Recently, the Office of the Privacy Commissioner of Canada, provided details (see https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/) in respect of the new mandatory reporting requirements where breaches of security safeguards have occurred.
As of November 1, 2018, organizations subject to The Personal Information Protection and Electronic Documentation Act (PIPEDA), including small businesses, will be required to report breaches involving personal information that pose a “real risk of significant harm to individuals”, to the Privacy Commissioner of Canada. Also, standards for notification of affected individuals and retention of breach records must be followed.
Small businesses do not receive any particular exclusion or exception from the rules.
A “breach of security safeguards” is unauthorized access to, or unauthorized disclosure of, personal information resulting from a breach of an organization’s security safeguards, or from failure to establish safeguards. “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit records, and damage to or loss of property. The “real risk of significant harm” is determined in respect of the sensitivity of the personal information and the probability that it has been or will be misused.
Medical and income records are almost always considered sensitive, however, other information could also meet the definition.
When examining probability of misuse, one should consider the scope of information exposed, whether the breach was intentional, who likely has access to it, and how usable or protected that information was.
ACTION ITEM: Be prepared by reviewing protocol and obligations in respect of client information hacks and losses. Quick response can assist in rectifying the integrity of the data and the relationship with the client.