Focus: Mandatory reporting of breaches spreads

Hard on the heels of legislation requiring mandatory reporting of data breaches for the private sector come recommendations for a similar overhaul of the public sector. The introduction of an explicit requirement by the federal government to force companies to publicly admit to breaches will enable swift responses from the class actions bar when they occur.

“Generally, federal and provincial legislation seem to be going towards two things — mandatory reporting to the privacy commissioner and mandatory notification to individuals,” says Patrick Hawkins of Borden Ladner Gervais LLP in Toronto.

In relation to the private sector, s. 10.1 of the federal Personal Information and Electronic Documents Act requires mandatory reporting of data breaches that pose a substantial risk of harm to individuals. The new legislation was passed in 2015, underwent a consultation period in 2016 and is expected to come into force once regulations have been passed. The Ministry of Innovation, Science and Economic Development Canada advises that regulations will be published this year and will be subject to public consultation and a transition period.

Ted Charney of Charney Lawyers of Toronto considers these legislative changes to be an “absolute necessity.”

“Just as a defective product requires mandatory reporting, by analogy, a privacy breach poses a risk to consumers, and the company is not in a position to assess the degree of risk because of their self-interest,” says Charney.

He has observed that most privacy breaches go unreported.

“To the extent that organizations do not divulge, customers do not become aware of the breach. If they suffer identity theft or fraud or some other privacy breach, they don’t know it’s related to a particular organization,” he says.

The Office of the Privacy Commissioner of Canada has a voluntary data-breach reporting program, and some organizations subject to PIPEDA participate as a matter of best practice.

“Probably every month there are six to 12 privacy breaches that go undetected and unreported,” Charney estimates. “That’s a figure I know because businesses that assist insurance companies and other organizations get six to 12 new cases on a monthly basis, whereas the degree of reporting to the Privacy Commission is one or two a month.”

One aspect of the changes to PIPEDA is that there is a threshold for the reporting requirement to kick in. Section 10.1 provides that organizations must determine if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. They must consider the sensitivity of the personal information involved and the probability that the personal information is being, or will be, misused.

“We have to see how that gets interpreted by the Privacy Commissioner and the courts,” says Hawkins. “Not every potential breach gets triggered. It’s a meaningful threshold.”

Jillian Swartz of Allen McDonald Swartz LLP of Toronto points out that if a company has decided to notify its customers or clients about a breach, it has admitted that it’s reasonable in the circumstances to believe that the breach creates reasonable risk. “That will be music to class action lawyers’ ears,” she says.

“This will open up a whole new niche area in class actions.”

In fact, Charney has some concerns about it being left up to the organization to decide what constitutes “reasonable circumstances,” as is laid out in PIPEDA.
“Reporting should be mandatory for all breaches and then it’s up to the privacy commissioner whether to notify the customers or not,” he says.

“If companies are not prepared to notify them voluntarily, the decision should be made by the commissioner.”

In relation to the public sector, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled a report in December 2016 entitled “Protecting the Privacy of Canadians: Review of the Privacy Act.”

It includes recommendations “to create an explicit requirement for government institutions to report material breaches of personal information to the Office of the Privacy Commissioner of Canada in a timely manner” and “to notify affected individuals of material breaches of personal information, except in appropriate cases, provided that the notification does not compound the damage to the individuals.”

Free newsletter

Our daily newsletter is FREE and keeps you up to date on all the developments in the Ontario legal community. Please complete the form below and click on subscribe for daily newsletters from Law Times.

Recent articles & video

‘Insurmountable’ access to justice issues could come from Ontario’s Crown immunity change

CLUC welcomes new members

Laila Paszti joins Norton Rose Fulbright as of counsel

Ontario should switch to no-cost class actions, law commission says

AG names nominating authority for construction disputes

Fasken’s Sarah Graves joins Kidney Cancer Canada board

Most Read Articles

Lawyer's negligence case sheds light on rules for expert witnesses

Citing blog post, judge says lawyer withheld key case law

Small claims court judges have little sway on anti-SLAPP cases

Orlando Da Silva named chief administrator of ATSSC