Record Your Breaches: Prepare for Breach Record Inspections from Federal Privacy Commissioner
At a recent presentation, the Deputy Commissioner (Compliance) of the Office of the Privacy Commissioner of Canada (“Commissioner”) stated that his office would be conducting breach record inspections this summer. Five to eight businesses will be subject to record inspections. The Deputy Commissioner said the inspections will be across Canada but in a single sector, though did not name the sector.
Under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), organizations are required to “maintain a record of every breach of security safeguards involving personal information under its control”. A “breach of security safeguards” means any "loss of, unauthorized access to or unauthorized disclosure of personal information” resulting from a breach of security safeguards or failure to establish security safeguards. Organizations are required to keep a record of each breach of security safeguards, irrespective of the scope of the breach or the sensitivity of the personal information involved. The record keeping obligation is triggered by any breach, even if the organization determines that there is no “real risk of significant harm” arising from the breach (a real risk of significant harm is what triggers the obligation to report to the Commissioner and notify the affected individuals and, potentially, certain third parties). Organizations are also required to “provide the Commissioner with access to, or a copy of, a record” on request (Section 10.3 of PIPEDA). The record retention period is two years and the record must include “any information that enables the Commissioner to verify compliance” with the mandatory breach notification provisions of PIPEDA (Section 6 of the Breach of Security Safeguard Regulations). Knowingly contravening the mandatory breach notification provisions is an offence that carries a penalty of up to $100,000.
How to Prepare
To prepare for breach record inspections, we recommend organizations take the following steps:
- Verify that your organization is keeping records of each actual or potential breach of security safeguards, including:
- records that contain everything you must include in a report to the Commissioner had your organization reported the breach (as set out in the Breach of Security Safeguard Regulations); and
- your framework for assessing whether a breach of security safeguards results in a real risk of significant harm to the affected individual, including your basis for determining why it was not necessary to report the breach (that is, on what basis you concluded that, in the circumstances you did not believe that the breach created a real risk of significant harm to the affected individual).
- Audit your breach records to verify that they include all of the information that is required by the Breach of Security Safeguard Regulations.
- Consider how many potential breaches of security safeguards that your privacy/legal/compliance departments have investigated. If the number is low, or zero, investigate if breaches are going unreported. Common breaches include lost or stolen devices (phones, laptops, hard drives, etc.), misdirected emails and phishing attempts. One challenge with breach notifications is that employees do not always know that they must report the breach. Another problem is that many security teams treat breaches of security safeguards simply as a security issue and fail to escalate to legal or the other members of a multi-disciplinary incident response team. Accordingly, it is critically important that your incident response plan include proper employee training and clear incident response and escalation guidelines.