New Data Breach Reporting Regime May Increase Data Breach Class Actions
On November 1, 2018, the “Breaches of Security Safeguards” provisions of the Digital Privacy Act are set to come into effect. McCarthy Tétrault has previously summarised the provisions here, which will add a new division to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The provisions will introduce mandatory requirements to report data breaches and to notify affected individuals. One impact of these new reporting obligations could be an increase in class proceedings against organisations that fail to protect the personal information of their clients and customers.
As more personal data is digitised and as organisations continue to move their interactions with clients online, the potential for inappropriate use of that data increases. The new reporting regime aims to protect individuals by requiring that all breaches of security safeguards involving personal information be reported to the Privacy Commissioner and to the affected individuals where there is a “real risk of significant harm to an individual”. Until now, no such mandatory reporting obligations existed, leaving the onus on individuals to file complaints with the Privacy Commissioner if they suspected a contravention of PIPEDA.
The reporting obligations can be quite broad. The definition of significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
As a result of the new requirements, individuals who may have, in the past, been unaware of a breach will now receive a detailed notification from the organisation if their personal data has been compromised in a manner that gives rise to a real risk of significant harm. These mandatory notifications will greatly increase the public’s awareness of data breaches, which may, in turn, increase the prevalence of class action litigation against impugned organisations.
In addition, for every breach of security safeguards involving personal information under an organisation’s control - even those that do not require mandatory notifications - that organisation will be required to keep and maintain adequate records of the breach for a minimum of two years after the incident. It is conceivable that these records might be producible in class action litigation, exposing the organisation to scrutiny for past breaches, and raising the spectre of additional litigation.
Large technology, communications and health care organisations are particularly at risk given the sensitivity of the data they hold and the media attention that any data breach will likely attract. Proactive plans to implement policies and processes to manage data safely and effectively are key to protecting against breaches and may help avoid costly class action litigation.