Every day, hundreds of businesses across Canada have data incidents. From lost bins to hacked computers, businesses need to be aware of the privacy obligations they owe to their customers and clients. Indeed, businesses are now asking themselves not "what if I have a data breach?" but "when will I have a data breach?"
This new reality forces us to reflect upon a few questions:
1. What is personal information?
Personal information under PIPEDA is any information about an identifiable individual. It can be factual or subjective, and it does not have to be recorded in any particular form.
For example, it may include opinions, reviews, social insurance numbers, ethnicity, and financial information such as credit scores. It applies only to information about real people, not to corporations.
2. What governs privacy breaches?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal law that governs how private-sector organizations collect, use and disclose personal information in the course of commercial activity, and it is the main privacy law in Canada. Ontario and other provinces have their own public-sector legislation; however, private-sector Ontario businesses still need to follow PIPEDA's requirements.
3. When do you have to report a data incident?
Generally, there are three reasons why your business should report a data incident. Firstly, because the law requires it. PIPEDA requires an organization to notify the Privacy Commissioner and the affected individuals as soon as feasible after a breach of security safeguards that creates a real risk of significant harm to an individual (the "RROSH" test).
Secondly, you may have contractual obligations to do so. Sometimes contracts have clauses in them which oblige your business to disclose any data incidents.
Thirdly, best business practice. Even if you are not required by law to disclose a data incident, you may want to tell your clients anyways. You may want to alert your customers or clients to be vigilant of any potential threats to their personal information. Some businesses go so far as to offer complementary identity theft protection through third parties.
So, if I don't have to report anything, does that mean I can get away without doing anything? No. Even when an incident does not meet the RROSH threshold and you are not required to notify anyone, PIPEDA requires you to keep a record of every breach of security safeguards, retain it for 24 months, and provide it to the Privacy Commissioner on request. This record should include:
- date of the breach
- description of the breach
- nature of the information involved
- whether or not individuals were notified
- analysis of the RROSH test
4. What can be done to limit data incidents?
Beyond the familiar advice about using long passwords, there are a few less obvious ways to limit data incidents. One caveat on the old rule of changing passwords every 90 days: current guidance such as NIST SP 800-63B recommends against forced periodic rotation unless there is evidence of compromise, because routine rotation pushes users toward predictable variations of the same password. Length, a unique password per site, and a password manager do more good.
Firstly, multi-factor/two-factor authentication is essential. It adds a second layer of protection beyond the password, typically by requiring the user to approve the login on their phone, enter a code from an authenticator app, or touch a hardware security key, so a stolen password alone is not enough to get in. Where possible, prefer an authenticator app or a hardware key over SMS codes, which can be intercepted or redirected through SIM swapping. Twitter has it, Google has it, Facebook has it, and so should you.
One other best practice that is often overlooked is to keep a transfer log. A transfer log tracks the location and status of data-sensitive objects as they change hands: it records who picked up what, from whom, where, and at what time. Each recipient should sign off on the log to confirm receipt. The benefit is that when a data-sensitive object is lost you can quickly identify the last person who had confirmed control of it, and spot any handoff that was never acknowledged.
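As an added illustration (not part of the original post), here is a small transfer log in Python that applies the sign-off rule above: a handoff is recorded immediately, but custody only moves once the receiver acknowledges it, so an unacknowledged handoff still points back at the giver. The asset names, people, locations and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Handoff:
    """One line of the transfer log: who handed what to whom, where and when."""
    asset: str
    giver: str
    receiver: str
    location: str
    at: datetime
    acknowledged: bool = False      # receiver has signed off and confirmed receipt
    ack_at: Optional[datetime] = None


class TransferLog:
    """Append-only chain-of-custody log for data-sensitive objects."""

    def __init__(self) -> None:
        self._entries: list[Handoff] = []

    def record(self, asset: str, giver: str, receiver: str,
               location: str, at: datetime) -> Handoff:
        """Record a handoff. Custody does not move until the receiver acknowledges."""
        entry = Handoff(asset, giver, receiver, location, at)
        self._entries.append(entry)
        return entry

    def acknowledge(self, asset: str, receiver: str,
                    at: Optional[datetime] = None) -> bool:
        """Receiver signs off on their latest unacknowledged handoff for this asset."""
        for entry in reversed(self._entries):
            if entry.asset == asset and entry.receiver == receiver and not entry.acknowledged:
                entry.acknowledged = True
                entry.ack_at = at or datetime.now()
                return True
        return False  # nothing outstanding for this receiver

    def history(self, asset: str) -> list[Handoff]:
        """All handoffs of one asset in time order."""
        return sorted((e for e in self._entries if e.asset == asset), key=lambda e: e.at)

    def custodian(self, asset: str) -> Optional[str]:
        """Who last had confirmed control of the asset: the person to ask when it goes missing."""
        holder = None
        for entry in self.history(asset):
            # Custody passes only on a signed acknowledgement; an unacknowledged
            # handoff leaves the object with the giver (assumption matching the sign-off rule).
            holder = entry.receiver if entry.acknowledged else entry.giver
        return holder

    def unacknowledged(self) -> list[Handoff]:
        """Open handoffs: nobody confirmed receipt, so the object's status is unknown."""
        return [e for e in self._entries if not e.acknowledged]


def build_sample_log() -> TransferLog:
    """Constructed sample: one acknowledged handoff, then one the courier never signed for."""
    log = TransferLog()
    log.record("backup-tape-042", "alice", "bob", "Toronto office, server room",
               datetime(2023, 3, 1, 9, 0))
    log.acknowledge("backup-tape-042", "bob", datetime(2023, 3, 1, 9, 5))
    log.record("backup-tape-042", "bob", "courier-co", "Toronto office, loading dock",
               datetime(2023, 3, 2, 14, 0))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("last confirmed custodian:", log.custodian("backup-tape-042"))
    for open_handoff in log.unacknowledged():
        print("unacknowledged:", open_handoff)
```

Running the block reports `bob` as the last confirmed custodian, not the courier, because the courier never signed off; that open handoff is exactly the line an investigator would chase first when the tape goes missing.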
Businesses therefore need to work closely with their IT teams, data handlers, and processors to ensure adequate safeguards are in place. Businesses also need to work closely with a cybersecurity lawyer who can guide them through PIPEDA to make sure they are following the letter of the law. Failure to do so may result in a fine of up to $100,000. For more information, please feel free to contact me.