Page 24 - Sheppard Mullin Eye on Privacy 2018 Year in Review
(i.e., do the circumstances of the breach make the information more or less sensitive) and how to assess the probability of misuse (i.e., was the information exposed to individuals who have a low likelihood of sharing the information in a way that could cause harm, such as in the case of an accidental disclosure to unintended recipients). In cases where there is no real risk of significant harm, notification is not required irrespective of how many people’s information is involved in the incident.
Under PIPEDA, as amended, if notification to individuals is required, it must be done “as soon as feasible” after the company determines a breach has occurred, and must be conspicuous and contain sufficient information to allow the individual to understand the significance of the breach and take steps to mitigate the harm. The OPC’s draft guidance explains that such written notification should avoid legalese and be easy to read. Under the OPC’s regulations, the notification must also include an explanation of what happened and when it happened, what personal information was involved, what the organization has done in response to the breach, and provide contact information where people can get more information.
In addition to notifying the impacted individuals, under PIPEDA (as amended), organizations will also have to notify the OPC and any other organization (governmental and private) that could help minimize the risk of harm. In its draft guidance, the OPC explains that these other organizations could include law enforcement, banks, and credit card processors. Like notification to impacted individuals, notification to the OPC must occur as soon as feasible after the breach. The OPC’s draft guidance explains that such notice should occur “as soon as feasible” even if not all the information (e.g., the cause or planned mitigation measures) is known or confirmed. The OPC guidance further clarifies that organizations may add or correct information as it becomes available. Under PIPEDA, the obligation to notify the OPC extends to a breach involving any personal information that an organization has “under its control,” which means that in cases where a company’s information is breached while in the hands of a vendor, both the vendor and the company would need to notify the OPC. To make notification to the OPC easier and uniform, the OPC guidance attaches a breach reporting form to be used when reporting breaches to the OPC.
Finally, under PIPEDA, regardless of whether an incident is reportable, an organization must document the breach and analysis and keep the record for two years. The record must include a description of the incident, including when it happened and what information was involved. It must also document whether notification was made, and if not, why it was determined that there was not a real risk of serious harm.
PUTTING IT INTO PRACTICE: While the PIPEDA amendments have been pending for three years, and the OPC has promulgated further regulations, the OPC’s September 17th announcement indicates there is still uncertainty around what exactly will be required of companies that experience a breach. Companies that hold or control information on Canadian residents have one more opportunity to impact the final requirements or pose questions for clarity in the OPC’s guidance, and should submit their views before the October 2nd deadline.
Louisiana’s Breach Notification Law Update Now In Effect
Posted on August 1, 2018
As we wrote when the law passed, Louisiana updated its data breach notification statute earlier this year. The new law becomes effective today (August 1), and comes close on the heels of the July 20th effective date of Arizona’s update to its breach law. As modified, the Louisiana law adds biometric information as well as state ID and passport numbers to the definition of personal information. It also joins a trend toward specific notification timelines by requiring that notice be made within 60 days of the discovery of the breach. The law also requires that companies keep written records of unreported breaches for five years. Companies must provide that record to the state Attorney General if requested.
PUTTING IT INTO PRACTICE: Companies with breach notice plans should keep in mind the 60-day requirement, the record-keeping requirement, and the modification to the definition of personal information under the now-amended law.