Following the Office of the Privacy Commissioner of Canada’s announcement that it will be conducting breach record inspections this summer, McCarthy Tétrault LLP offered several tips to help organizations prepare for the upcoming checks.
The deputy commissioner said that five to eight businesses will be subject to record inspections. The organizations are located across Canada but in a single sector that was not named.
Under the Personal Information Protection and Electronic Documents Act, organizations are required to “maintain a record of every breach of security safeguards involving personal information under its control,” the firm explained in an advisory on its website. A “breach of security safeguards” means any “loss of, unauthorized access to or unauthorized disclosure of personal information” resulting from a breach of security safeguards or a failure to establish security safeguards.
Organizations are required to keep a record of each breach of security safeguards, irrespective of the scope of the breach or the sensitivity of the personal information involved. The organization must record any breach, no matter how small, even if it determines that there is no “real risk of significant harm” to the organization and other stakeholders. In case of a real risk of significant harm, the organization is obligated to report to the commissioner and notify the affected individuals and, potentially, certain third parties.
McCarthy listed the following tips for organizations:
1. Verify that the organization is keeping records of each actual or potential breach of security safeguards, including:
a. records that contain everything that must be included in a report to the commissioner had the organization reported the breach (as set out in the Breach of Security Safeguards Regulations); and
b. a framework for assessing whether a breach of security safeguards results in a real risk of significant harm to the affected individual, including the basis for determining why it was not necessary to report the breach.
2. Audit breach records to verify that they include all of the information that is required by the Breach of Security Safeguards Regulations.
3. Consider how many potential breaches of security safeguards the organization’s privacy/legal/compliance departments have investigated. If the number is low or zero, investigate whether breaches are going unreported. Common breaches include lost or stolen devices (phones, laptops, hard drives, etc.), misdirected emails and phishing attempts.
“One challenge with breach notifications is that employees do not always know that they must report the breach,” the firm said. “Another problem is that many security teams treat breaches of security safeguards simply as a security issue and fail to escalate to legal or the other members of a multi-disciplinary incident response team. Accordingly, it is critically important that your incident response plan include proper employee training and clear incident response and escalation guidelines.”