Navigating Data Breaches: A Business’ Guide for Legal Compliance in Canada

In 2019, The Desjardins Group faced a major cybersecurity breach. Personal information of millions of its members, including names, addresses, birthdates, social insurance numbers, and more, were breached. This incident not only exposed the vulnerability of even the most robust cybersecurity systems but also shed light on the impacts of data breaches for both clients and businesses of all sizes.

For businesses, being vigilant about potential security breaches is not only a good practice but also a legal obligation. In this blog post, we will share key steps and considerations for dealing with a data breach in Canada, ensuring compliance with privacy legislation, and proactively protecting your clients and business from potential security breaches.

1. Adopting a Proactive Approach to Cybersecurity

In the digital age, where data breaches are unfortunately common, adopting a proactive approach to cybersecurity is your first line of defense. Ensuring your business has a cybersecurity provider, and understanding relevant privacy legislation, such as the Personal Information Protection and Electronic Documents Act (hereinafter referred to as “PIPEDA”), lays the foundation for a proactive approach to cybersecurity.

2. Communicating with your Cybersecurity Provider in the Event of a Breach

In the event of a data breach, requesting information from your cybersecurity provider is a critical first step. Ask your cybersecurity provider about the nature of the breach, the specific individuals affected, and the types of data that may have been breached. As you engage in these communications with your cybersecurity provider, ensure you document the conversation. Take note of details such as the date and time of the communications, key points discussed, and any commitments made by your cybersecurity provider. Written documentation will serve as tangible evidence of your proactive efforts to gather details about the incident.

3. To Report or Not to Report

Not all security breaches need to be reported to your clients and the Office of the Privacy Commissioner of Canada (hereinafter referred to as “OPC”). Only breaches that pose a real risk of significant harm must be reported. Real risk of significant harm is determined by the sensitivity of the information involved and the probability of misuse. A security breach presents a real risk of significant harm if the personal information is, has been, or will be misused, and if the breach can lead to bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative impacts on credit records, or damage to or loss of property. According to federal government guidelines, certain information such as income records is generally considered sensitive, while names and addresses are typically not.

Based on your communications with your cybersecurity provider and your research into the nature of the security breach, evaluate whether informing the client and reporting to the OPC are necessary.

4. OPC Reporting & Notice to the Client

If, based on the information provided by your cybersecurity provider and your research into the nature of the security breach, you determine that reporting the breach to both your clients and the OPC is warranted, you must notify your clients and submit a report to the OPC.

Notices to the Client can be done by email, and should include the following details:

• A description of the circumstances of the breach;
• The day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
• A description of the personal information that is the subject of the breach to the extent that the information is known;
• A description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
• A description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
• Contact information that the affected individual can use to obtain further information about the breach.

When reporting the security breach to the OPC, you must complete the PIPEDA Breach Report Form and submit the report through the Secure Breach Reporting Portal System.

5. Record Keeping: A Two-Year Obligation

Regardless of whether the breach is disclosed to your clients or the OPC, you must maintain a record of every security breach within your organization for a minimum of two years, in compliance with sections 10.1(1) and (3) of PIPEDA. Your records should include the following information:

• Date or approximate date of the breach;
• General description of the breach circumstances;
• Nature of the information involved in the breach;
• Whether the breach was reported to the OPC and if any individuals were notified.

Your records should include sufficient details for the OPC to evaluate whether your organization accurately applied the real risk of significant harm standard and fulfilled its reporting and notification obligations in cases where a breach genuinely presented a risk of significant harm. If you decided not to report the breach to the OPC or your clients, a brief explanation should be included in your records.

In summary, adopting a proactive approach to cybersecurity involves open communication with your cybersecurity provider, detailed recordkeeping of all data breaches or potential data breaches, and informed decision-making on the necessity of reporting the breach to the OPC and your clients. Remember, understanding and complying with PIPEDA guidelines is not just a legal obligation but an essential step in safeguarding the trust and privacy of your clients.

If you have any questions or need further clarification, our legal team is here to help. Let us assist you in adopting a proactive approach to cybersecurity for your business and ensuring you comply with relevant legislation in the event of a data breach.