This document summarizes key points from a presentation on current cybersecurity legal risks and requirements in Canada. It discusses the evolving privacy litigation landscape and lessons learned from privacy breach cases. Recent amendments to PIPEDA introduced mandatory breach notification requirements, including notifying affected individuals and the Privacy Commissioner if a breach creates a real risk of significant harm. Organizations must also keep records of all breaches. Non-compliance can result in penalties such as fines. The presentation emphasizes having an incident response plan and being prepared to properly respond to and document any privacy breaches.
5. Lessons from cases
“After the data breach was discovered, there was no cover up,
and Home Depot responded as a good corporate citizen to
remedy the data breach. …Unless one wishes to play pretend,
Home Depot was the successful party in resisting a pleaded claim of
$500 million.”
- Lozanski v. Home Depot, 2016 ONSC 5447
7. Lessons from the cases
• Condon v Canada, 2018 FC 522
• “This settlement will serve as a benchmark for future
privacy breach class actions and encourage
organizations throughout Canada to take privacy
seriously, for fear of facing serious litigation
consequences for a privacy breach.”
8. Lessons from the cases
• Condon v Canada, 2018 FC 522
• Lost drive affecting 583,000 individuals (including
name, SIN, address and student loan information)
• Response:
• Notification of breach to individuals
• Six years of fraud flagging from Equifax and TransUnion
• Forensic investigation and dark web searches
9. Lessons from the cases
• Condon v Canada, 2018 FC 522
– $17.5 million settlement fund for:
• $5.25 million to plaintiff counsel
• Cost of administering settlement
• $60 per individual for wasted time
– Unlimited compensation for any actual losses
11. Lessons from the cases
• Have an Incident Response Plan
• Internal incident and crisis teams
• External team may include:
• legal counsel “breach coach”
• forensic investigation and incident response teams
• crisis communications/public relations experts
• other providers (e.g. IT teams, ransom payment,
notification provider, call centre, identity protection)
12. Incident response plan template
• Define incident response process:
1. Identification and escalation
2. Containment and restoration
3. Communication and notification
4. Record keeping and prevention
13. Privacy framework in Canada
• PIPEDA applies to personal information handled in the
course of commercial activity, but not to the personal
information of a law firm's own employees
• BC, Alberta and Quebec have their own private-sector
privacy laws
• Health and public sector privacy laws will apply
to some organizations
14. What’s new with PIPEDA?
• Mandatory breach notification, reporting and
record-keeping provisions came into force
on November 1, 2018, pursuant to the Digital
Privacy Act
15. Triggering Event
• Notification must be made in the event of a
breach of security safeguards involving
personal information under an organization’s
control if it is reasonable in the circumstances
to believe that the breach creates a real risk of
significant harm to an individual
17. “Real Risk of Significant Harm”
• “Significant” harm includes:
• bodily harm
• humiliation
• damage to reputation or relationships
• loss of employment, business or professional opportunities
• financial loss
• identity theft
• negative effects on the credit record
• damage to or loss of property
18. “Real Risk of Significant Harm”
• Relevant factors in determining risk
• Sensitivity of the personal information
• The probability that the personal information has
been, is being or will be misused
19. Who Must Report the Breach?
• The organization with control of the information
must report and notify
• Be mindful of whether your firm has “control” or
if the client is in control
20. Notification requirements
• Notification to the Commissioner, affected
individuals and potentially others is mandatory
if the triggering event applies
• Exception: where notifying affected individuals
would be prohibited by law
• Keep in mind confidentiality obligations
21. Notification to Organizations
• Organizations must also inform another
organization or government institution of the
breach if they may be able to reduce the risk of
the harm that could result from it or mitigate
that harm
• Keep in mind confidentiality obligations
22. Timing of Notification
• Notification to the Commissioner, individuals,
and other organizations, if any, must be given
as soon as feasible after the organization
determines that the breach has occurred
23. Content of Notification: Commissioner
• Circumstances and if known, the cause
• Day or period when breach occurred
• Personal information breached
• Number of individuals affected
• Steps taken to reduce risk of harm
• Steps taken to notify affected individuals
24. Content of Notification: Individuals
• Circumstances
• Day or period when breach occurred
• Personal information breached
• Steps taken to reduce risk of harm
• Steps individuals could take
• Contact information
25. Method of Notification: Individuals
• Direct notification is required, unless:
• (a) it would be likely to cause further harm to the
affected individual;
• (b) it would be likely to cause undue hardship for the
organization; or
• (c) the organization does not have contact
information for the affected individual
26. Keeping Records of All Breaches
• Keep records of all breaches of security safeguards
involving personal information under your control,
whether or not there is a real risk of significant
harm, for two years (24 months from the day you
determine the breach occurred)
• Provide the Commissioner with access to, or a
copy of, a record, if requested
27. Penalties
• Knowingly contravening the reporting, notification
or record-keeping obligations is an offence under
section 28, punishable on summary conviction by a
fine not exceeding $10,000, or as an indictable
offence by a fine not exceeding $100,000
29. Regulators
• Privacy Commissioner of Canada
• Other privacy commissioners
• Investment Industry Regulatory Organization of
Canada (IIROC)
• Office of the Superintendent of Financial
Institutions (OSFI)
• Canadian Securities Administrators (CSA)
30. Key takeaways
• Risks and requirements are escalating
• Manage information intake and retention
• Incident response plan
• Privilege considerations
• Escalation protocols
• Record keeping
• Cyber insurance
31. Speaker
Daanish Samadmoten, Privacy and Cybersecurity Group, Fasken
Daanish provides practical and strategic advice to clients in respect of privacy compliance matters and data
breach incidents. With considerable experience and an ongoing practice in the fields of commercial, civil and
administrative litigation, Daanish brings to bear key legal and litigation risk management considerations in
relation to privacy and cybersecurity matters.
Editor's Notes
A “breach of security safeguards” means: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards. (PIPEDA, section 2(1))
“About” means that the information is not just the subject of something but also relates to or concerns the subject. (Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157)
Information will be about an “identifiable individual” where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information. (Gordon v. Canada (Health), 2008 FC 258)
Information will still be personal information even if it is publicly available within the meaning of the regulations and is exempt from applicable consent requirements (Englander v. TELUS Communications Inc., 2004 FCA 387)
The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include:
(a) the sensitivity of the personal information involved in the breach;
(b) the probability that the personal information has been, is being or will be misused; and
(c) any other prescribed factor. (PIPEDA, section 10.1(8))
The concept of sensitivity of personal information is discussed in Principle 4.3.4 of PIPEDA, which states: “Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.”
Some questions to consider when assessing the probability of misuse:
What happened and how likely is it that someone would be harmed by the breach?
Who actually accessed or could have accessed the personal information?
How long has the personal information been exposed?
Is there evidence of malicious intent (e.g., theft, hacking)?
Were a number of pieces of personal information breached, thus raising the risk of misuse?
Is the breached information in the hands of an individual/entity that represents a reputation risk to the individual(s) in and of itself? (e.g. an ex-spouse or a boss depending on specific circumstances)
Was the information exposed to limited/known entities who have committed to destroy and not disclose the data?
Was the information exposed to individuals/entities who have a low likelihood of sharing the information in a way that would cause harm? (e.g. in the case of an accidental disclosure to unintended recipients)
Was the information exposed to individuals/entities who are unknown, or to a large number of individuals, where certain individuals might use or share the information in a way that would cause harm?
Is the information known to be exposed to entities/individuals who are likely to attempt to cause harm with it (e.g. information thieves)?
Has harm materialized (demonstration of misuse)?
Was the information lost, inappropriately accessed or stolen?
Has the personal information been recovered?
Is the personal information adequately encrypted, anonymized or otherwise not easily accessible?
(Office of the Privacy Commissioner of Canada, What you need to know about mandatory reporting of breaches of security safeguards (Consultation) (Ottawa: Office of the Privacy Commissioner of Canada, 2018))
“Commissioner” refers to the Privacy Commissioner of Canada.
(Office of the Privacy Commissioner of Canada, What you need to know about mandatory reporting of breaches of security safeguards (Consultation) (Ottawa: Office of the Privacy Commissioner of Canada, 2018))
Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. (PIPEDA, section 10.1(3))
When notifying an individual of a data breach, an organization must also notify another organization, a government institution or a part of a government institution of the breach as soon as feasible if that organization, government institution or part concerned may be able to reduce the risk of the harm that could result from it or mitigate that harm, or if any of the prescribed conditions are satisfied. (PIPEDA, sections 10.2(1) and (2))
The report may be sent to the Commissioner through any secure means of communication and must contain: (a) a description of the circumstances of the breach and, if known, the cause; (b) the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period; (c) a description of the personal information that is the subject of the breach to the extent that the information is known; (d) the number of individuals affected by the breach or, if unknown, the approximate number; (e) a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm; (f) a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of the Act; and (g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach. (PIPEDA, section 10.1(2) and Breach of Security Safeguards Regulations (SOR/2018-64), sections 2(1), 2(2), and 2(3))
Notice to individual must include sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of the harm that could result from it or to mitigate that harm, as well as: (a) a description of the circumstances of the breach; (b) the day on which, or period during which, the breach occurred or, if neither is known, the approximate period; (c) a description of the personal information that is the subject of the breach to the extent that the information is known; (d) a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach; (e) a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and (f) contact information that the affected individual can use to obtain further information about the breach. (PIPEDA, section 10.1(4) and Breach of Security Safeguards Regulations (SOR/2018-64), section 3).
The notification must be conspicuous and given directly to the individual in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances except if: (a) direct notification would be likely to cause further harm to the affected individual; (b) direct notification would be likely to cause undue hardship for the organization; or (c) the organization does not have contact information for the affected individual, in which case, indirect notification must be given by public communication or similar measure that could reasonably be expected to reach the affected individuals. (PIPEDA, section 10.1(5) and Breach of Security Safeguards Regulations (SOR/2018-64), sections 5(1) and 5(2))
Examples of indirect notification include public announcements, such as advertisements in online or offline newspapers. The measures that would be employed for other public announcements should be used for indirect notifications. For example, media messaging, a prominent notice on the organization’s website, or other online/digital presence.
(Office of the Privacy Commissioner of Canada, What you need to know about mandatory reporting of breaches of security safeguards (Consultation) (Ottawa: Office of the Privacy Commissioner of Canada, 2018))
Records must include, at a minimum: the date or estimated date of the breach, general description of the circumstances of the breach, nature of information involved in the breach, whether or not the breach was reported to the Privacy Commissioner of Canada/individuals were notified, and if the breach was not reported to the Privacy Commissioner/individuals, a brief explanation of why the breach was determined not to pose a “real risk of significant harm”
(Office of the Privacy Commissioner of Canada, What you need to know about mandatory reporting of breaches of security safeguards (Consultation) (Ottawa: Office of the Privacy Commissioner of Canada, 2018))
Records must be kept for two years, although other legal requirements may impose longer retention periods. (Breach of Security Safeguards Regulations (SOR/2018-64), section 6(1))
There is no threshold associated with the record-keeping obligation – a record of all breaches must be kept, irrespective of whether they give rise to a real risk of significant harm. Nor is there any threshold before an organization would be required to provide its 'breach file' to the Commissioner.
The record-keeping requirement is an important compliance consideration and has the potential to create costs and risks for organizations. For example, in privacy-related litigation in Canada, plaintiffs' counsel often plead their claims in ways that could make a very broad swath of internal documents, policies, and information relating to previous breach incidents relevant in the discovery process. One would expect plaintiffs' counsel to request production of the 'breach file' in the course of discovery in a privacy breach litigation matter and to plead their cases to try to achieve this objective. This tactic is already prevalent in privacy breach litigation and class actions. This could be significant in the litigation (e.g. it may support claims of punitive or aggravated damages) and it may give rise to additional potential litigation. Pursuant to the regulations, organizations will be required to keep breach records for at least two years after the date on which a breach has been confirmed, which is the limitation period for bringing a civil action in most Canadian provinces. Accordingly, it is conceivable that if a plaintiff were to obtain discovery of a breach file and it reveals additional potential claims in relation to breaches (including breaches that did not result in notifications to individuals), the organization may face the risk of additional litigation in respect of those matters.
(Alex Cameron et al, “Important New Rules for Mandatory Privacy Breach Notification, Reporting and Record Keeping in Canada” Fasken Martineau DuMoulin LLP (18 April 2018), online: <https://www.fasken.com/en/knowledgehub/2018/04/important-new-rules-for-mandatory-privacy-breach-notification>)
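The record-keeping obligation above is concrete enough to encode. The following is an added example, not code from the presentation or from Fasken: a minimal breach register that refuses incomplete records, requires the "why no real risk of significant harm" rationale whenever a breach was not reported, runs the 24-month retention clock from the day the breach was determined to have occurred, and exports the whole file (reported and unreported breaches alike) in the form the Commissioner could request. The field names, the `legal_hold` flag for other retention requirements, the treatment of "24 months" as the same calendar day two years later, and the two sample incidents are this example's own assumptions, not anything the OPC or the regulations prescribe.

```python
"""Breach register for the PIPEDA s. 10.3 / SOR/2018-64 s. 6 record-keeping duty.

Added example: field names, validation rules and samples are the author's
assumptions, not an official template.
"""
from dataclasses import dataclass, asdict
from datetime import date
from typing import List, Optional
import json


def two_years_after(d: date) -> date:
    """Retention runs 24 months from the day the breach was determined to have occurred.
    Assumption: 24 months = the same calendar day two years later (29 Feb rolls to 28 Feb)."""
    try:
        return d.replace(year=d.year + 2)
    except ValueError:  # 29 Feb, and the target year has no 29 Feb
        return d.replace(year=d.year + 2, day=28)


@dataclass
class BreachRecord:
    breach_date: date                     # date or estimated date of the breach
    determined_on: date                   # day the organization determined the breach occurred
    circumstances: str                    # general description of the circumstances
    information_involved: str             # nature of the personal information involved
    real_risk_of_significant_harm: bool   # the s. 10.1 threshold decision
    reported_to_commissioner: bool = False
    individuals_notified: bool = False
    no_rrosh_rationale: Optional[str] = None  # required when the breach was not reported
    legal_hold: bool = False              # other legal requirements may require longer retention

    def validate(self) -> List[str]:
        """Return the gaps that make this record non-compliant; an empty list means OK."""
        gaps: List[str] = []
        if not self.circumstances.strip():
            gaps.append("circumstances missing")
        if not self.information_involved.strip():
            gaps.append("nature of information missing")
        if self.determined_on < self.breach_date:
            gaps.append("determination date precedes breach date")
        if self.real_risk_of_significant_harm:
            if not self.reported_to_commissioner:
                gaps.append("RROSH but no report to Commissioner recorded")
            if not self.individuals_notified:
                gaps.append("RROSH but no notification to individuals recorded")
        elif not (self.no_rrosh_rationale or "").strip():
            gaps.append("not reported: brief explanation of why there is no RROSH is required")
        return gaps

    def retain_until(self) -> date:
        return two_years_after(self.determined_on)


class BreachRegister:
    """Every breach goes in, RROSH or not; nothing leaves before its retention date."""

    def __init__(self) -> None:
        self._records: List[BreachRecord] = []

    def add(self, rec: BreachRecord) -> BreachRecord:
        gaps = rec.validate()
        if gaps:
            raise ValueError("incomplete breach record: " + "; ".join(gaps))
        self._records.append(rec)
        return rec

    def count(self) -> int:
        return len(self._records)

    def purgeable(self, today: date) -> List[BreachRecord]:
        """Records past the 24-month minimum and not under any other legal hold."""
        return [r for r in self._records if not r.legal_hold and r.retain_until() < today]

    def export_for_commissioner(self) -> str:
        """The 'breach file' the Commissioner may request: all records, reported or not."""
        return json.dumps([asdict(r) for r in self._records], default=str, indent=2)


def sample_register() -> BreachRegister:
    """Two constructed incidents (not real ones) on either side of the RROSH threshold."""
    reg = BreachRegister()
    reg.add(BreachRecord(
        breach_date=date(2019, 3, 1), determined_on=date(2019, 3, 5),
        circumstances="Closing memo emailed to a wrong recipient at a known firm; "
                      "recipient confirmed deletion in writing the same day",
        information_involved="One client's name and mailing address",
        real_risk_of_significant_harm=False,
        no_rrosh_rationale="Low sensitivity; single known recipient who committed to "
                           "destroy and not disclose; no evidence of misuse",
    ))
    reg.add(BreachRecord(
        breach_date=date(2019, 6, 10), determined_on=date(2019, 6, 12),
        circumstances="Unencrypted laptop stolen from an associate's car",
        information_involved="Names, SINs and loan details of 40 clients",
        real_risk_of_significant_harm=True,
        reported_to_commissioner=True, individuals_notified=True,
        legal_hold=True,  # litigation anticipated: keep beyond the 24-month minimum
    ))
    return reg


if __name__ == "__main__":
    print(sample_register().export_for_commissioner())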
An individual may make a complaint to the Commissioner or the Commissioner may initiate a complaint against an organization for contravening a provision of Division 1 or for not following a recommendation set out in Schedule 1 (PIPEDA, section 11).
A complainant may after receiving the Commissioner’s report or being notified under subsection 12.2(3) that the investigation of the complaint has been discontinued, apply to the Court for a hearing in respect of any matter in respect of which the complaint was made. A complainant may also apply to the Court for a hearing in respect of any matter that is referred to in the Commissioner’s report, and that is referred to in the prescribed sections under section 14(1) of PIPEDA.
(Office of the Privacy Commissioner of Canada, What you need to know about mandatory reporting of breaches of security safeguards (Consultation) (Ottawa: Office of the Privacy Commissioner of Canada, 2018))