Security Breach Notices for Canadian Data
There’s some Canadian data on that lost laptop or hacked server. Do you have to notify individuals or authorities in Canada, as you are often required to do in the United States?
The US model of security breach notice laws has not been widely emulated abroad, although several jurisdictions are considering similar measures. Nevertheless, a duty to give notice of significant security breaches has been inferred in some cases from general principles found in comprehensive privacy and data protection laws in Europe, Canada, Japan, and elsewhere. Privacy commissioners in Canada have applied such general principles in publishing guidelines for companies suffering a data leak involving personal information. In addition, the province of Ontario expressly requires notice to individuals if their personal health information is compromised.
More recently, Special Commissions at the federal level and in the provinces of Alberta and British Columbia have recommended amending privacy legislation to mandate notification of material security breaches. Alberta is the first to act on this recommendation. Bill 54, amending Alberta’s Personal Information Privacy Act, will soon require organizations to notify potentially harmful security breaches to the Alberta Privacy Commissioner – who may then dictate the terms of notice to affected individuals.
As readers of this blog are no doubt aware, security breach notice laws have proliferated in the United States since California’s SB 1386 came into effect in 2003. Forty-five states, the District of Columbia, Puerto Rico, the Virgin Islands, and the US federal government (with respect to medical and financial data) have established obligations to notify potentially affected individuals, and sometimes relevant authorities, when there is reason to believe that the security of certain kinds of personal information has been compromised.
The focus in the US has been on the kinds of information most likely to be abused for purposes of identity theft and fraud. The “standard set” of personal information covered by state breach notice laws is limited to unencrypted, name-linked Social Security Numbers, driver’s license or other official state identification numbers, and bank account or payment card numbers (if the access code is compromised as well). The federal HITECH Act requires notice in many cases where personally identifiable medical information has been compromised, and several states require notice of security breaches involving health-related information or other data elements beyond the “standard set,” ranging from date of birth and mother’s maiden name to employer and tribal ID numbers.
American companies, nonprofits, and public entities are becoming familiar with breach notice obligations and consequences in the US, but some of the same security incidents also compromise data concerning individuals residing in other countries, most commonly Canada. US-based enterprises often ask how a data leak including protected information about Canadians should be handled.
While I am not a Canadian lawyer, I have had occasion to help clients determine how to address international data leaks, often with assistance from qualified Canadian counsel. Here are some important background facts and guiding principles gleaned from these experiences and from recent developments in Canadian law and official guidance:
PIPEDA and Provincial Privacy Laws
While Canada has not (yet) adopted federal breach notice legislation, relevant obligations are found in the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), which came fully into effect in 2004. PIPEDA’s Schedule 1 states ten “fair information principles” articulated by the Canadian Standards Association (CSA) for the collection, use, or disclosure of personal information. Unlike the American approach of protecting only specific kinds of personal information, PIPEDA defines personal information broadly as any information about an identifiable individual except business contact information.
PIPEDA applies to federal works, undertakings, or businesses (“FWUBs,” notably banks, telecommunications firms, transportation companies, and enterprises operating in the territories), as well as to inter-provincial and international commercial activities and to commercial activities within provinces that have not enacted similar privacy legislation.
However, under Canada’s constitution, employment matters are traditionally left to provincial law, so PIPEDA normally does not govern an employer’s handling of employee data unless the employer is an FWUB. Provincial law rather than PIPEDA also applies if the federal Governor in Council determines that provincial legislation is “substantially similar” to PIPEDA and incorporates the CSA fair information principles. So far, Alberta and British Columbia have enacted personal information protection acts (“PIPAs”) based on PIPEDA, and Quebec has an older personal data protection statute based on broadly similar principles. Ontario enacted a Personal Health Information Protection Act in 2004 modeled on PIPEDA’s approach to personal information, although the act concerns only health-related information. These four laws have been deemed “substantially similar” to PIPEDA.
The federal and provincial privacy commissioners are authorized to investigate compliance issues, including security breaches, as well as offering interpretation and guidance on the application of privacy laws. The commissioners may refer suspected violations to prosecutors. The commissioners’ guidance documents are not legally binding, but they serve to establish “best practices” in industry and are likely to be influential in court.
So, an American company suffering a data leak involving Canadian consumers normally looks to PIPEDA and guidance from the federal Privacy Commissioner, because the company is typically engaged in international or inter-provincial commerce. To the extent that the data leak involves Canadian employee data, the American company normally looks to provincial law, and only Alberta, British Columbia, and Quebec have PIPAs (and guidance from provincial privacy commissioners) governing employee privacy. If the incident involves health information in Ontario, the Ontario Personal Health Information Protection Act generally applies. (As in the US, there may also be liability for a security incident under tort or contract law, but the focus here is on laws and guidance concerning breach notice.)
Is Breach Notice Required under Canadian Privacy Laws?
PIPEDA does not explicitly address security breach notice to affected individuals or to the relevant privacy commissioner. However, PIPEDA (like the provincial PIPAs) regulates the authorized “collection, use or disclosure” of personal information, and lost or stolen personal information may be deemed an unauthorized collection or use of data, or, from the perspective of the responsible organization, an unauthorized “disclosure” of personal information.
Specifically, PIPEDA holds an organization “responsible for personal information under its control” (Sch. 1, sec. 4.1) and requires the organization to designate one or more individuals who are “accountable” for the organization’s compliance (Sch. 1, secs. 4.1.1, 4.1.2). The Act requires the organization to ensure a comparable level of protection, contractually or by other means, when the information is handled by a third party (Sch. 1, sec. 4.1.3). The consent of the individual is required for the collection, use, or disclosure of personal information, except where consent would be “inappropriate” (Sch. 1, sec. 4.3). Personal information is not to be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law (Sch. 1, sec. 4.5). Organizations must protect personal information with “security safeguards appropriate to the sensitivity of the information” (Sch. 1, sec. 4.7). A security breach might be viewed as a violation of any or all of these principles.
PIPEDA does not explicitly include a requirement to notify privacy commissioners or individuals of instances of noncompliance. Organizations are not required to register or report to privacy commissions, as in many European countries, although PIPEDA (like the provincial PIPAs) empowers the privacy commission to “audit” the personal information management practices of any organization if the commission has “reasonable grounds” to suspect a violation (PIPEDA sec. 18). The “openness” principle of PIPEDA and the provincial PIPAs directs organizations to make their personal information “policies and practices” readily available to individuals (PIPEDA Schedule 1, sec. 4.8), and the law provides that organizations must have procedures for receiving and responding to requests for information and complaints (Sch. 1, secs. 4.9, 4.10). Arguably, this may imply openness about known, substantial security failures, and it certainly means that the organization must have procedures in place for fielding any questions about an announced or suspected security breach involving personal information.
Privacy Commissioner Guidelines
Following widely publicized data breaches at a unit of the Canadian Imperial Bank of Commerce and Canadian subsidiaries of the US-owned TJX retail group, the federal Privacy Commissioner, in collaboration with the Privacy Commissioners of Alberta, British Columbia, and Ontario, issued a document entitled “Key Steps for Organizations in Responding to Privacy Breaches” (the “Guidelines”) in late 2007. The Guidelines define a breach as “an unauthorized access to, or collection, use or disclosure of, personal information.” “Unauthorized” refers to an act in violation of PIPEDA or similar provincial legislation, thus tying security breaches to compliance with the laws for which the privacy commissions are responsible. The Privacy Commissioner of Ontario issued similar guidance for health information custodians under the Ontario Personal Health Information Protection Act.
According to the federal Guidelines, an organization that becomes aware of an unauthorized access to personal information should consider the following steps and implement them to the extent necessary to mitigate harm:
1. Breach containment and preliminary assessment (shutting down systems, recovering records, designating a lead investigator, determining who needs to be notified inside and outside the organization, notifying the police of suspected criminal activity, preserving evidence)
2. Risk evaluation (kinds of data involved, causes and risk of further exposure, number and names of affected individuals, who received access to the data and what kind of harm could result)
3. Notification (see below)
4. Prevention of future breaches (security audit, assessment of policies, employee training)
Notification is to be determined on a case-by-case basis including the following factors:
• Individuals should be notified if the breach poses a risk of personal harm, including physical injury, identity theft, fraud, financial loss, loss of business or employment opportunities, humiliation, or damage to reputation or relationships.
• Individuals should be notified “as soon as possible” following assessment and evaluation of the breach.
• The preferred form of notification is direct – by phone, email, or postal mail. Indirect methods (such as media announcements) are appropriate only where direct notification could cause further harm.
• The organization with a direct relationship with the individuals should normally be the one to notify them.
• Notices should generally include descriptions of:
o The incident
o The information compromised
o Actions taken by the organization to mitigate harm
o Resources to help the individuals take protective measures.
• Notification may also be appropriate to other parties such as
o Privacy commissioners
o Police
o Licensing or other regulatory bodies
o Affiliates or business units
o Trade unions
o Third-party contractors affected by the breach
o Insurers
o Credit card issuers.
Unlike American breach notice statutes and regulations, which are legally enforceable, the Guidelines themselves do not have the force of law. Canadian lawyers emphasize, however, that courts are likely to defer to the expert commissions and consult the Guidelines in deciding whether an organization suffering a security breach has violated PIPEDA or a provincial PIPA, or whether the organization has met contractual expectations or a duty of reasonable care under tort law.
Other notable differences between the Canadian approach and US breach notice laws:
• Scope: US laws require breach notice for only certain kinds of unencrypted personal information, with an emphasis on preventing ID theft or protecting medical data. Canada’s PIPEDA and provincial PIPAs cover all personally identifiable information and all forms of harm.
• Encryption: Unlike US laws, Canada’s PIPEDA and PIPAs, as interpreted by privacy commissioners, do not expressly offer a “safe harbor” for encrypted data. However, encryption presumably should be taken into consideration in determining whether there has been “unauthorized access” to the data and whether there is a material risk of future harm.
• Notice to authorities: Some US laws mandate notice to specified authorities, such as law enforcement, regulatory, or consumer protection agencies. The Canadian laws are silent on this, but the Guidelines “encourage” organizations to report to the relevant privacy commission(s) and, where appropriate, to police and regulatory authorities and affected third parties.
• Notice to individuals: US laws make breach notice mandatory under specified conditions, while the Canadian Guidelines simply list factors to consider in determining whether notice is necessary.
• Form of notice: The Guidelines show a strong preference for direct notice to the affected individuals, delivered by the party with the closest relationship to the individuals. Many of the US breach notice laws permit (or require) mass media announcements where large numbers of individuals are involved or it is “impractical” to notify individuals directly.
Ontario’s Personal Health Information Protection Act
Although Ontario has not yet enacted a comprehensive PIPA, its Personal Health Information Protection Act already includes breach notice requirements for custodians of personal health information (sec. 12(2)):
“a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons.”
The Act appears to hold a health information custodian in Ontario responsible for breach notice regardless of where the breach occurs. A security breach at an American affiliate or service provider, for example, could trigger notice obligations on the part of the Canadian health information custodian.
Alberta’s Bill 54
While the federal government continues to consider proposed PIPEDA amendments, including provisions that would introduce specific breach notice requirements, the province of Alberta has gone ahead with Bill 54, amending Alberta’s PIPA. The bill, adopted by the legislature last year, has already received Royal Assent and will come into force on proclamation, which is likely to occur in the near future.
Bill 54 is significant for companies operating in Alberta or otherwise handling data concerning Alberta customers or employees. It increases penalties for noncompliance, imposes a duty to destroy personal information when it is no longer needed, and requires notice to individuals before transferring personal information to a foreign service provider, a practice that must also be described in the organization’s personal information management policies and procedures.
Importantly, Bill 54 also requires an organization to notify the Privacy Commissioner of Alberta if personal information under its control is lost, accessed, or disclosed to a third party without authorization and if “a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.” The details to be included in such a notice will be prescribed by regulation, and the Commissioner may request additional information concerning the breach.
Once notified, the Privacy Commissioner is authorized to require that the organization provide notice to affected individuals, under terms and conditions that the Commissioner deems appropriate in the circumstances, following an “expedited” procedure. The law expressly permits organizations to notify individuals on their own initiative, but the Commissioner may require additional notice.
If Alberta’s new law is a good indicator of where federal and provincial legislation is headed, companies can expect that significant data breaches in the future will typically involve a prompt notice to the relevant privacy commissioner(s) and some colloquy with their offices before sending notices to individuals in Canada. This represents a level of official involvement beyond what is common in the United States outside the investigation of potentially criminal acts of theft or fraud.