Canada’s PIPEDA Breach Notification Regulations Are Finalized!


While the US — post-Target, post-Sony, post-OPM, post-Equifax — still doesn’t have a national data security law, things are different north of the border. Canada, like the rest of the world, has a broad consumer data security and privacy law, which is known as the Personal Information Protection and Electronic Documents Act (PIPEDA).

For nitpickers, there are also overriding data laws at the provincial level — Alberta and British Columbia’s PIPA — that effectively mirror PIPEDA.

Data Security and Privacy: It’s Better In Canada With PIPEDA

In any case, PIPEDA is a consumer-friendly law that’s based on Canadian-born Privacy by Design (PbD) principles. The law has privacy rules requiring consumer consent when collecting personal information and giving consumers the right to access and change their data when incorrect. And companies are obligated to put in place security safeguards and practices, such as data minimization, to limit risks and protect their data. Not surprisingly, PIPEDA is also similar to another PbD-inspired law, the EU GDPR.

Like the GDPR, PIPEDA’s definition of personal information is quite broad: it includes any data about an individual. Along with name, and other obvious identifiers, PIPEDA counts as personal information employee files, credit records, medical records, blood type, social status, and more.

Breach reporting must-haves as spelled out in the new regulation.

In June 2015, the Digital Privacy Act amended PIPEDA to include breach notification requirements. The Act defines a “breach of security safeguards” as a loss or unauthorized access or disclosure of personal information resulting from a breach of the organization’s security safeguards.

Those of you who’ve been following along with our coverage of various breach notification laws know that the use of “or” above is significant. In short: a breach can involve unauthorized access alone without disclosure, and that means hacking into systems and touching personal information counts as a breach. And in particular, a ransomware attack would be considered a breach under PIPEDA.

Under PIPEDA, organizations are required to notify the Privacy Commissioner of Canada and affected individuals “as soon as feasible” when there is a breach that creates a “real risk of significant harm” — which can include mere reputational harm — to an individual. It also requires them to keep a record of each breach of safeguards involving personal information, regardless of whether the breach results in a risk of significant harm.

With the breach notification law passed, Canadians had to wait for the Canadian government to finalize the nitty gritty details in new regulations yet to be written, and to set a date for the rules to go into effect. And wait.

PIPEDA’s Breach Notification Rule Goes Into Effect (in November)

A mere three years later, the government finally released the fine print of the regulation in January. If you’re truly interested, you can read the details here (skip past all the regulations on fisheries to page 149).

I scanned this riveting legal prose, so I can save you some time. If after analysis of an incident, it’s decided the breach will cause significant harm, the regulatory authority and the individuals affected will have to be notified with the breach details, including a description of the incident, the personal information accessed or taken, and what the company is doing about the breach (see the above legalese from the regulation).

But even if the risk to the affected individuals doesn’t merit a notification, the company still has to record basic information about the breach and retain it for 24 months.

These breach reporting rules will go into effect on November 1, 2018.

Varonis and PIPEDA

As with the GDPR and many other data security and privacy laws, Varonis can also help you comply with PIPEDA. You can learn more about how we support its key principles here.

For the new breach notification rules, our DatAlert product can monitor sensitive personal information and alert IT when this data is accessed, modified, or copied in an abnormal way. More specifically, our UBA threat models can catch ransomware as it accesses and encrypts files.

Want to learn more about how Varonis helps with breach monitoring and reporting? Ask for a free demo today!

 

 

 
