Discussion document on data breach notification and reporting regulations

Submission to Innovation, Science and Economic Development Canada

June 10, 2016

M. John Clare
Director, Data Protection and Privacy Policy Directorate
Innovation, Science and Economic Development
235 Queen Street
Ottawa, Ontario
K1A 0H5

Dear Mr. Clare:

I am pleased to provide the Office of the Privacy Commissioner of Canada’s (OPC) views on elements of the Personal Information Protection and Electronic Documents Act (PIPEDA) data breach reporting and notification requirements that may be prescribed in regulations.

You will recall that during his appearance before the House of Commons Standing Committee on Industry, Science and Technology (INDU), Privacy Commissioner, Daniel Therrien, expressed support for the new measures, indicating that mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information.

We appreciate the opportunity to provide our views on important regulatory specifications, particularly in light of our oversight function and role in developing guidance for organizations.

To the extent necessary, the Office will develop guidelines on responding to data breaches, to complement parameters set out in regulations and further assist organizations comply with their new responsibilities under PIPEDA.

Real Risk of Significant Harm

The analysis that organizations must perform to determine whether a breach of security safeguards involves a real risk of significant harm is at the core of PIPEDA’s new reporting and notification requirements. The OPC recognizes that ISED may wish to provide organizations, particularly small- and medium-sized firms, with more certainty on factors that are relevant in conducting this assessment. However, we note that the factors identified under subsection 10.1(8) of the Act already captures the key elements that organizations would need to consider in making their risk determination. If additional factors become necessary as we gain more experience with notifications, OPC guidance could outline these or, if necessary, the regulations could be amended.

To that end, we would suggest that additional assistance to organizations on conducting an assessment of risk can be provided in OPC guidance.

The discussion paper asks if the regulations should specify a presumed “low risk” in data breaches where appropriate encryption has been used. Similarly, comments are requested on how an appropriate level of protection should be defined. The OPC would take the position that appropriate use of encryption can indeed form part of a broader range of considerations when evaluating the probability that the personal information “has been, is being or will be misused”.

From that standpoint, the risk of harm associated with the loss, theft or inappropriate access of personal information may be significantly lowered by the use of appropriate encryption^{Footnote 1}. However, while appropriate encryption plays a significant role in reducing or eliminating the risk of harm associated with a breach, other considerations may influence its effectiveness.

For instance, as algorithms evolve, encryption standards once deemed strong may be eventually be rendered decipherable. Alternatively, organizations may also suffer compromise of its key management systems. In either case, personal information could then be easily decrypted^{Footnote 2}.

We also recognize that not all organizations will have the systems, resources or ability to map all vulnerabilities and risks, or be in a position to effectively mitigate these with encryption. They may not be able to confirm that information has not been rendered unusable, unreadable or indecipherable, or they may not even know whether a key has been breached. In such circumstances, the use of encryption should not be equated with a low risk to individuals.

Reports to the Privacy Commissioner of Canada

Reports to the Commissioner will perform a critical function in supporting the Commissioner’s oversight responsibilities with respect to how organizations respond to breaches. Accordingly, these reports should provide sufficient information so that the Office may effectively assess whether organizations are appropriately notifying individuals and evaluate whether they have applied appropriate measures to contain breaches, mitigate the risk of harm to individuals and prevent future breaches of a similar nature. Contents of the reports should also help identify and address systemic security and information-handling weaknesses.

To that end, we would suggest that the following elements be included in reports to the Commissioner:

Name of responsible organization;
Contact information of an individual who can answer questions on behalf of the organization;
Description of the known circumstances of the breach, including:

Estimated number of individuals affected by the breach;
Description of the personal information involved in the breach;
Date of the breach, if known, or alternatively estimated date or date range within which the breach is believed to have occurred;
A list of other organizations involved in the breach, including affiliates or third party processors;

An assessment of the risk of harm to individuals resulting from the breach;
A description of any steps planned or already taken to notify affected individuals, including:

date of notification or timing of planned notification;
whether notification has been or will be undertaken directly or indirectly and, when applicable, rationale for indirect notification;
a copy of the notification text or script;

A list or description of third party organizations that were notified of the breach, pursuant to s. 10.2(1) of PIPEDA, as well as Privacy Enforcement Authorities from other jurisdictions;
A description of mitigation measures that have been or will be undertaken to contain the breach and reduce or control the risk of harm to affected individuals,
A description of the organization’s relevant security safeguards, taking into consideration any improvements made or committed to, to protect against the risk of a similar breach reoccurring in the future.

You will note above that we suggest including in the report to the Commissioner a summary of the organization’s risk assessment. In addition to the utility to organizations of reporting on this assessment, the information would prove useful to the OPC in observing whether organizations are over-reporting and over-estimating the risk of harm associated with certain breaches. This description could also inform the OPC’s eventual development of complementary guidance to that effect.

We would also advise that reports to the Commissioner be undertaken in written form, with appropriate flexibility with respect to actual digital or paper format. As well, while organizations should undertake every effort to ensure that the content of original reports to the Office are complete and accurate, they should also be required to provide updated information and to submit addendums to reports, as soon as feasible, when substantial information provided in the original report has changed or has been found to be inaccurate or incomplete.

Notification to Individuals

The prescription of additional content requirements for notifications to individuals would provide important clarity and certainty about the type of information that organizations should communicate to individuals. With this additional information, individuals may be better able to understand the significance of the breach to them and reduce or mitigate the risk of harm.

The OPC’s “Key Steps for Organizations in Responding to Privacy Breaches” document provides a comprehensive list of elements to be included in individual notifications, and has proven effective in ensuring that individuals are provided with necessary information about breaches. Consistent with our “Key Steps” document, we would also note that the content of notifications should be permitted to vary depending on the particular breach and the method of notification chosen. Based on this document^{Footnote 3}, we would propose that the following elements be specified in regulations:

Description of the circumstances of the breach incident;
Date of the breach, if known, or alternatively estimated date or date range within which the breach is believed to have occurred;
Description of the personal information involved in the breach;
Description of the steps taken by the organization to control or reduce the harm;
Steps the individual can take to reduce the harm or further mitigate the risk of harm;
Contact information of an individual who can answer questions about the breach on behalf of the organization;
Information about right of recourse and complaint process under PIPEDA.

Organizations should be permitted to use a variety of communication methods to directly notify individuals, including but not limited to, in-person discussions, telephone calls, emails or mailed letters, depending on the circumstances. The regulations should be technology neutral, such that other effective digital means of communications, including those that could be developed in the future may also be used. Methods employed must be documented, verifiable, and the notice given must be in plain language and stated in such a manner that an individual can reasonably understand the information provided.

Whether in the content of the notification itself, or in selecting the method or methods of notification, organizations should ensure that they do not increase the risk of harm to the individual associated with the breach.

The discussion document seeks views on whether the regulations should set-out specific requirements for notifications to be conspicuous and distinct from other communications. Given the variety of methods that can be used to notify individuals and the highly context-specific nature of these communications, we would suggest that information on how to make notifications clearly visible and design them in a way to attract attention, might lend itself better to guidance.

Indirect notification

The Office would propose that organizations only be permitted to notify individuals indirectly in specific circumstances:

When direct notification is likely to cause undue further harm, for example when direct notification may alert others, such as family members of the purchase of a product or access to a service by the individual which the individual would wish to keep confidential;
When giving direct notification to every affected person on an individual basis would involve prohibitive costs to the organization and unreasonably interfere with its operations;
When the contact information for affected individuals is not known, for instance when the contact information is unavailable, out of date, incomplete or inaccurate.

Once organizations have demonstrated that they may validly use indirect notification, they should have flexibility in how they indirectly notify affected individuals. The ways in which individuals may be indirectly notified is highly context-specific and as such, we would recommend against prescribing specific methods of indirect notification. Rather, there should be flexibility in methods used, in order to ensure that the information reaches the intended audience. To that end, our understanding is that organizations could engage in both direct and indirect notification of individuals.

We propose that a number of functional characteristics may be specified to assist organizations in maximizing the probability that indirect notification will reach affected individuals. For instance:

The method used should reflect the geographic market of the organization’s commercial activities along with the geographic distribution of affected individuals;
It should also be relevant to the type of product or service provided by the organization and appropriate to the nature of the interaction between the organization and the individual;
The notice should be posted for a sufficient length of time. As well, notices should be in clear and plain language, and stated in a manner that an individual can reasonably understand the information provided;
Regulations should, in certain circumstances, permit indirect notification through a guardian or authorized representative where appropriate;
As well, consideration should be given to the possibility of allowing organizations to use a third party to notify on their behalf, provided measures are taken to ensure that the accountability for notifying remains with the organization and that any disclosure and use of personal information necessary to enable notification is compliant with the Act.

Notification to Third Parties

As drafted, subsection 10.1(2) is sufficiently broad and would allow an adequate range of third party organizations to be notified in support of the measure’s policy objectives.

We would not suggest that further conditions be prescribed to require organizations to notify third parties of breaches. As a privacy protection statute, PIPEDA does not compel disclosures. Rather, it is permissive in nature.

Record-Keeping

The new record-keeping requirement will provide the OPC with a useful window into how organizations respond to breaches of security safeguards. As noted in the ISED Discussion Paper, it will “… provide a mechanism for the Privacy Commissioner to provide oversight of the data breach reporting and notification requirements set out in Section 10.1 of the Act.”

In his opening statement to the House of Commons Standing Committee on Industry, Science and Technology (INDU) on Bill S-4, the Digital Privacy Act, Commissioner Therrien emphasized the important role to be played by the new record keeping requirement. In particular, he noted that “…Requiring organizations to keep a record of breaches and provide a copy to my Office upon request will give my Office an important oversight function with respect to how organizations are complying with the requirement to notify.”

To that end, records kept and maintained by organizations should include sufficient information to demonstrate compliance with PIPEDA’s new notification requirements and should contain sufficient information to enable the Office to effectively perform its oversight functions. The content of these records should also assist the OPC in understanding the process through which organizations determine whether or not to notify affected individuals.

Consequently, we believe that the following data elements should be included in records of breaches:

Date or estimated date of the breach;
General description of the circumstances of the breach;
Nature of information involved in the breach;
Summary and conclusion of the organization’s risk assessment leading to its decision whether to notify/report or not.

Note that records need not contain personal information.

All breaches, including those reported to the OPC, should be documented and recorded on an individual, non-aggregated basis. With respect to retention, we would suggest that records be maintained for a period of five years from the date of creation of the record, after which records could be destroyed, unless they are the object of or are relevant to a Commissioner investigation, audit or compliance agreement or if the matter is the object of a hearing before the Federal Court.

In the discussion document, ISED asks whether regulations should clarify that the obligation to maintain a data breach record applies only to data breaches for which the organization has actual knowledge. In our view, this would not be necessary and may in fact raise some risks. For one, such language risks organizations not putting in place measures to detect and assess breaches. It also risks them taking unnecessary steps or discussions with our Office about whether the organization knew or not about a breach.

Other Issues

In response to ISED’s stated interest in hearing about any other issues that should be considered in the drafting of the regulations, the Office would suggest that in developing regulations, ISED should consider and reflect situations where affected individuals reside in jurisdictions outside of Canada. In light of the borderless nature of commercial activity, particularly in the online world, organizations that are subject to PIPEDA may collect personal information which pertains to individuals who reside outside of Canada. Generally, organizations are required by the Act to protect the personal information under their control of all individuals, regardless of where they reside. As such, the data breach notification and reporting requirements should consider the extent to which organizations may have to notify individuals outside of Canada who may be affected by a data breach undergone by an organization subject to PIPEDA. Regulations should therefore be crafted to ensure that they do not create any barriers to or inhibit any cross-border notifications that may be required. While we would not recommend the following as a regulatory requirement, we would generally advise organizations that, when they have actual knowledge that individuals affected by a breach of security safeguards reside outside of Canada, they should consider the breach notification laws of those jurisdictions. Further, organizations should also consider notifying the relevant Privacy Enforcement Authority in those jurisdictions, where practicable and feasible.

As well, while notification aims to allow affected individuals to understand the impact of the breach to them and take steps to reduce the risk of harm or mitigate the harm, there may be challenges associated with language. It may be reasonable to require that notification to affected individuals in other jurisdictions be made in the same language as that used during their interactions with the organizations.

Finally, we note that the discussion document indicates that the new data breach requirements will come into force once the Government passes final regulations. As you develop and finalize the regulations, we would be prepared to develop guidelines that will complement the content of regulations and provide additional compliance assistance for organizations. We look forward to engaging with ISED and other stakeholders in the development of these guidelines.

Sincerely,

Original signed by

Barbara Bucknell
Director, Policy and Research

Footnotes

Footnote 1

In considering an appropriate level of protection, the definition of “encrypted” in California’s Data Security Breach Reporting law, (California Civil Code Section 1798.82 at subsec. 1798,.82(i)(4)) may be useful: “… “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security”.

Return to footnote 1

Footnote 2

For reference see breach notification guidance issued by the U.S. Department of Health and Human Services: “Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached.”

Return to footnote 2

Footnote 3

This is also consistent with Subsection 19.1(1) of Alberta’s Personal Information Protection Act Regulation, Alberta Regulation 366/2003.

Return to footnote 3

Date modified:: 2016-06-22

Language selection

Search and menus

Search