacy rights of individuals with the legitimate needs of business to use or exchange information.

Mandatory data breach reporting under PIPEDA

With the implementation of Division 1.1 of PIPEDA, organizations that experience a data breach — referred to in the Act as a “breach of security safeguards” — will have certain obligations, as follows:

Subsection 26(1)(c) of PIPEDA provides the Governor in Council with the authority to make any regulations that are required under the Act. The objective of this regulatory proposal is to provide greater certainty and specificity with respect to certain elements of the Act's data breach reporting requirements under Division 1.1.

Objectives

The objectives of the proposed Regulations are to

  1. Ensure that all Canadians will receive consistent information about data breaches that pose a risk of significant harm to them.
  2. Ensure that data breach notifications contain sufficient information to enable individuals to understand the significance and potential impact of the breach.
  3. Ensure that the Commissioner receives consistent and comparable information about data breaches that pose a risk of significant harm.
  4. Ensure that the Commissioner is able to provide effective oversight and verify that organizations are complying with the requirements to notify affected individuals of a data breach and to report the breach to the Commissioner.

Description and rationale

With regard to the statutory requirements for data breach reporting under Division 1.1 of PIPEDA, the proposed Regulations will

Recognizing the vast range of organizations that are subject to PIPEDA, the proposed Regulations are designed to provide maximum flexibility for organizations to fulfill their statutory obligations in a manner that is compatible with their particular circumstances.

Data breach report to the Commissioner

The proposed Regulations list the categories of information that must be contained in a report to the Commissioner, but do not preclude additional information from being provided by the organization, should it believe that the information is pertinent to the Commissioner's understanding of the incident.

The proposal aligns closely with what is currently recommended in guidance by the Office of the Privacy Commissioner of Canada (OPC) for voluntary data breach reporting, and with what is required for mandatory breach reporting in Alberta (see footnote 1) and in the European Union (see footnote 2).

The proposed Regulations allow for data breach reports to be submitted with the best information available to the reporting organization at the time. This allows an organization to report breaches within an appropriate time frame, even when all information is not yet available. In these cases, organizations may provide updates to the report at a later date, if further pertinent information becomes available.

Notifying affected individuals of a data breach

The proposed Regulations also list the categories of information that must be contained in a notification to affected individuals. However, organizations are not precluded from providing additional information or designing the notice to suit the intended audience.

This approach provides some certainty to organizations as to what is required as a minimum to comply with the statutory requirements for notification. At the same time, it provides flexibility on the format, design and means of notification. This allows organizations to conduct notifications in line with established practices and expectations of their stakeholders.

The proposed Regulations identify certain commonly used forms of communication as appropriate means of direct notification to individuals, with some caveats to ensure that prompt and secure communication of the information takes place. The proposal also recognizes that notification by other unspecified means of communication may also be appropriate, if they are considered to be secure and prompt, and have been established by the organization as a means of communicating important information to the intended audience.

Circumstances where indirect notification to affected individuals would be permitted, in place of direct notification, have been listed in the proposed Regulations. These circumstances are generally considered by stakeholders to be situations where direct notification to all individuals affected by a breach may be impossible or unfeasible for the breached organization, or where direct notification may not be in the best interest of the individuals themselves. The proposed Regulations also confirm that public announcements or advertisements can be considered as appropriate for indirect notifications. Additional requirements for the use of these communication channels are prescribed to increase the probability that affected individuals will receive the information.

Data breach record-keeping

The proposed Regulations will affirm that the purpose of data breach record-keeping is to facilitate oversight by the Commissioner to ensure compliance with the requirements to report to the Commissioner and notify affected individuals of significant breaches. This in turn will encourage better data security practices by the organizations.

To this end, the proposed Regulations will require organizations to maintain sufficient information in a data breach record to demonstrate that they are tracking data security incidents that result in a breach of personal information. The proposal allows for a broad interpretation of what information would constitute a “record” for the purpose of PIPEDA.

This approach provides protection for any material, regardless of medium or form, that may be provided to the Commissioner in response to a request for data breach records. By not enumerating what constitutes a record in regulations, the Access to Information Act exemption in PIPEDA may be extended to whatever is considered a breach record for the purpose of the Act.

The proposed Regulations specify that organizations must hold data breach records for a minimum period of time; specifically 24 months. This allows the Commissioner to request and review the history of breaches experienced by a particular organization within a two-year window. The proposed time frame reflects the standard practice in most provinces for limitations on initiating civil litigation. It is intended to be a minimum requirement, providing for the retention of data breach records for longer than two years, if an organization's other obligations, practices or requirements so dictate.

For greater certainty, the proposed Regulations clarify that a data breach report provided to the Commissioner under subsection 10.1(1) of PIPEDA can also be considered a data breach record.

Coming into force

To facilitate compliance with the new data breach reporting regime under PIPEDA, the proposed Regulations provide for implementation at the same time as the related statutory requirements under Division 1.1 of PIPEDA, and allow for a lag period between the publication of final Regulations and their coming into force.

Impacts

Businesses

All organizations subject to PIPEDA will be impacted by the proposed Regulations. However, many will have already implemented data breach reporting practices that align with the proposal, given that it reflects existing best practices established by the OPC and legislative requirements in Alberta.

For those organizations that do not have established processes and procedures for tracking data breaches and reporting accordingly, the proposed Regulations provide for a delayed coming into force date after the publication of the final Regulations.

Consumers

The Canadian marketplace will see a positive impact of the proposed Regulations. Consumers will have the assurance that when they are affected by a data breach posing a risk of significant harm, they will receive the right information in an appropriate manner, regardless of where the breach occurred.

Office of the Privacy Commissioner of Canada

The responsibility for overseeing compliance with PIPEDA rests with the Commissioner. As part of its oversight of data breach reporting requirements under the Act, the OPC will receive reports on data breaches posing a real risk of significant harm, request data breach records of organizations, at its own discretion, and provide advice and guidance to organizations as to how to comply with their breach reporting obligations under the Act. Where appropriate, the Commissioner will investigate complaints pertaining to suspected contraventions of data breach reporting requirements, and conduct audits of organizational practices in this regard.

As part of its annual report to Parliament on PIPEDA, the OPC may provide information on the extent and nature of reported data breaches in an aggregate and anonymized manner.

Benefits and costs

Social benefits

The proposed Regulations are expected to contribute positively to the privacy and security of individuals. Mandatory breach reporting allows individuals who are affected by a breach to take immediate action to protect themselves against further compromise that may lead to fraud, identity theft, humiliation, loss of employment or other forms of significant harm.

The proposed Regulations are anticipated to help mitigate harm to individuals who are affected by a data breach, and to increase the protection of Canadians' personal information in general by encouraging better data security practices.

The costs to consumers stemming from data breaches are significant and far-reaching. According to Javelin Strategy and Research, which has done comprehensive annual studies of identity theft in the United States since 2006, a significant proportion of individuals who are impacted by a data breach become victims of identity theft or fraud. Beyond financial costs, the potential for humiliation and loss of opportunity resulting from breaches of personal information also exists, and has been recognized by the courts in Canada.

Mandatory data breach notification under PIPEDA provides an increased level of protection for Canadians and other consumers in the Canadian marketplace by allowing them to take steps to protect themselves from potential harm resulting from that breach.

The proposed Regulations will enhance this protection in a number of ways. By ensuring that all breach notifications contain a core set of information and are provided in an appropriate manner, the proposed Regulations will result in more effective notifications by increasing the probability that affected individuals will receive the information and understand its significance.

A minimum standard for notification also assures Canadians that they can expect a similar approach to notification by all organizations.

Economic benefits

The proposed Regulations will serve to codify existing best practices for data breach reporting and create certainty across the marketplace about how organizations notify individuals affected by a breach. They will also harmonize Canada's regime for data breach reporting with those of other jurisdictions, reducing the burden of reporting for organizations operating in multiple jurisdictions.

In particular, the proposed Regulations will specify the minimum content of a breach report to the Commissioner, ensuring that reports contain adequate and consistent information to enable the Commissioner's oversight of the requirement to notify individuals. This ensures that all organizations are held to the same standard when reporting breaches and creates a level playing field for regulated organizations across Canada.

Prescribing the content of notifications to individuals and reports to the Commissioner will align the federal private sector regime for mandatory breach reporting with equivalent provincial legislation, and those of Canada's major trading partners.

In particular, the European Union General Data Protection Regulation (GDPR), which comes into force in 2018, includes mandatory data breach reporting and requires organizations to include similar information in reports to authorities and to individuals. Also in line with the proposed Regulations, EU companies will be required to keep a record of all data breaches for the purpose of demonstrating due diligence with regard to their reporting obligations.

This alignment is important to Canada–EU trade. PIPEDA is currently deemed to provide an essentially equivalent level of privacy protection to the European Union, which allows for the free flow of personal information from the European Union to Canadian organizations.

It is also an important factor in mitigating compliance costs for organizations that operate in multiple jurisdictions. Many organizations subject to PIPEDA are also required to comply with provincial or international laws, and in the case of a data breach may be required to notify individuals in various jurisdictions. To the extent that the proposed Regulations can align data breach reporting under PIPEDA with requirements in other jurisdictions, this would reduce the burden of notification for many organizations in Canada.

Public security benefits

The proposed Regulations are expected to contribute positively to the security of individuals and the cyber security readiness of Canadian businesses. The regulatory proposal implements statutory requirements to report data breaches, a requirement that has been established as an important element of Canada's cyber security policy.

Experts in data security believe that data breaches are on the rise because organizations are not taking appropriate measures to protect the data they hold. A 2016 report by the Internet Society on the economics of data breaches surmises that the reason for this is twofold: (1) organizations do not bear all the costs of a data breach (much is borne by affected individuals), and (2) there is not enough benefit to them in better protecting their users' data (see footnote 3). Mandatory breach reporting and record-keeping provide a much needed incentive for organizations to adopt better security practices.

A requirement to maintain records of all breaches for a two-year period will incentivize organizations to track and analyze the impact of all data security incidents. Although many data breaches appear to bear no harm, there may be data security implications. The EY 2016 Global Information Security Survey found that the majority of organizations currently do not increase their cyber security spending after experiencing a breach that does not appear to do any harm. The authors of the report indicate that this is concerning given that cyber criminals often make “test attacks,” lie dormant after a breach, or use a breach as a diversionary tactic to throw organizations off the trail of what they are really up to (see footnote 4).

The proposed Regulations will also ensure that breach reports to the Commissioner are provided in such a way that incidents can be compared and aggregated to provide a much needed repository of information on data security incidents in Canada, something that experts say will lead to a better shared understanding of cyber security threats. According to the Internet Society report, sharing this information responsibly has a number of benefits: it helps organizations globally improve their data security, helps policy-makers improve policies, helps regulators pursue attackers, and helps the data security industry produce better solutions (see footnote 5). The report recommends that, in order to reduce incidents of data breaches, we must increase transparency of the issues through data breach notifications and disclosure.

Consistency in reporting will also allow for metrics to be developed for evidence-based policy-making. Currently there is little data available about the extent and nature of data breaches across the Canadian marketplace, outside of Alberta and the health sector in certain provinces.

Costs

The costs to business directly resulting from the proposed Regulations are expected to be nominal, given that the bulk of the compliance and administrative burden arises from the statutory obligations imposed by the Digital Privacy Act.

Further, the proposed Regulations reflect in large part existing best practices that have been established under the voluntary reporting initiative of the OPC, and under equivalent legislation in certain provinces. Given that these practices have been in place for several years, it is expected that many regulated organizations will have already incorporated them to some degree into their own policies and procedures.

It is anticipated that the flexible approach taken in the proposed Regulations will serve to mitigate the costs of complying with the statutory requirements for notifying individuals. The proposed Regulations allow for organizations to notify individuals indirectly where directly contacting each affected individual may prove unreasonably costly. In these cases, the proposed Regulations allow notification to take place via communication channels that are much more cost effective and efficient, greatly reducing the burden of notification. This may be particularly important for small to medium-sized organizations that may experience a data breach involving a very large number of customers.

The proposed Regulations also allow for organizations to craft notifications in a way that is appropriate for the circumstances and the audience. Though a core set of information is required to be included in notifications to individuals, the proposed Regulations are silent on their format and design.

Consultation

During Parliament's review of the Digital Privacy Act, many stakeholders representing businesses, consumers and the legal community presented their views on the proposed regime for data breach reporting. The majority were generally supportive of the Bill's approach, which proposed the use of regulations to provide details on statutory requirements.

Subsequent to the royal assent of the Digital Privacy Act, stakeholders were specifically consulted on the proposed use of regulations. Innovation, Science and Economic Development Canada (ISED) published a comprehensive discussion paper that posed a series of specific questions and invited stakeholders to provide their views on how the Government should exercise its regulatory authority. The discussion paper was posted on the Government's consultation portal (www.consultingcanadians.gc.ca) and was distributed directly to specific stakeholder groups. ISED also held bilateral and multilateral meetings and teleconferences with interested stakeholders to allow them to express their views on the proposed Regulations.

The majority of stakeholders expressed support for the use of regulations to provide more certainty around how certain statutory provisions should be interpreted. A key theme of the responses was the need for flexibility to allow organizations to implement requirements in a manner that fits their particular circumstances. The majority of business representatives were against overly prescriptive regulations and expressed the desire to make use of existing practices to meet their new obligations to the extent possible.

Another theme was the desire for harmonization with established best practices for breach reporting: in particular, existing guidance by the OPC for voluntary breach reporting and mandatory reporting requirements in Alberta and the European Union were cited.

Generally, there was some consensus on the need for regulations to clarify content and format of reports to the Commissioner and notifications to affected individuals. Likewise, there was a general desire to see further direction in regulations on record-keeping requirements. However, the majority of stakeholders indicated that guidelines may be more appropriate than regulations to provide further direction in certain areas, including the use of additional factors to be considered when conducting an assessment of risk and determining which third-party organizations should be informed of a breach.

The OPC concurred that guidance material would be appropriate in these areas to assist regulated organizations and indicated that it would take steps to provide the necessary material.

Several stakeholders called for regulations to speak to the role of encryption in a data breach: specifically, whether a data breach involving encrypted information could be presumed to carry a low risk of harm, effectively providing a “safe harbour” against mandatory notification. The OPC held an opposing view in its response, stating that there are other factors that influence the effectiveness of encryption, including the level of encryption employed and whether or not the encryption key has been compromised. As a result, despite the use of encryption there remains a possibility that personal information could be decrypted, potentially posing a real risk of significant harm to the individual involved.

Some stakeholders, including the OPC, called for data breach reports to include an assessment of the type of harm(s) that may result from the breach, in line with the approach in Alberta. However, the proposed Regulations do not prescribe this as mandatory content in order to address concerns that this type of information is speculative and hypothetical. Stakeholders also argued that it would be difficult for many small and medium-sized organizations to make such an assessment given that they may not have the expertise or resources to do so.

Some organizations proposed that the Regulations should specify which organization is required to undertake notification to individuals in situations where a breach occurs at a service provider or supplier organization. However, the majority held the view that determining which organization is responsible for conducting the notification should be in accordance with the existing Accountability Principle in Schedule 1 of PIPEDA, such that overall responsibility for ensuring compliance rests with the organization having control of the personal information in question. In some cases the term “control” does not necessarily equate to “custody,” but instead refers to overall responsibility for the personal information.

During consultations, many organizations called for a transition period between the publication of the final Regulations and the date of coming into force. They argued this would provide adequate time for organizations to implement required changes to information management systems and to train employees accordingly. Proposed transition periods ranged from 6 to 18 months.

Many organizations also raised concerns about the confidentiality of information contained in breach reports and breach records and the potential for inadvertent public disclosure of sensitive data security details or other proprietary information. It should be noted that the Digital Privacy Act amended the Access to Information Act (ATIA) to create a statutory exemption to the disclosure of any data breach record or data breach report in response to an access to information request. This amendment to the ATIA will come into force with PIPEDA's other data breach notification and reporting provisions found in Division 1.1 of PIPEDA.

Finally, some organizations called for the Regulations to reduce the scope of the statutory requirement for data breach record-keeping, such that organizations would only be required to keep records of “material” or significant breaches. However, the Government has clearly indicated that the purpose of the record-keeping provisions is to provide the Commissioner with an ability to determine whether or not organizations are tracking all breaches and complying with the requirements to report significant breaches and notify affected individuals.

“One-for-One” Rule

This regulatory proposal is not expected to directly increase the administrative burden on business and is therefore exempt from the “One-for-One” Rule.

Costs to regulated organizations resulting from this regulatory proposal are considered to be nominal, given that the administrative burden arises from the statutory obligations for reporting breaches to the Commissioner, notifying affected individuals, and for record-keeping imposed by the Digital Privacy Act. The proposed Regulations simply provide further specification on those obligations.

Small business lens

The small business lens does not apply because the estimated nationwide cost impact of this regulatory proposal is less than $1 million per year.

Implementation, enforcement and service standards

The proposed Regulations would come into effect at the same time as the statutory requirements pertaining to data breach reporting under Division 1.1 of PIPEDA. The coming into force of the statutory requirements will be established through a subsequent Order in Council once the Regulations are final.

The proposed Regulations will allow for a delayed coming into force after the publication of the Regulations. This will give regulated organizations time to adjust their policies and procedures accordingly and to ensure that systems are in place to track and record all breaches of security safeguards that they experience.

In the meantime, ISED will work with the OPC to identify areas where guidance material is required to assist organizations in interpreting and complying with their new obligations. Particular consideration will be given to providing guidance on conducting a risk assessment.

Enforcement of the proposed Regulations would reflect the existing compliance regime under PIPEDA, whereby the Commissioner is responsible for providing oversight and investigating complaints. Record-keeping plays a key role in the oversight regime — the Commissioner can conduct an audit or launch an investigation based on a record or group of data breach records. The OPC will also use data breach information to increase awareness and understanding of the extent and nature of data breaches in Canada.

New provisions for offences and fines for willful and deliberate contravention of these new requirements were imposed by the Digital Privacy Act. As per other contraventions and offences under PIPEDA, courts are authorized to impose fines pertaining to a contravention of the data breach reporting provisions and to order non-compliant organizations to change practices.

ISED will evaluate the need for amendments to the Regulations on an ongoing basis based on results of data breach reporting that are provided by the OPC, and on informal stakeholder feedback from regulated organizations.

Contact

Charles Taillefer
Director
Privacy and Data Protection Directorate
Marketplace Framework Policy Branch
Strategy and Innovation Policy Sector
Innovation, Science and Economic Development Canada
Telephone: 343-291-1774
Email: charles.taillefer@canada.ca

PROPOSED REGULATORY TEXT

Notice is given, pursuant to subsection 26(1) (see footnote a) of the Personal Information Protection and Electronic Documents Act (see footnote b), that the Governor in Council proposes to make the annexed Breach of Security Safeguards Regulations.

Interested persons may make representations concerning the proposed Regulations within 30 days after the date of publication of this notice. All such representations must cite the Canada Gazette, Part I, and the date of publication of this notice, and be addressed to Jill Paterson, Senior Policy Analyst, Digital Policy Branch, Spectrum, Information Technologies and Telecommunications (SITT) Sector, Innovation, Science and Economic Development Canada, CD Howe Building, 235 Queen Street, Room 162D, Ottawa, Ontario K1A 0H5 (email: jill.paterson@canada.ca).

Ottawa, August 14, 2017

Jurica Čapkun
Assistant Clerk of the Privy Council

Breach of Security Safeguards Regulations

Interpretation

Definition of Act

1 In these Regulations, Act means the Personal Information Protection and Electronic Documents Act.

Report to Commissioner

Report — content, form and manner

2 A report of a breach of security safeguards referred to in subsection 10.1(2) of the Act must be in writing and must contain

Notification to Affected Individual

Contents of notification

3 The notification provided by an organization, in accordance with subsection 10.1(4) of the Act, to an individual affected by a breach of security safeguards must contain, in addition to the information set out in that subsection,

Direct notification — manner

4 For the purposes of subsection 10.1(5) of the Act, direct notification is to be given to the affected individual

Indirect notification — circumstances

5 (1) For the purposes of subsection 10.1(5) of the Act, indirect notification is to be given to the affected individual by an organization in any of the following circumstances:

Indirect notification — manner

(2) For the purposes of subsection 10.1(5) of the Act, indirect notification is to be given to the affected individual in the following manner:

Record-Keeping

Record-keeping requirements

6 (1) For the purposes of subsection 10.3(1) of the Act, an organization must maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred.

Compliance

(2) The record referred to under subsection 10.3(1) of the Act must contain any information pertaining to the breach that enables the Commissioner to verify compliance with subsections 10.1(1) and (3) of the Act.

Report used as record

(3) A report to the Commissioner made under subsection 10.1(1) of the Act may be used by the organization as a record of the breach of security safeguards.

Coming into Force

S.C. 2015, c. 32

7 These Regulations come into force on the day on which section 10 of the Digital Privacy Act comes into force, but if they are registered after that day, they come into force on the day on which they are registered.

[35-1-o]