1-888-643-2217 Email ABEX
Keeping you updated

Tag Archives: data breach

Federal Data Breach Regulations Take Effect Nov. 1, 2018


Starting Nov. 1, 2018, Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) will require organizations that suffer a data breach involving personal information to:

  1. Report the breach to the Privacy Commissioner of Canada (Commissioner).
  2. Give notice of the breach to affected individuals.
  3. Maintain records of data breaches that affect personal information.

In order to avoid fines and penalties, organizations will need to understand PIPEDA and its basic requirements.


PIPEDA is Canada’s federal privacy law that governs the collection, use and disclosure of personal information in the course of commercial activities by private sector organizations and federally regulated businesses. In 2015, PIPEDA was amended by the Digital Privacy Act (DPA), an act that made a number of important changes to PIPEDA.

While most of the amendments contained in the DPA came into force in 2015, the mandatory data breach notification, reporting and record-keeping provisions weren’t initially enforced. Instead, the law indicated that they would be brought into force only after corresponding regulations were finalized.

On Sept. 1, 2017, the Canadian government published draft regulations relating to these requirements. The government accepted public comments on the draft regulations until Oct. 2, 2017, after which time the government completed its consultation process. The government recently published and announced that mandatory breach notifications under the PIPEDA will be enforced beginning Nov. 1, 2018.

The amended PIPEDA applies to organizations’ commercial activities across all provinces, except in provinces where equivalent privacy laws exist. To date, Alberta, British Columbia and Quebec have implemented laws deemed to be substantially similar to PIPEDA. Moreover, New Brunswick, Newfoundland and Labrador, Nova Scotia and Ontario are partially exempt from PIPEDA, as these provinces have adopted similar legislation with respect to personal health information.

Overview of the Regulations

There are effectively three major sections of PIPEDA to be aware of—reports to the Commissioner, notifications to affected individuals and record-keeping. The following is an overview of the requirements that employers need to consider:

Reports to the Commissioner

If an organization suffers a breach of security safeguards involving personal information under its control and it is reasonable to believe that the breach creates a real risk of significant harm to an individual, then the organization must report the breach to the Commissioner after the organization determines that the breach has occurred. According to the regulation, a report to the Commissioner must be made in writing and contain the following information:

  • A description of the circumstances of the breach and, if known, the cause.
  • The day on which, or the period during which, the breach occurred.
  • A description of the personal information that is the subject of the breach.
  • An estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm.
  • A description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm.
  • A description of the steps that the organization has taken or intends to take to notify each affected individual of the breach.
  • The name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

Under the regulations, data breach reports can be submitted with the best information available to the organization at the time. This allows organizations to report breaches quickly and take the appropriate actions, even when key information regarding the incident is not yet available.

Communications to the Commissioner should be made via a secure means. Companies are encouraged to refer to the key steps in responding to a privacy breach released by the Commissioner. These steps, as well as supplementary information on responding to breaches, can be found here.

Requirements for Notifying Affected Individuals of a Data Breach

If an organization suffers a breach of security safeguards involving an individual’s personal information under the organization’s control and it is reasonable to believe that the breach creates a real risk of significant harm to the individual, then the organization must notify the individual of the breach. Notifications must be given as soon as possible after the organization determines a breach has occurred.

Notification to an affected individual must contain sufficient information to allow the individual to:

  1. Understand the significance of the breach.
  2. Take any available steps to reduce the impact of the breach.

Per the regulations, a notification to an affected individual must contain the following:

  • A description of the circumstances of the breach.
  • The day or time frame the breach occurred.
  • Descriptions of the type of personal information that was compromised during the breach.
  • A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm.
  • A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm.
  • A toll-free number or email address impacted individuals can use to obtain further information regarding the breach.

Notifications must be given directly to impacted individuals through an email, letter (delivered to the last known home address of the affected individual), telephone call, in-person conversation or other secure form of communication if the affected individual consented to receiving information from the organization in that manner. Under limited circumstances, organizations will be allowed to provide affected individuals with indirect notification of a data breach. According to the regulations, organizations will be able to provide indirect notification only if:

  • A direct notification would cause further harm to the affected individual.
  • The cost of giving a direct notification is prohibitive for the organization.
  • The organization does not have contact information for the affected individual or the information that it has is out of date.

The regulations indicate that indirect notification may be given only by either a conspicuous message, posted on the organization’s website for at least 90 days, or by means of an advertisement that is likely to reach the affected individuals.

Record-keeping Requirements

PIPEDA requires organizations to maintain a record of every breach of security safeguards. The regulations state that organizations must maintain these records for a minimum of 24 months after the day on which the organization determines that the breach has occurred, and provide them to the Commissioner upon request. The record must contain sufficient information to enable the Commissioner to verify compliance with the data breach reporting and notification requirements above.

An important distinction here is that records must be maintained for every data breach, and not just those that create a real risk of significant harm. This means that organizations will be required to keep records of data breaches even if they don’t have to report the breach to the Commissioner or notify affected individuals.

Next Steps

Organizations should take the proper steps to ensure they are PIPEDA compliant. While the new reporting and record-keeping requirements appear to place an administrative burden on organizations, companies that already have cyber security protocols in place will likely experience minimal impact. Some general preparations to consider include the following:

  1. Ensure you are informed on all the new requirements.
  2. Prepare for data breach scenarios.
  3. Train your employees.
  4. Update your internal processes.
  5. Assess your data storage and response strategies.
  6. Obtain the proper insurance coverage.

To learn more about the regulations, you can read a detailed impact analysis statement and the regulation’s text through the Canada Gazette.

© Zywave, Inc. All rights reserved

Only 4 in 10 Businesses Have Data Breach Policies in Place

Last year, the Office of the Privacy Commissioner of Canada (OPC) ordered a telephone survey—2017 survey with Canadian businesses on privacy-related issuesof around 1,014 Canadian businesses. The goal of this survey was to learn how knowledgeable organizations are on privacy issues and requirements, understand the types of privacy policies and practices they have in place, and determine their privacy information needs.

The following were some key findings from the survey:

  • Only 4 in 10 companies surveyed have policies or procedures in place in the event of a breach.
  • When asked to rate their level of concern regarding a future data breach, the results were split. Overall, nearly half (48 per cent) expressed at least a moderate level of concern while 50 per cent expressed low or no concern at all. The OPC said that this data indicates concern over data breaches has decreased among Canadian businesses over previous years.
  • Around 68 per cent of respondents placed an emphasis on protecting their customers’ personal data. In addition, according to data from previous OPC reports, consumer concern about privacy breaches remains high. In fact, 85 per cent of Canadians indicated that news reports about privacy breaches affected their willingness to share personal information.

Among other things, the OPC survey illustrates a disconnect between organizational beliefs regarding data protection and the existence of real privacy policies. Despite continued, high-profile cyber breaches and increasing customer concern, many companies surveyed remain complacent with their level of security.

The OPC will use these survey results to enhance its outreach efforts and more effectively guide organizations on their privacy responsibilities.

© Zywave, Inc. All rights reserved

Up to 100,000 Bell Customers Impacted by Data Breach

Bell Canada, one of the nation’s largest telecommunications companies, announced Tuesday, Jan. 23 that up to 100,000 customers were affected by a data breach. The company has said that hackers likely obtained sensitive customer information, including subscriber names, phone numbers, account names and email addresses. At this time, there is no indication that credit card numbers or other banking information was compromised.

The company is advising customers to change their passwords and security questions. Affected users should also be on the lookout for suspicious activity, as cyber criminals will likely use the lost email addresses and user profiles to carry out more harmful phishing and social engineering scams.

Bell is currently working with law enforcement and the Office of the Privacy Commissioner of Canada to investigate the event. Officials are looking to determine how the breach occurred, what Bell is doing to mitigate the situation and potential follow-up actions.

This latest breach comes just eight months after 1.9 million customer emails were stolen from Bell’s database by an anonymous hacker. High-profile cyber security events are becoming commonplace, and organizations must continue to conduct security audits, review their record retention polices and provide employee training if they are to prevent future breaches. While customers can’t prevent companies from being hacked, they can take the following steps to reduce the risk of losing personal information:

  • Encrypt data whenever possible.
  • Back up data.
  • Use anti-malware protection.
  • Update phones and computers regularly.
  • Secure wireless networks.
  • Use a firewall.
  • Make passwords complex and change them often.
  • Avoid clicking suspicious links or navigating to deceptive websites.

To read the official statement from Bell regarding its most recent data breach, click here.

© Zywave, Inc. All rights reserved

What Should Canadians Affected by Equifax Data Breach Do?

Equifax, one of the largest credit reporting agencies in the United States, was recently the victim of a massive cyber attack—an attack that may have compromised the personal information of 143 million people.

Impacted individuals were not simply limited to the United States either, as the hackers gained unauthorized access to personal information of certain Canadian and U.K. residents. Initial reports suggest 209,000 credit card numbers were stolen in the attack, some of which may belong to international customers.

The breach itself occurred between mid-May and July 2017 when cyber criminals gained access to sensitive data by exploiting a weak point in website software. In the United States, sensitive information like Social Security numbers, birthdays, addresses and driver’s licence numbers were compromised.

The recent attack on Equifax is the third major cyber security threat the organization has experienced since 2015 and one of the largest risks to personally sensitive information in recent years. The attack is so severe, in fact, it’s likely that anyone with a credit report was affected.

If you are concerned that you may have been impacted by the breach, Equifax has set up a website to help individuals determine if any of their personal information may have been stolen.

It should be noted that it may not be obvious that you are a customer of Equifax, as the company gets its data from credit card companies, banks and lenders that report on credit activity. As such, it’s important to follow the appropriate steps and check to see if your information was compromised.

Additionally, you should review your online bank and credit card statements on a weekly basis. This will help you monitor any suspicious activity.

Equifax will work with regulators in Canada and the United Kingdom to determine appropriate next steps.

© Zywave, Inc. All rights reserved

Is Your Organization Ready for Mandatory Data Breach Notifications?


On June 18, 2015, the Digital Privacy Act (DPA) received royal assent and became law. Among other things, the DPA amended the Personal Information Protection and Electronic Documents Act (PIPEDA) by revising consent requirements, introducing mandatory breach notification and record-keeping requirements, and adding significant fines for non-compliance.

While many of the measures introduced by the DPA have been in force since the bill was first enacted, the government held off on imposing mandatory breach reporting until the proper regulations were implemented.

Such regulations could be in place as early as fall 2017, and organizations will want to ensure that they know what is expected of them in order to remain compliant and avoid costly fines as high as $100,000.

Mandatory Data Breach Notifications

The DPA imposes reporting requirements for every organization in Canada that suffers a data breach, particularly if that data breach creates a real risk of significant harm to the personal information of one or more individuals. While the full extent of the reporting requirements will not be known until the corresponding regulations are published, the DPA defines significant harm broadly to include the following:

  • Bodily harm
  • Humiliation
  • Damage to reputations or relationships
  • Loss of employment, business or professional opportunities
  • Financial loss
  • Identity theft
  • Negative effects on credit records
  • Damage to or loss of property

Most often, the existence of “a real risk of significant harm” will be based on the sensitivity of the personal information involved in the breach, the probability that the personal information will be misused and additional factors that may be prescribed by the forthcoming regulations.

If a breach causing significant harm to one or more individuals occurs, the affected organization must do the following, as soon as feasible:

  • Report the incident to the Office of the Privacy Commissioner of Canada (Privacy Commissioner).
  • Notify affected individuals of the breach and provide them with information on how they may minimize the harm caused by the breach.
  • Inform other organizations and government entities of the breach, especially if they believe that doing so could reduce risks or mitigate harm.

Notices must contain enough information to help affected individuals fully understand the extent of harm caused by the breach. Additionally, notices must be conspicuous and provided directly to affected individuals. However, in limited circumstances, indirect notices may be permitted. Once again, more detail will be available to organizations once the forthcoming regulations are published.

Record-keeping Requirements

Another key change under the DPA will be the requirement that organizations keep records of all security breaches involving personal information. While it is still unclear the level of detail these records will need to contain, it is clear that the Privacy Commissioner will have the right to request and review these records at any time.

Penalties for Non-compliance

Under the DPA, fines up to $100,000 may be imposed against organizations that knowingly violate the mandatory breach notification requirements or breach record-keeping requirements. Until the regulations are finalized, it will remain unclear if a violation will include a single incident (for example, a single failure to notify all individuals impacted by a breach) or each incident (for example, each failure to notify each individual impacted by a breach). However, it is clear that the Privacy Commissioner now has the ability to impose significant fines for non-compliance.

What Does this Mean for Organizations?

Mandatory data breach notifications could impact any organization that is at risk of a cyber attack. Given the reach of the DPA and upcoming regulations, all organizations should consider doing the following:

  • Review and update existing protocols and policies to account for detecting, responding and reporting data breach incidents internally.
  • Assess the types of information—personal information, intellectual property, supplier data, etc.—they hold and how they would respond in the event of a breach.
  • Create a data breach incident response plan if one does not already exist. Such a plan should include methods for notifying the Privacy Commissioner and any impacted individuals.
  • Ensure that they have sufficient insurance in place and have taken the steps to mitigate any litigation exposures. Such steps often include requiring employee training, performing security audits and identifying cyber security vendors.

Organizations should review the DPA to ensure they are compliant with all aspects of the legislation.

© Zywave, Inc. All rights reserved



Receive notifications of new posts automatically.


Like us on Facebook

Connect with us on LinkedIn