The Government of Canada published the final version of its breach of security safeguards regulations on April 18, 2018 as an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000.
Starting Nov. 1, 2018, PIPEDA will require organizations that suffer a data breach involving personal information to:
- Report the breach to the Privacy Commissioner of Canada.
- Give notice of the breach to affected individuals.
- Maintain records of data breaches.
PIPEDA is a federal statute, and BC’s privacy legislation does not currently require data breach reporting. However, if your business engages in inter-provincial or international transactions, you must comply with the data breach notification requirements under PIPEDA.
So, what is a data breach according to PIPEDA?
A breach of security safeguards refers to “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.”
Organizations must implement safeguards that protect personal information from:
- Loss or theft
- Unauthorized access
Under the new rules, organizations must notify individuals “as soon as feasible” after a breach has occurred. Failing to report a data breach, or deliberately failing to keep a record of the data breach, can lead to fines of up to $100,000 for each offense. Organizations must keep records of security breaches for at least two years after discovery.
To determine what sensitive information needs to be safeguarded, consider the impact of a potential breach. Could a breach at your organization result in significant harm, such as bodily harm, humiliation, damage to reputation, financial loss, negative effects on a credit record, loss of employment or damage to relationships?
What type of sensitive information do you collect and store? Where is the data stored and who has access to it? What security measures are in place to protect personal information?
If you haven’t already done so, conduct a review and identify the risks. Assess your data backup solution and re-evaluate your IT security. A multi-layered cybersecurity defense is the best way to protect against unauthorized access, use and copying of personal information.
Smart Dolphins can assist you in protecting your clients’ personal information by delivering a technology solution that helps prevent security breaches and ensures technical compliance with PIPEDA.