Canada’s Breach Reporting Law What you need to know Timothy M. Banks, CIPP/C Dentons Canada LLP July 21, 2015.

Quick facts
- Canada's Digital Privacy Act received Royal Assent on June 18, 2015.
- The Digital Privacy Act makes the first major amendments to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) since it was enacted.
- Four key amendments are discussed in this slide deck:
  - breach logs
  - breach reports to the Office of the Privacy Commissioner of Canada (OPC)
  - breach notifications to individuals
  - breach notifications to third parties
July 2015

Not yet in force
- Some of the amendments to PIPEDA contained in the Digital Privacy Act came into force immediately on Royal Assent. See the summary here: http://privacyanddatasecuritylaw.com/pipeda-amendments-in-force
- However, regulations are still required to set out the content of breach logs, breach reports and notifications, so the breach provisions are not yet in force.

Safeguards refresher
- What is clause 4.7? It is the provision of Schedule 1 (Principle 7, Safeguards) that says an organization must protect personal information by security safeguards appropriate to the sensitivity of the information, including:
  - physical measures, for example locked filing cabinets and restricted access to offices;
  - organizational measures, for example security clearances and limiting access on a "need-to-know" basis; and
  - technological measures, for example the use of passwords and encryption.

Key term: "breach of security safeguards"
- "Breach of security safeguards" is the key term.
- It is defined in s. 2(1) as "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards".
- Note that the definition also covers a failure to establish safeguards at all, not only the failure of safeguards that exist.

New obligations
New breach of security safeguards obligations:
- Maintain records of every breach of security safeguards (no harm test or threshold applies to the record-keeping duty).
- If the harm test is met: (a) report the breach of security safeguards to the OPC and (b) notify affected individuals.
- In certain circumstances, also notify third parties (other organizations and government institutions).

Breach logs
- Organizations must keep and maintain a record of every breach of security safeguards involving personal information under the organization's control (s. 10.3(1)).
- Regulations are to come addressing the content of the logs.
- Copies of these records must be provided to the OPC on request (s. 10.3(2)).
- The obligation appears to be limited to an actual loss of, unauthorized access to or unauthorized disclosure of personal information resulting from the breach.
- There is no harm test: every breach is logged, whether or not it must be reported or notified.

What can we expect the regulations to say?
Expect that the breach logs will be required to contain the following types of information:
- Containment
  - how the breach occurred
  - how it was detected
  - how it was contained
- Evaluation
  - the type of personal information in issue and what can be done with it
  - evidence of criminal motivation
  - what harm mitigation steps are in place
- Reporting / individual notification
  - who was notified, how, and what the content of the notification was
- Lessons
  - a remediation plan for avoiding further breaches

Key concept: "real risk of significant harm"
- "Significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property (s. 10.1(7)).
- This list is open-ended: the statute says "includes", so other kinds of harm may also qualify.
- "Real risk": the factors relevant to determining whether a breach creates a real risk of significant harm include the sensitivity of the affected personal information, the probability that the personal information has been, is being or will be misused, and any other factor prescribed by regulation (s. 10.1(8)).

Reporting to the OPC
- An organization must report to the OPC any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual (s. 10.1(1)).
- The report must be made as soon as feasible after the organization determines that the breach has occurred (s. 10.1(2)).

Notification of affected individuals
- Unless notification is prohibited by law, an organization must notify an individual of any breach of security safeguards involving the individual's personal information under the organization's control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual (s. 10.1(3)).
- The notification must contain sufficient information to allow the individual to understand the significance of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm (s. 10.1(4)).
- The notification must be conspicuous and given directly to the individual, except in prescribed circumstances where indirect notification is permitted (s. 10.1(5)).

Third-party notification
- An organization that notifies an individual must also notify any other organization, government institution or part of a government institution if the notifying organization believes that the other organization or institution may be able to reduce the risk of harm that could result from the breach or mitigate that harm (s. 10.2(1)).
- This notification must be made as soon as feasible after the organization determines that the breach has occurred (s. 10.2(2)).
- The notification may be made pre-emptively and without the knowledge or consent of the affected individual, provided that the disclosure is made solely for the purposes of reducing the risk of harm or mitigating that harm (s. 10.2(3)).

What may we expect in the regulations?
Reports to the OPC are likely to require at least the following information:
- a description of the circumstances of the breach
- the time period during which the breach occurred
- a description of the personal information affected
- the number of individuals affected
- an assessment of the risk of harm
- harm mitigation efforts
- the notification steps taken with affected individuals and third parties
- contact information for the organization

What else can we expect in the regulations?
Individual notification may be required to include at least the following:
- a description of the circumstances of the breach
- the date of the breach or the time period during which the breach occurred
- a description of the affected personal information
- a description of any steps that the organization has taken to reduce the risk of harm (including any third parties that have been notified)
- contact information for a person who can answer questions on behalf of the organization about the breach

Questions?
Timothy M. Banks
Dentons Canada LLP

© 2015 Dentons. Dentons is an international legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices.