Hard on the heels of legislation requiring mandatory reporting of data breaches for the private sector come recommendations for a similar overhaul of the public sector. The introduction of an explicit requirement by the federal government to force companies to publicly admit to breaches will enable swift responses from the class actions bar when they occur.
“Generally, federal and provincial legislation seem to be going towards two things — mandatory reporting to the privacy commissioner and mandatory notification to individuals,” says Patrick Hawkins of Borden Ladner Gervais LLP in Toronto.
In relation to the private sector, s. 10.1 of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) requires mandatory reporting of data breaches that pose a substantial risk of harm to individuals. The new legislation was passed in 2015, underwent a consultation period in 2016 and is expected to come into force once regulations have been passed. The Ministry of Innovation, Science and Economic Development Canada advises that regulations will be published this year and will be subject to public consultation and a transition period.
Ted Charney of Charney Lawyers of Toronto considers these legislative changes to be an “absolute necessity.”
“Just as a defective product requires mandatory reporting, by analogy, a privacy breach poses a risk to consumers, and the company is not in a position to assess the degree of risk because of their self-interest,” says Charney.
He has observed that most privacy breaches go unreported.
“To the extent that organizations do not divulge, customers do not become aware of the breach. If they suffer identity theft or fraud or some other privacy breach, they don’t know it’s related to a particular organization,” he says.
The Office of the Privacy Commissioner of Canada has a voluntary data-breach reporting program, and some organizations subject to PIPEDA participate as a matter of best practice.
“Probably every month there are six to 12 privacy breaches that go undetected and unreported,” Charney estimates. “That’s a figure I know because businesses that assist insurance companies and other organizations get six to 12 new cases on a monthly basis, whereas the degree of reporting to the Privacy Commission is one or two a month.”
One aspect of the changes to PIPEDA is that there is a threshold for the reporting requirement to kick in. Section 10.1 provides that organizations must determine if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. They must consider the sensitivity of the personal information involved and the probability that the personal information is being, or will be, misused.
“We have to see how that gets interpreted by the Privacy Commissioner and the courts,” says Hawkins. “Not every potential breach gets triggered. It’s a meaningful threshold.”
Jillian Swartz of Allen McDonald Swartz LLP of Toronto points out that if a company has decided to notify its customers or clients about a breach, it has admitted that it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm. “That will be music to class action lawyers’ ears,” she says.
“This will open up a whole new niche area in class actions.”
In fact, Charney has some concerns about it being left up to the organization to decide what constitutes “reasonable circumstances,” as is laid out in PIPEDA.
“Reporting should be mandatory for all breaches and then it’s up to the privacy commissioner whether to notify the customers or not,” he says.
“If companies are not prepared to notify them voluntarily, the decision should be made by the commissioner.”
In relation to the public sector, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled a report in December 2016 entitled “Protecting the Privacy of Canadians: Review of the Privacy Act.”
It includes recommendations “to create an explicit requirement for government institutions to report material breaches of personal information to the Office of the Privacy Commissioner of Canada in a timely manner” and “to notify affected individuals of material breaches of personal information, except in appropriate cases, provided that the notification does not compound the damage to the individuals.”