Digital Privacy Act Security Breach Regulations: my representations

October 1st, 2017 by Barry Sookman Leave a reply »

Here are my representations sent to Jill Paterson, Senior Policy Analyst, Digital Policy Branch, Spectrum, Information Technologies and Telecommunications (SITT) Sector, Innovation, Science and Economic Development Canada, CD Howe Building, 235 Queen Street, Room 162D, Ottawa, Ontario K1A 0H5.

________________________________________________________

These are my representations on the draft Breach of Security Safeguards Regulations published in the Canada Gazette, Part I, August 14, 2017.

I am Barry Sookman, a senior Partner with the law firm McCarthy Tétrault. I am also an Adjunct professor of intellectual property law at Osgoode Hall law School where I teach, among other things, privacy law. My firm acts for clients that have important concerns about the draft Regulations. However, I make these representations solely on my own behalf.

I commend the Government for the manner in which it has approached promulgating the draft Regulations (the “Regulations”). The Regulations will form an integral part of the Digital Privacy Act’s (the DPA) data breach and record keeping requirements. This law makes important advances in modernizing our privacy laws and will create new rights and obligations that will affect may organizations and individuals. The approach of circulating the discussion paper, For Discussion — Data Breach Notification and Reporting Regulations (March 2016) and A Summary of Consultation Responses Data Breach Notification and Reporting Regulations (October 2016) prior to publishing the RIAS and Regulations contributed to narrowing the issues that still need to be addressed in the Regulations.

However, in my opinion, some further consideration still needs to be given to some portions of the Regulations.

Notice to the OPC

Under the DPA, an organization is required to report to the Commissioner “any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” The notice requirement is triggered if there is a breach of security safeguards which is defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.”

The report must contain the prescribed information and shall be made in the prescribed form and manner as soon as feasible after the organization determines that the breach has occurred. (emphasis added)

The Regulations would require that a report of a breach of security safeguards must be in writing and must contain

(a) a description of the circumstances of the breach and, if known, the cause;

(b) the day on which, or the period during which, the breach occurred;

(c) a description of the personal information that is the subject of the breach;

(d) an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm;

(e) a description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm;

(f) a description of the steps that the organization has taken or intends to take to notify each affected individual of the breach in accordance with subsection 10.1(3) of the Act; and

(g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

The Regulations assume that organizations which are subject to data breaches will necessarily have all of the information required by the Regulations as soon as feasible after the organization determines the breach has occurred. In many cyber-breach situations it can take many weeks and even months before an organization can accurately obtain the information necessary to provide the detail the Regulations require. Cyber-hackers and criminals often hide their digital fingerprints and it takes even the most sophisticated forensic investigators much time to fully investigate incidents. Early theories about the scope and causes of the breaches are often proved to be wrong or incomplete. Also, in many cases the personal information would have beeen transfered to third parties for processing and these parties may be reluctant for security, legal, or other reasons to provide all of the information necessary to meet the proposed notice requirement. There is thus a substantial risk that organizations would not be able to comply with the Regulations, or would need to qualify the information provided, or to update the information provided at later points in time.

Further organizations in the vortex of responding to security breaches would be very concerned about releasing sensitive investigative information which could be used against them in later civil proceedings in Canada, or in cross border cases such as in the United States. Also, unlike the situation where notice must be given to individuals, there is no exception that would excuse providing information where prohibited by law. The Regulations also do not expressly permit organizations to provide information in password protected or encrypted formats to better protect it against security breaches during transmission or storage at the OPC. Nor is there anything in the DPA or Regulations that would protect organizations against the use of information provided in civil proceedings.

Accordingly, the notice requirement could be improved by qualifying the reporting obligations to the OPC by:

  • Limiting information to be provided to what can reasonably and practically be confirmed at the time the report must given and to enable reports to include qualifications that the information provided is still under investigation and may not be accurate or complete.
  • Enabling updates and corrections to be provided when further information becomes available or confirmed.
  • Allowing organizations not to include in any report information that cannot be provided because of legal requirements.
  • Enabling reports to be provided using password protection and in encrypted formats.
  • Developing a process to ensure that reports remain confidential and cannot be used against reporting organizations in civil proceedings.

Notification to individuals

Under the DPA, unless otherwise prohibited by law, an organization must notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. The notification must be given as soon as feasible after the organization determines that the breach has occurred.

The notification must contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. It shall also contain any other prescribed information.

The Regulations would require the notification to contain (in addition to the information set out in the DPA):

(a) a description of the circumstances of the breach;

(b) the day on which, or period during which, the breach occurred;

(c) a description of the personal information that is the subject of the breach;

(d) a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;

(e) a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;

(f) a toll-free number or email address that the affected individual can use to obtain further information about the breach; and

(g) information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner.

Here again, the Regulations assume that organizations which are subject to data breaches will necessarily have all of the information required by the Regulations as soon as feasible after the organization determines the breach has occurred. There is thus a substantial risk here again that organizations would not be able to comply with the Regulations, or would need to qualify the information provided, or to update the information provided at a later points in time.

Further organizations have been and will be concerned about providing information that could compromise investigations including where lawful authorities request that no information be made public so as not to compromise investigations. Organizations will also be concerned about releasing sensitive investigative information which could be used against them in later civil proceedings.

Accordingly, this notice requirement could be improved by qualifying the reporting obligations to individuals by:

  • Limiting information to be provided to what can reasonably and practically be confirmed  at the time the report must be given or to include qualifications that the information provided is still under investigation and may not be accurate or complete.
  • Enabling updates and corrections to be provided when further information becomes available or confirmed.
  • Allowing organizations not to include in any report information that cannot be provided because of reasonable security concerns, or to withhold information where requested by lawful authorities or where to do so could compromise an investigation.

Manner of notification to individuals

Under the DPA, the notification to individuals must be conspicuous and must be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner. (emphasis added)

The Regulations prescribe that direct notification is to be given to the affected individual

(a) by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner;

(b) by letter delivered to the last known home address of the affected individual;

(c) by telephone; or

(d) in person.

The requirement that notice may be given by email “or any other secure form of communication” only if the individual has consented to receiving the notice in that matter makes little sense. In mass data breach cases, the only practical and efficient way of providing notices and to ensure the notices are provided in the most timely manner is by sending notices electronically. Most individuals would reasonable expect to receive notices in that manner. Nor could there be any concern about violating CASL as such notices could not reasonably be considered commercial electronic messages and would also be expressly exempted under the GIC Electronic Commerce Protection Regulations as such notices would be “sent to a person…to satisfy a legal or juridical obligation”.

If the concern is that giving indirect notification by e-mail or other forms of secure communications would cause further harm to the affected individual, the right to use electronic means of notice could be so qualified. This approach is used in s.5(1) of the Regulations which stipulate when indirect notification may be given.

5 (1) For the purposes of subsection 10.1(5) of the Act, indirect notification is to be given to the affected individual by an organization in any of the following circumstances:

(a) the giving of direct notification would cause further harm to the affected individual;

(b) the cost of giving of direct notification is prohibitive for the organization;

(c) the organization does not have contact information for the affected individual or the information that it has is out of date.

Indirect notification — manner

(2) For the purposes of subsection 10.1(5) of the Act, indirect notification is to be given to the affected individual in the following manner:

(a) by a conspicuous message, posted on the organization’s website for at least 90 days; or

(b) by means of an advertisement that is likely to reach the affected individuals.

Record keeping requirements

The DPA requires organizations, in accordance with any prescribed requirements, to keep and maintain a record of every breach of security safeguards involving personal information under its control. (emphasis added) These records must be available to provide to the Commissioner, if requested.

The Regulations stipulate that “an organization must maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred”. The record “must contain any information pertaining to the breach that enables the Commissioner to verify compliance with subsections 10.1(1) and (3) of the Act.”

The record keeping obligations do not take into account the impractical scope and nature of the obligations. In this regard:

  • The term “breach of security safeguards” is defined in an extremely broad way to mean “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.” In other words it involves a breach of every security safeguard organizations have implemented or were required by PIPEDA to have implemented. This would include all physical, organizational, and technological measures used or which should have been used by the organization. It is not realistic to believe that organizations would have controls, logs and other measures in place to record every such breach.
  • The Regulations would require organizations to record, and to have or to develop systems to record, security breaches, even if they are unaware or could not reasonably have anticipated the type of security breach encountered.
  • There is no materiality requirement. This obligation is not tied to any requirement that the organization reasonably believe “that the breach creates a real risk of significant harm to an individual”, which is a limitation that applies to the notification requirements.
  • The Regulations do not assist in clarifying whether information transferred to a third party for processing (such as information stored in a cloud PAAS or SAAS solution) would be covered by the obligation, and if so, whether the record keeping obligations would be those of the organization transferring the information or those of the third party and whether the record keeping obligations could be satisfied by appropriate contractual provisions with third parties. The Regulations, as drafted, could negatively impact migration to cloud solutions which would hurt the Government’s innovation agenda.

This Regulation could be improved as follows:

  • Limit the record keeping obligations to those that are reasonable and practical. This is the approach, for example, that is used in Ontario under the Personal Health Personal Health Information Protection Act, 2004 under Regulation 329/04, where records must be provided to custodians of personal health information.
  • Limit the type of records that must be kept. Using the above Ontario regulations as an example again, the type of records that must be kept are limited to, “to the extent reasonably practical, and in a manner that is reasonably practical, keep and make available to each applicable health information custodian… an electronic record of” certain accesses of the personal health information and certain transfers of information. While these specific limitations may need to be broader to account for the scope of PIPEDA, the approach is worth considering.
  • Limit the records to those that are material. Materiality should be associated with whether the breach creates a real risk of significant harm to an individual.
  • Clarify the records that must be kept where information is transferred to a third party and whether the transferring party has any responsibility to keep, or to contract for the transferee to keep, records of data breaches while personal information is processed by the third party. Is such information considered to be under the control of the transferee or transferor, or both parties? Under PIPEDA organizations must ensure that where information is transferred to a third party, the organization must “use contractual or other means to provide a comparable level of protection while the information is being processed by a third party”. (Principle 4.1.3) Thus, the records that the transferor must maintain will not necessarily be the same as those of the transferee. Thus, even assuming that the information transferred is still under the control of the transferring party, the organization transferring the information should be limited to contracting or using other means to provide the records which the third party is required to maintain under PIPEDA.

Thank you for the opportunity to provide representations on the Regulations.

Barry Sookman

Print Friendly, PDF & Email
Advertisement