Federal Data Breach Regulations Take Effect Nov. 1, 2018

Updated: February 6, 2019

Beginning November 1, 2018, Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA) will require organizations that suffer a data breach involving personal information to report the breach to the Privacy Commissioner of Canada, give notice of the breach to affected individuals, and maintain records of data breaches that affect personal information.

In order to avoid fines and penalties, organizations will need to understand PIPEDA and its basic requirements.

Overview of PIPEDA Regulations

There are essentially three major sections of PIPEDA to be aware of: reports to the Commissioner, notifications to affected individuals, and record-keeping. The following is an overview of the requirements that organizations need to consider.

Reports to the Commissioner

If an organization suffers a breach of security safeguards involving personal information under its control and it is reasonable to believe that the breach creates a real risk of significant harm to an individual, then the organization must report the breach to the Commissioner after the organization determines that the breach has occurred. According to the regulation, a report to the Commissioner must be made in writing and contain the following information:

  • A description of the circumstances of the breach and, if known, the cause.
  • The day on which, or the period during which, the breach occurred.
  • A description of the personal information that is the subject of the breach.
  • An estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm.
  • A description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm.
  • A description of the steps that the organization has taken or intends to take to notify each affected individual of the breach.
  • The name and contact information of a person who can answer, on behalf of the organization, the Commissioner's questions about the breach.

Under the regulations, data breach reports can be submitted with the best information available to the organization at the time. This allows organizations to report breaches quickly and take the appropriate actions, even when key information regarding the incident is not yet available.

Communications to the Commissioner should be made via a secure means. Companies are encouraged to refer to the key steps in responding to a privacy breach released by the Commissioner, along with the Commissioner's supplementary information on responding to privacy breaches.

Requirements for Notifying Affected Individuals of a Data Breach

If an organization suffers a breach of security safeguards involving an individual’s personal information under the organization’s control and it is reasonable to believe that the breach creates a real risk of significant harm to the individual, then the organization must notify the individual of the breach. Notifications must be given as soon as possible after the organization determines a breach has occurred.

Notification to an affected individual must contain sufficient information to allow the individual to:

  1. Understand the significance of the breach.
  2. Take any available steps to reduce the impact of the breach.

Per the regulations, a notification to an affected individual must contain the following:

  • A description of the circumstances of the breach.
  • The day or time frame the breach occurred.
  • Descriptions of the type of personal information that was compromised during the breach.
  • A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm.
  • A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm.
  • A toll-free number or email address impacted individuals can use to obtain further information regarding the breach.

Notifications must be given directly to impacted individuals through an email, letter (delivered to the last known home address of the affected individual), telephone call, in-person conversation or other secure forms of communication if the affected individual consented to receive information from the organization in that manner. Under limited circumstances, organizations will be allowed to provide affected individuals with indirect notification of a data breach.

According to the regulations, organizations will be able to provide indirect notification only if any of the following applies:

  • A direct notification would cause further harm to the affected individual.
  • The cost of giving a direct notification is prohibitive for the organization.
  • The organization does not have contact information for the affected individual or the information that it has is out of date.

The regulations indicate that indirect notification may be given only either by a conspicuous message posted on the organization's website for at least 90 days, or by an advertisement that is likely to reach the affected individuals.

Record-keeping Requirements

PIPEDA requires organizations to maintain a record of every breach of security safeguards. The regulations state that organizations must maintain these records for a minimum of 24 months after the day on which the organization determines that the breach has occurred, and provide them to the Commissioner upon request. The record must contain sufficient information to enable the Commissioner to verify compliance with the data breach reporting and notification requirements above.

An important distinction here is that records must be maintained for every data breach, and not just those that create a real risk of significant harm. This means that organizations will be required to keep records of data breaches even if they don’t have to report the breach to the Commissioner or notify affected individuals.

Next Steps...

Organizations should take the proper steps to ensure they are PIPEDA compliant. While the new reporting and record-keeping requirements appear to place an administrative burden on organizations, companies that already have cyber security protocols in place will likely experience minimal impact. Some general preparations to consider include the following:

  1. Ensure you are informed on all the new requirements.
  2. Prepare for data breach scenarios.
  3. Train your employees.
  4. Update your internal processes.
  5. Assess your data storage and response strategies.
  6. Obtain the proper insurance coverage.

To learn more about the regulations, you can read a detailed impact analysis statement and the regulation’s text through the Canada Gazette. Scrivens Insurance and Investment Solutions will continue to monitor legislative changes and provide updates as necessary.
