Canada’s Breach Reporting Law What you need to know Timothy M. Banks, CIPP/C Dentons Canada LLP July 21, 2015.

2 Quick facts
- Canada’s Digital Privacy Act received Royal Assent on June 18, 2015
- The Digital Privacy Act makes the first major amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) since it was enacted
- Four key amendments discussed in this slide deck:
  - Breach logs
  - Breach reports to the Office of the Privacy Commissioner of Canada (OPC)
  - Breach notifications to individuals
  - Breach notifications to third parties
July 2015

3 Not yet in force
- Some of the amendments to PIPEDA contained in the Digital Privacy Act went into force immediately
- See the summary here: http://privacyanddatasecuritylaw.com/pipeda-amendments-in-force
- However, regulations are still required setting out the content of breach logs, breach reports and notifications, so the breach provisions are not yet in force

4 Safeguards refresher
- What is clause 4.7? That’s the provision that says that an organization must establish safeguards appropriate to the sensitivity of the information, including:
  - Physical measures: for example, locked filing cabinets and restricted access to offices;
  - Organizational measures: for example, security clearances and limiting access on a “need-to-know” basis; and
  - Technological measures: for example, the use of passwords and encryption.

5 Key term: “breach of security safeguards”
- “Breach of security safeguards” is the key term
- It is “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in cl. 4.7 of Schedule 1 or from a failure to establish those safeguards” (s. 2(1))

6 New obligations
New breach of security safeguards obligations:
- Maintain records of breaches of security safeguards (no harm test/threshold)
- If the harm test is met: (a) report a breach of security safeguards to the OPC and (b) notify affected individuals
- Also must notify third parties in certain circumstances

7 Breach logs
- Organizations must keep and maintain a record of every breach of security safeguards involving personal information under the organization’s control (s. 10.3(1))
- Regulations to come addressing the content of the logs
- Copies of these records must be provided to the OPC upon request (s. 10.3(2))
- Appears to be limited to an actual loss, unauthorized access to or unauthorized disclosure of personal information resulting from the breach
- No harm test

8 What can we expect the regulations to say?
Expect that the breach logs will be required to contain the following types of information:
- Containment
  - How the breach occurred
  - How it was detected
  - How it was contained
- Evaluation
  - Type of personal information in issue and what can be done with it
  - Evidence of criminal motivation
  - What harm mitigation steps are in place
- Reporting / Individual Notification
  - Who was notified? How?
  - What was the content of the notification?
- Lessons
  - Remediation plan for avoiding further breaches

9 Key concept: “real risk of significant harm”
- “Significant harm” includes: bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property (s. 10.1(7))
  - This list is open-ended
- “Real risk”
  - Factors include the sensitivity of the affected personal information, the probability that the personal information has been, is being or will be misused and any other factor prescribed by regulation (s. 10.1(8))

10 Reporting to the OPC
- Report to the OPC any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm (s. 10.1(1))
- Report must be made as soon as feasible after the organization determines that the breach has occurred (s. 10.1(2))

11 Notification of affected individuals
- Notification of affected individuals if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual, unless notification is prohibited by law (s. 10.1(3))
- Notification must contain sufficient information to allow the individual to understand the significance of the breach and to take steps to reduce the risk of harm that could result from it or to mitigate the harm (s. 10.1(4))
- Notification must be conspicuous and be given directly to the individual, except in prescribed circumstances (s. 10.1(5))

12 Third-party notification
- Notify other organizations and government organizations if the other organization may be able to reduce the risk of harm that could result from the breach (s. 10.2(1))
- Notification must be made as soon as feasible after the breach is discovered (s. 10.2(2))
- Notification may occur pre-emptively and without the consent of the affected individual, provided that it is made solely for the purpose of reducing the risk of harm (s. 10.2(3))

13 What may we expect in the regulations?
Reports to the OPC are likely to require at least the following information:
- A description of the circumstances of the breach
- The time period of the breach
- A description of the personal information affected
- The number of individuals affected
- An assessment of the risk of harm
- Harm mitigation efforts
- Notification steps to affected individuals and third parties
- Contact information for the organization

14 What else can we expect in the regulations?
Individual notification may require at least the following:
- A description of the circumstances of the breach
- The date of the breach or the time period during which the breach occurred
- A description of the affected personal information
- A description of any steps that the organization has taken to reduce the risk of harm (including any third parties that have been notified)
- Contact information for a person who can answer questions on behalf of the organization about the breach

15 Questions?
Timothy M. Banks
Dentons Canada LLP
timothy.banks@dentons.com
416-863-4424

© 2015 Dentons. Dentons is an international legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices.
