Breach of Security Safeguards Regulations

Submission to Innovation, Science and Economic Development Canada

October 2, 2017

Jill Paterson
Senior Policy Analyst
Digital Policy Branch
Spectrum Information Technologies and Telecommunications (SITT) Sector
Innovation, Science and Economic Development Canada
CD Howe Building, 235 Queen Street, Room 162D
Ottawa, Ontario K1A 0H5

Dear Ms. Paterson,

Re: Breach of Security Safeguards Regulations

The Office of the Privacy Commissioner of Canada (OPC) appreciates the opportunity to provide comments on the data breach regulations published in Part 1 of the Canada Gazette, dated September 2^nd 2017.^{Footnote 1}

The draft regulations posted in the Canada Gazette address some of the recommendations our Office made to the Department of Innovation, Science and Economic Development (ISED)^{Footnote 2} in response to their March 2016 breach discussion document.^{Footnote 3}

That said, a number of key issues recommended in our submission are absent in the regulations. We believe this may challenge the regulations’ ability to fully achieve the sought-after benefits to organizations, individuals and the Digital Economy.

In our view, the data breach reporting and notification regulations are a key instrument to improve security practices and consumer trust.

As a result, the OPC urges the Government to consider the following:

Content of Breach Reports to the Privacy Commissioner

Our Office believes that breach reports to the OPC provide the Privacy Commissioner with information necessary to assess the quality of organizations’ safeguards. Without this, our Office’s ability to improve security practices will be substantially hampered.

Omitting the requirement to report on the state of relevant safeguards sends a signal that prevention of breaches is less important than mitigation of breach impact after the fact.

As well, such information would give our Office the opportunity to supplement information obtained through breach records, allowing us to develop a broad understanding of the overall challenges with respect to security safeguards and breaches in the marketplace. In turn, this would support our ability to more effectively advise and guide organizations on how to improve their security practices and better protect Canadians’ personal information.

As recommended in our Office’s submission to the 2016 ISED discussion paper, we would once again urge the Government to consider that reports to the Privacy Commissioner contain an organization’s assessment of the risk of harm caused by the breach.

We believe that this crucial assessment requirement should be reflected in the data breach regulations. As the RIAS notes that the proposed requirements align with those of Alberta and the EU, we would note that this type of requirement, in some fashion, can be found in both those jurisdictions.^{Footnote 4}

If the intent of the data breach regulations is indeed to align the laws in Canada with those in other jurisdictions to standardize an organization’s reporting requirements and promote economic interests, as the RIAS states, our Office recommends that reports to the Privacy Commissioner should include similar assessments.

In addition to the data elements required to be reported to the Privacy Commissioner in the regulations, we refer to our 2016 submission to ISED and are of the position that these reports should include:

An assessment of the risk of harm to individuals resulting from the breach;
A list or description of third party organizations that were notified of the breach, pursuant to s. 10.2(1) of PIPEDA, as well as Privacy Enforcement Authorities from other jurisdictions;
A description of mitigation measures that have been or will be undertaken to contain the breach and reduce or control the risk of harm to affected individuals. Knowing what measures are being taken to prevent a further breach will be helpful from our perspective; and
A description of the organization’s relevant security safeguards, taking into consideration any improvements made or committed to, to protect against the risk of a similar breach reoccurring in the future.

As well, we note that the RIAS suggests that the data breach reports have broader public security benefits and will play a role in terms of a “much needed repository of information on data security incidents in Canada….” While we indeed support this objective, the utility of such a repository may be impacted if reports to the Commissioner do not contain key data elements, such as the assessment of harm.

Furthermore, while the RIAS suggests that organizations can provide additional information in a report to the Privacy Commissioner if they choose to, it is unclear to what extent organizations will voluntarily report on their assessments of real risk of significant harm (RROSH) or their assessment of the types of harms.

Record Keeping Requirements Require Clarity

The RIAS notes: “The proposed regulations will affirm that the purpose of data breach record-keeping is to facilitate oversight by the Commissioner to ensure compliance with the requirements to report to the Commissioner and notify affected individuals of significant breaches. This in turn will encourage better data security practices by the organizations.”

In order for recordkeeping to fulfill the intent identified in the RIAS, it would be important to have a set of prescribed data elements to facilitate oversight by the Privacy Commissioner and help organizations to approach record keeping in a consistent manner. We would like to reference our 2016 submission to ISED and are of the position that the following data elements should be recorded for any breach:

Date or estimated date of the breach;
General description of the circumstances of the breach;
Nature of the information involved in the breach; and
Summary and conclusion of the organization’s risk assessment leading to its decision whether to notify/report or not.

We also note that recordkeeping requirements have only been set for a minimum of twenty four (24) months, as opposed to five (5) years, as our Office had recommended. Part of the rationale for this retention period, as per the RIAS, is that twenty four (24) months aligns with limitations on initiating civil litigation. Our Office, though, believes that if the purpose of the regulations is to support economic interests, organizational health, and consumer trust, then reliance on a retention standard based on civil liability may overlook the benefits a slightly longer retention period will provide for companies, individuals, and the digital marketplace.

Our Office also believes that two (2) years is not a sufficient time frame to develop a wholesome assessment, as five (5) years will provide a clearer picture of how the various aspects of the breach are and have been addressed by an organization. In addition, five (5) years will allow the OPC and organizations to have a better understanding of risks – this would help improve the intelligence and analytical capabilities required for the OPC to identify any systemic issues and more effectively guide organizations develop better security practices.

Coming into Force

While we understand that the coming into force of the regulations has not yet been determined, our Office notes that ISED has heard from stakeholders that this should range from six (6) to eighteen (18) months.

The OPC understands that while there may indeed be an implementation window that is required, we would also note that organizations have been aware of the overall, upcoming mandatory data breach reporting and notification requirements since the updates to the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force in June 2015.

As other jurisdictions in Canada have long had data breach reporting and notification for the private sector, and the 2018 coming into force of the GDPR has macro-level economic and political considerations, the OPC is of the view that eighteen (18) months is too long, and recommends that a shorter time period be given in order to improve the landscape for organizations and individuals and bring Canada into line globally.

Concluding Remarks

As mentioned in the RIAS, ISED has offered to work with the OPC to identify areas where guidance material is required to assist organizations in interpreting and complying with their new obligations. The OPC appreciates this offer and looks forward to our on-going positive working relationship with ISED. We believe this collaboration will be particularly helpful as guidance is developed on reports to the Privacy Commissioner, risk assessment, and record keeping.

We await the finalization of the regulations, and their imminent coming into force, and the Government’s effort and commitment to improving the privacy landscape for all stakeholders in Canada.

Sincerely,

(Original signed by)

Barbara Bucknell
Director, Policy and Research

Footnotes

Footnote 1

Canada Gazette, Vol. 151, No. 35 — September 2, 2017

Return to footnote 1

Footnote 2

Office of the Privacy Commissioner of Canada, “Submission to Innovation, Science and Economic Development Canada: Discussion document on data breach notification and reporting regulations”, June 10th 2016

Return to footnote 2

Footnote 3

Innovation, Science and Economic Development Canada, “For Discussion — Data Breach Notification and Reporting Regulations”, March 4th 2016.

Return to footnote 3

Footnote 4

Alberta Personal Information Protection Act Regulation, Alberta Regulation 366/2003, with amendments up to and including Alberta Regulation 51/2010 requires that a notice provided by an organization to the Commissioner must be in writing and include “an assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure” (Section 19(30(d)). In addition, the General Data Protection Regulation states that in the case of a data breach the controller shall notify the personal data breach to the supervisory authority and amongst other things, shall describe the likely consequences of the personal data breach (Article 33(c)).

Return to footnote 4

Date modified:: 2017-10-10

Language selection

Search and menus

Search