1-888-643-2217 Email ABEX
Keeping you updated

Federal Data Breach Regulations Take Effect Nov. 1, 2018

Overview

Starting Nov. 1, 2018, Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) will require organizations that suffer a data breach involving personal information to:

  1. Report the breach to the Privacy Commissioner of Canada (Commissioner).
  2. Give notice of the breach to affected individuals.
  3. Maintain records of data breaches that affect personal information.

In order to avoid fines and penalties, organizations will need to understand PIPEDA and its basic requirements.

Background

PIPEDA is Canada’s federal privacy law that governs the collection, use and disclosure of personal information in the course of commercial activities by private sector organizations and federally regulated businesses. In 2015, PIPEDA was amended by the Digital Privacy Act (DPA), an act that made a number of important changes to PIPEDA.

While most of the amendments contained in the DPA came into force in 2015, the mandatory data breach notification, reporting and record-keeping provisions weren’t initially enforced. Instead, the law indicated that they would be brought into force only after corresponding regulations were finalized.

On Sept. 1, 2017, the Canadian government published draft regulations relating to these requirements. The government accepted public comments on the draft regulations until Oct. 2, 2017, after which time the government completed its consultation process. The government recently published and announced that mandatory breach notifications under the PIPEDA will be enforced beginning Nov. 1, 2018.

The amended PIPEDA applies to organizations’ commercial activities across all provinces, except in provinces where equivalent privacy laws exist. To date, Alberta, British Columbia and Quebec have implemented laws deemed to be substantially similar to PIPEDA. Moreover, New Brunswick, Newfoundland and Labrador, Nova Scotia and Ontario are partially exempt from PIPEDA, as these provinces have adopted similar legislation with respect to personal health information.

Overview of the Regulations

There are effectively three major sections of PIPEDA to be aware of—reports to the Commissioner, notifications to affected individuals and record-keeping. The following is an overview of the requirements that employers need to consider:

Reports to the Commissioner

If an organization suffers a breach of security safeguards involving personal information under its control and it is reasonable to believe that the breach creates a real risk of significant harm to an individual, then the organization must report the breach to the Commissioner after the organization determines that the breach has occurred. According to the regulation, a report to the Commissioner must be made in writing and contain the following information:

  • A description of the circumstances of the breach and, if known, the cause.
  • The day on which, or the period during which, the breach occurred.
  • A description of the personal information that is the subject of the breach.
  • An estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm.
  • A description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm.
  • A description of the steps that the organization has taken or intends to take to notify each affected individual of the breach.
  • The name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

Under the regulations, data breach reports can be submitted with the best information available to the organization at the time. This allows organizations to report breaches quickly and take the appropriate actions, even when key information regarding the incident is not yet available.

Communications to the Commissioner should be made via a secure means. Companies are encouraged to refer to the key steps in responding to a privacy breach released by the Commissioner. These steps, as well as supplementary information on responding to breaches, can be found here.

Requirements for Notifying Affected Individuals of a Data Breach

If an organization suffers a breach of security safeguards involving an individual’s personal information under the organization’s control and it is reasonable to believe that the breach creates a real risk of significant harm to the individual, then the organization must notify the individual of the breach. Notifications must be given as soon as possible after the organization determines a breach has occurred.

Notification to an affected individual must contain sufficient information to allow the individual to:

  1. Understand the significance of the breach.
  2. Take any available steps to reduce the impact of the breach.

Per the regulations, a notification to an affected individual must contain the following:

  • A description of the circumstances of the breach.
  • The day or time frame the breach occurred.
  • Descriptions of the type of personal information that was compromised during the breach.
  • A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm.
  • A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm.
  • A toll-free number or email address impacted individuals can use to obtain further information regarding the breach.

Notifications must be given directly to impacted individuals through an email, letter (delivered to the last known home address of the affected individual), telephone call, in-person conversation or other secure form of communication if the affected individual consented to receiving information from the organization in that manner. Under limited circumstances, organizations will be allowed to provide affected individuals with indirect notification of a data breach. According to the regulations, organizations will be able to provide indirect notification only if:

  • A direct notification would cause further harm to the affected individual.
  • The cost of giving a direct notification is prohibitive for the organization.
  • The organization does not have contact information for the affected individual or the information that it has is out of date.

The regulations indicate that indirect notification may be given only by either a conspicuous message, posted on the organization’s website for at least 90 days, or by means of an advertisement that is likely to reach the affected individuals.

Record-keeping Requirements

PIPEDA requires organizations to maintain a record of every breach of security safeguards. The regulations state that organizations must maintain these records for a minimum of 24 months after the day on which the organization determines that the breach has occurred, and provide them to the Commissioner upon request. The record must contain sufficient information to enable the Commissioner to verify compliance with the data breach reporting and notification requirements above.

An important distinction here is that records must be maintained for every data breach, and not just those that create a real risk of significant harm. This means that organizations will be required to keep records of data breaches even if they don’t have to report the breach to the Commissioner or notify affected individuals.

Next Steps

Organizations should take the proper steps to ensure they are PIPEDA compliant. While the new reporting and record-keeping requirements appear to place an administrative burden on organizations, companies that already have cyber security protocols in place will likely experience minimal impact. Some general preparations to consider include the following:

  1. Ensure you are informed on all the new requirements.
  2. Prepare for data breach scenarios.
  3. Train your employees.
  4. Update your internal processes.
  5. Assess your data storage and response strategies.
  6. Obtain the proper insurance coverage.

To learn more about the regulations, you can read a detailed impact analysis statement and the regulation’s text through the Canada Gazette.

© Zywave, Inc. All rights reserved


Canada Ranks Third Among Countries Most Vulnerable to Cyber Attacks

According to The National Exposure Index, a report released by cyber security vendor Rapid7 Labs, Canada ranks third on a list of countries most vulnerable to cyber attacks. The goal of the report was to determine which countries are most at risk for deliberate, wide-scale breaches.

Countries were ranked based on their unencrypted services on the public internet, services on the internet that are unsuitable for public access and services that are subject to abuse. Notably, researchers found that countries with the most risk have a significant investment in, and reliance on, a safe and stable internet.

Other interesting findings include the following:

  • The top five countries in the 2018 exposure ranking were the United States, China, Canada, South Korea and the United Kingdom. Together, these countries control over 61 million servers on at least one of the ports surveyed.
  • There are 13 million exposed endpoints associated with direct database access.
  • There are about 40,000 unpatched, out-of-date servers. These servers are at risk of being targeted in future, large-scale disrupted denial-of-service attacks.
  • Mature and traditionally profitable countries are not the only ones that rely on a healthy internet. As of 2018, more than half of the entire world maintains an active internet presence.

Rapid7 Labs hopes internet service providers can use these findings, with the help of policy-makers, to create a more secure global internet. To read the full report, click here.

© Zywave, Inc. All rights reserved


Recognizing and Responding to Workplace Impairment

When workers are impaired on the job, whether by fatigue, the use of drugs or the consumption of alcohol, there can be serious consequences. Specifically, impairment of any kind can directly affect one’s ability to perform their duties in a safe manner.

As an employer, it’s your utmost responsibility to maintain a safe workplace. As such, it’s important to know how to identify and respond to workplace impairment. The following are some common signs, symptoms and behaviours to look out for:

  • Personality changes or erratic behaviour
  • A noticeable decline in appearance or personal hygiene
  • Poor performance or changes in work quality
  • Poor balance and unsteady walking
  • Consistent lateness, absenteeism or reduced productivity

When it comes to responding to impairment incidents, it’s critical to remember the scope of an employer’s obligations. It’s not an employer’s job to diagnose an employee’s dependency problem. However, employers can observe changes in attendance, performance and behaviour, and respond accordingly. Employers need to act in non-judgmental ways, provide support and practise empathy. Be sure to focus on solutions and, if disciplinary action is necessary, follow through.

Following any incident, employers and supervisors should file an incident report. In general, these reports outline the incident, identify the employee’s actions, detail what was discussed, list who was notified of the incident, note what actions were taken and recommend follow-up steps.

If you are considering building a policy around workplace substance testing, it is recommended that you seek legal counsel. If handled improperly, substance testing can infringe on employee rights and lead to serious issues and even legal recourse.

© Zywave, Inc. All rights reserved


5 Major Construction Trends

In order to stay competitive and set your construction firm up for success, the following are five major construction trends to follow this year:

  1. Technology advancements—The construction industry is notoriously slow at adopting new technologies. However, firms may soon have no choice but to pivot their business practices, as 3D printing, cloud applications and drone usage will likely boom.
  2. Modular and prefabrication construction—In 2017, modular and prefabrication construction grew in popularity due to its cost effectiveness and efficiency. This trend will likely continue, especially when you consider that material prices aren’t expected to fall.
  3. An increased focus on safety—The construction industry is consistently ranked as one of the most dangerous. Following higher levels of scrutiny, expect a continued focus on crafting better safety procedures and utilizing more safety technology.
  4. Continued labour shortages—Labour shortages in the construction industry are nothing new and will likely continue to plague firms across the country. With a small pool of qualified candidates, firms may struggle to find enough skilled craft workers to meet growing demands.
  5. Sustainability—Over the last few years, firms may have noticed a greater emphasis on green products and construction practices. Sustainability will be important throughout 2018, and companies that fail to consider their environmental impact may lose out on new projects.

Organizations can’t always predict what factors will have the greatest impact on future business. However, with the above trends in mind, companies can avoid major risks and ensure they remain competitive.

© Zywave, Inc. All rights reserved


Employment Practices Liability Insurance

From hiring new workers to assigning duties, each of your decisions affects employees in a unique way. Although these actions are critical to running your business, they also create exposures that could lead to costly claims by employees or governmental regulators. Even if they are not warranted, claims for wrongful employment practices can disrupt operations, damage your business’s reputation, hurt employee morale and negatively impact your bottom line.

Thankfully, businesses can rely on employment practices liability (EPL) insurance to protect against a wide range of wrongful employment practices claims, including wrongful termination, discrimination, sexual harassment and retaliation.

Claims Scenario: Litigation Frustration

The company: An auto dealership that relies heavily on the performance of its salespeople

The challenge: A Toronto-based auto dealership employs a number of salespeople who, when performing at a high level, contribute greatly to the company’s bottom line. One such salesperson, who had put up great numbers in the past, saw a marked decline over the last few years. In addition, this salesperson had become increasingly hostile toward customers.

After frequent warnings and poor performance reviews, the salesperson was let go. However, this salesperson quickly fired back with a wrongful dismissal lawsuit, claiming they had been fired based on their age. Cases like these often fetch well over $100,000.

EPL insurance in action: One of the key benefits of EPL insurance is how it responds to actual and alleged acts. In the example above, EPL insurance can provide ample defence cost coverage, which, in turn, protects the organization and its directors and officers.

What’s more, the type of claims EPL policies respond to are vast. In fact, EPL insurance can help organizations fight claims related to breaches of contract, wrongful terminations and non-compliance with employment laws.

Claims Scenario: Take All Complaints to Heart or Get Taken to Court

The company: A small health club with only a few employees

The challenge: A local health club employs just 10 workers, most of whom are male. While the staff members seem to get along from the employer’s perspective, one of the female trainers expressed private concerns to her manager.

Specifically, the female employee felt uncomfortable with the way her male peers spoke to each other when they were around her. In addition, she felt that she was unfairly overlooked for a recent promotion due to her sex.

Because the employer felt this employee wasn’t being treated any differently, they didn’t take any corrective action or address any of her behavioural concerns. As a result, a sexual harassment lawsuit was quickly filed against the company.

EPL insurance in action: Sexual harassment cases are becoming increasingly common and can affect businesses of all sizes. While organizations need to take reports of harassment seriously, EPL insurance can help organizations respond effectively to claims.

Furthermore, many policies provide additional resources companies can use to boost their risk management practices. Notably, EPL insurance can connect businesses to human resources consultation, which can be invaluable when avoiding legal action.

Benefits of EPL Insurance

  • Coverage for alleged acts—EPL insurance not only protects organizations from actual wrongful acts, but alleged acts as well. Specifically, EPL coverage can safeguard an organization from claims related to discrimination, harassment, retaliation and wrongful termination.
  • Timely responses to lawsuits—Employees suing their employers is common, and organizations will want to be prepared. This is especially important when you consider that there is no cap on how much a jury can award and that settlements in employment-related cases can easily reach six figures.
  • Access to legal help—Strong EPL policies provide the insured with access to legal resources. This can prove invaluable if you need advice quickly.
  • Risk management strategies—While employment-related lawsuits can arise at any time, organizations that take the time to implement basic risk controls are better equipped to avoid claims altogether. Many insurance companies provide access to risk management training and human resources consulting. These services can greatly reduce the likelihood that your company is sued by an employee.

Learn More About EPL Insurance

Business leaders make decisions each day on a range of issues including things like hiring, firing, compensation, promotions and the work environment. Every one of these decisions impacts your employees and, depending on the outcome, could result in a claim related to wrongful employment practices.

Claims for wrongful employment practices are on the rise and often lead to business interruptions and costly claims. In order to truly protect your organization, it’s critical to seek EPL insurance. To learn more, contact your insurance broker today.

© Zywave, Inc. All rights reserved


Blog

FOLLOW OUR BLOG

Receive notifications of new posts automatically.



ABEX - AFFILIATED BROKERS EXCHANGE IS ON FACEBOOK.

Like us on Facebook

Connect with us on LinkedIn