Canadian businesses rank third globally in data breach costs, at an average of almost CAD$7 million per breach.
As a business operating in Canada, you should do everything in your power to avoid a breach and to be able to demonstrate compliance with PIPEDA if one happens.
This article is a first step to understanding PIPEDA breach notification in Canada: what a notification must contain, who must be notified, which safeguards reduce the chance of a breach, and what penalties you can expect if you fail to report one.
There have been several notable breaches under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Here are a few examples:
- Equifax Canada Breach (2017):
  - Incident: Equifax, a major credit reporting agency, experienced a data breach affecting 143 million people globally, including approximately 19,000 Canadians. The breach involved sensitive information such as Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers.
  - Outcome: The Office of the Privacy Commissioner of Canada (OPC) conducted an investigation and found that Equifax failed to implement adequate safeguards and lacked appropriate measures to prevent such breaches. Equifax was required to improve its security measures and notify affected individuals.
- Desjardins Group Breach (2019):
  - Incident: An internal breach at Desjardins Group, a large financial services cooperative, exposed the personal information of 4.2 million members. The breach was caused by an employee who improperly accessed and shared the data.
  - Outcome: The OPC investigated and found that Desjardins had insufficient access controls and monitoring. The company was required to enhance its security protocols, including implementing stronger internal controls and auditing procedures.
- LifeLabs Breach (2019):
  - Incident: LifeLabs, one of Canada’s largest medical testing companies, reported a cyberattack that compromised the personal information of 15 million customers. The breach included sensitive data such as names, addresses, emails, login passwords, dates of birth, health card numbers, and lab test results.
  - Outcome: The OPC and the Information and Privacy Commissioner of Ontario conducted a joint investigation and concluded that LifeLabs had inadequate cybersecurity measures. The company was ordered to improve its data security practices and undergo regular audits.
- Marriott International Breach (2020):
  - Incident: A breach at Marriott International affected 5.2 million guests worldwide, including Canadians. The compromised information included contact details, loyalty account information, and other personal data.
  - Outcome: The OPC investigated and found that Marriott did not have sufficient safeguards in place. Marriott was directed to enhance its data protection measures and improve its response to data breaches.
These incidents highlight the importance of robust data protection measures and the need for organizations to comply with PIPEDA requirements to protect personal information effectively.
Let’s dive right in.
Key Takeaways
Under PIPEDA, a breach of security safeguards must be reported to the Office of the Privacy Commissioner of Canada whenever it is reasonable to believe the breach creates a real risk of significant harm to an individual
The breach report to the Commissioner must include the circumstances and the date or period of the breach, a description of the personal information involved, and an estimate of the number of individuals at real risk of significant harm, among other things
The maximum fine for knowingly failing to report a breach, notify affected individuals, or keep the required breach records is CAD$100,000 per offence
What is PIPEDA?
PIPEDA, the Personal Information Protection and Electronic Documents Act, is Canada’s federal data privacy law. It regulates how private sector organizations collect, use, and disclose personal information in the course of commercial activity, regardless of whether the individuals concerned are Canadian citizens.
The law applies to organizations engaged in commercial activity across Canada, except where a province has a substantially similar private sector law: Alberta and British Columbia each have a Personal Information Protection Act (PIPA), and Quebec has its own private sector privacy act. Even in those provinces, PIPEDA still applies to federally regulated businesses such as banks, telecommunications companies, and airlines, and to personal information that crosses provincial or national borders.
The primary goal of PIPEDA is to protect individuals’ privacy rights and to require accountability and transparency from organizations that handle consumers’ personal information.
Like other data privacy laws, such as the GDPR, PIPEDA sets rules organizations must follow when handling personal information (names, addresses, phone numbers, email addresses, and more): they must obtain meaningful consent before collecting it, and they must protect it with safeguards appropriate to its sensitivity, which is also how they demonstrate compliance.
What are Breach Notifications?
A data breach notification is a formal communication from an organization that has suffered a data breach to the regulatory authority in that jurisdiction and, where required, to the affected individuals.
In the notification, the business informs the regulator of the breach and, depending on the law and the country, the relevant facts of the incident: when it occurred, which data was affected, how many people were involved, and more.
Breach notifications are a core part of complying with a data privacy law, and most such laws, PIPEDA included, specify exactly what a notification must contain.
What Needs to be Included in a Canada Breach Notification to the Privacy Commissioner?
PIPEDA breach reports are delivered to the Office of the Privacy Commissioner of Canada (OPC), which oversees PIPEDA and whether organizations comply with it. The report must be made as soon as feasible after the organization determines that the breach occurred. Separately from reporting, PIPEDA requires organizations to keep a record of every breach of security safeguards, reportable or not, for 24 months after determining it occurred, and to provide those records to the OPC on request.
Here is what the report should include:
A Description of the Circumstances of the Breach
The notice to the Commissioner should first include a brief description of the circumstances of the data breach.
For example, the description can state the breach happened due to a sophisticated cyberattack that targeted an unknown vulnerability in the company’s data storage system.
The Date or Time Period of the Breach
Next, the notification should include the date on which the loss, unauthorized access, or disclosure of personal information occurred.
If the exact date is unknown, the organization should provide the period during which the breach took place, for instance the window between the last known good state of the system and the time the intrusion was detected.
The Personal Information Affected by the Breach
The notice should also describe the types of personal information involved in the breach.
For example, it might list customers’ email addresses, login credentials, names, and dates of birth. State whether any of the affected data was encrypted, and how (strong encryption with keys that were not compromised reduces the risk of harm; a reversible encoding or a compromised key does not), since this bears directly on the risk assessment.
Risk Assessment
If your business has suffered a breach, assess whether it creates a real risk of significant harm to the affected individuals. PIPEDA directs organizations to weigh the sensitivity of the personal information involved and the probability that it has been, is being, or will be misused.
For instance, exposed financial or identity data (account numbers, government ID numbers, dates of birth) can expose individuals to identity theft or fraud, whereas a list of business email addresses that was encrypted with an uncompromised key may not create a real risk of significant harm.
The Number of Individuals at Risk
Not all affected individuals will necessarily be at risk of significant harm. The report must give the number, or a reasonable estimate, of individuals for whom the breach creates a real risk of significant harm.
Steps Taken to Notify Individuals
PIPEDA also requires notifying any individual for whom the loss, unauthorized access, or disclosure of their personal information creates a real risk of significant harm, and the report to the Commissioner must describe the steps taken to notify them.
Direct notification can be delivered by email, letter, telephone, or in person; indirect notification, such as a public announcement or a notice on the company website, is allowed only where direct notification would cause further harm, would be an undue hardship, or is impossible because the organization has no contact information.
Steps Taken to Reduce the Risk of Harm to Individuals
It is not enough to report the breach and the risk it poses to your customers.
You also need to describe the steps taken to reduce that risk, such as isolating and containing the affected systems so the intrusion cannot spread, revoking exposed credentials and keys, shutting down servers if necessary, informing law enforcement, and engaging an outside forensics firm to investigate.
The Person to Contact About the Data Breach
Finally, the company must name a contact who can answer the Commissioner’s questions about the breach, a role comparable to the Data Protection Officer (DPO) under the GDPR.
The report should give that person’s name and contact information, such as an email address or phone number.
Do Consumers Need to be Notified of Data Breaches?
PIPEDA also requires organizations to notify individuals when it is reasonable to believe a breach creates a real risk of significant harm to them.
This notification is given directly to the affected individual as soon as feasible after the organization determines the breach occurred, and must include:
A description of the circumstances of the data breach
The date or time period in which the incident occurred
What personal information belonging to the individual was involved in the breach
What steps the company has taken to reduce the risk of harm to the individual
What steps the individual can take to reduce the risk of harm, for example changing passwords or monitoring their credit
The name and contact information of the person the company has appointed to answer questions about the breach
If you cannot contact the affected individuals directly, indirect notification (such as a public announcement) is permitted in the circumstances the PIPEDA breach regulations allow, and the OPC can advise on the next steps.
What Types of Safeguards Should be Implemented to Prevent Data Breaches?
Even if a business discovers a data breach on time, it can still result in a potential financial loss and diminished reputation and customer trust.
For this reason, you should focus on preventing a data breach from happening in the first place.
Here are four safeguards your business should implement against potential data breaches:
Implement Strict Data Access Controls
Not everyone in your organization should have access to every piece of sensitive information that passes through it.
Grant access to sensitive data only where it is needed for the job (least privilege), using strong user authentication, role-based access, and regular reviews of who holds which permissions. The Desjardins breach above was caused by an insider who could access far more member data than their role required, which is exactly what these controls and reviews are meant to catch.
Perform Regular Security Audits
Regular security audits and monitoring are crucial for detecting unusual activity and spotting the early signs of a breach, as well as vulnerabilities in the organization’s systems.
The organization should work proactively to find weaknesses, combining automated scanning and monitoring tools with manual review of systems, access logs, and network traffic for suspicious behaviour.
In addition, follow these best practices to identify third-party cybersecurity risks on time.
Encrypt Sensitive Data
Encryption converts readable data into ciphertext that can only be read by someone holding the corresponding decryption key. End-to-end encryption specifically means the data is encrypted on the sender’s side and decrypted only by the intended recipient, so no intermediary, including the service operator, can read it along the way.
To secure sensitive data, a business should encrypt it in transit (for example with TLS), encrypt it at rest in storage and backups, and use end-to-end encryption where the data travels between two parties. Encryption only reduces the risk from a breach if the keys are managed properly: store keys separately from the data they protect, restrict who and what can use them, and rotate them; a breach that exposes both the ciphertext and the key is, for notification purposes, a breach of plaintext.
Conduct Employee Training and Education
The best third-party encryption, security audit, and monitoring tools, and diligently implemented access controls, will not matter much if employees do not know how to use them and, more importantly, why they exist.
Compliance training and education teach employees to use those tools correctly and, over time, build a culture of data protection in which staff recognize and report phishing, mishandled data, and suspicious access.
Penalties For Not Reporting a Data Breach to the PIPEDA
An organization that knowingly fails to comply with PIPEDA’s breach provisions commits an offence punishable by a fine of up to CAD$10,000 on summary conviction or up to CAD$100,000 on indictment, per offence. The OPC itself cannot impose these fines; they are levied by a court after prosecution.
This covers knowingly failing to report a breach of security safeguards to the Commissioner, knowingly failing to notify affected individuals, knowingly failing to keep breach records, and obstructing the Commissioner’s investigation.
PIPEDA violations can also lead to civil claims, including class actions. After receiving the Commissioner’s report on a complaint, a complainant can apply to the Federal Court for a hearing, and the Court can order the organization to correct its practices, publish a notice of the corrective action, and pay the complainant damages.
Closing
Although the number of records exposed in Canadian data breaches dropped sharply from over 6.5 million in Q3 2021 to just over 167,000 in Q1 2023, the threat of cyberattacks and data breaches remains very real.
Captain Compliance can help your business mitigate those risks and stay compliant with data privacy laws, including PIPEDA. Contact us, and our privacy and compliance experts will ensure your business’s compliance.
FAQs
What is the breach notification law in Canada?
The most important data privacy law in Canada, which also sets the breach notification rules, is the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA governs private sector data protection in most of Canada. The exceptions are Alberta and British Columbia, which each have a Personal Information Protection Act (PIPA), and Quebec, which has its own private sector privacy act; PIPEDA still applies to federally regulated businesses in those provinces.
Here’s what you need to know about the Connecticut Data Breach Notification Law.
How do I report a breach of privacy in Canada?
A business subject to PIPEDA must report a breach of security safeguards that creates a real risk of significant harm to the Office of the Privacy Commissioner of Canada (OPC), which provides a breach report form for this purpose. The Commissioner may then follow up with the organization and investigate whether it has contravened PIPEDA.
Take a look at a real-life example of a data security incident notification.
What are the breach notification rule requirements?
The Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta’s Personal Information Protection Act (PIPA), and Quebec’s private sector privacy act are the three laws in Canada that require a data breach notification.
Under PIPEDA, the report goes to the Office of the Privacy Commissioner of Canada; under Alberta PIPA, it goes to Alberta’s Information and Privacy Commissioner.
The notification should include:
A description of the circumstances in which the breach happened
The date (or the span) when this occurred
What personal information was affected
What risk of harm to the individuals can this present
An estimate of the number of individuals that are at significant risk of harm as a result of the incident
What steps has the company taken to mitigate the risk of harm to compromised individuals
Steps taken to notify individuals of the loss, unauthorized access, or disclosure of their data
Name and contact information of the person appointed by the company to answer the Commissioner’s questions regarding the data breach.
The main difference between the two laws is who must be notified. Under Alberta PIPA, the organization reports to the Alberta Commissioner, who may then require it to notify the affected individuals. Under PIPEDA, the organization must itself notify both the federal Commissioner and the affected individuals whenever there is a real risk of significant harm.
Quebec’s private sector privacy act, on the other hand, requires notifying the Commission d’accès à l’information (CAI), as well as the affected individuals where the incident presents a risk of serious injury.
Discover how to achieve GDPR data breach compliance.
What to do after a data breach in Canada?
Once a data breach is discovered and assessed as creating a real risk of significant harm, a business operating in Canada must send a breach report to the Office of the Privacy Commissioner of Canada (OPC) or, if it is subject to Quebec’s law, to the Commission d’accès à l’information (CAI).
This notification should include:
The circumstances of the incident
The time of the breach
Description of the compromised data
Assessment of the risk of harm to individuals
An estimated number of affected individuals
Steps taken to reduce the risk of harm to individuals
Steps taken to notify individuals of the compromise of their data
Name and contact information of the person in the company who can answer the Commissioner’s questions about the breach
Learn what to do after a data breach in Australia.
What is the penalty for privacy breach in Canada?
The Personal Information Protection and Electronic Documents Act (PIPEDA) does not impose a monetary fine for suffering a privacy breach as such. It does, however, make it an offence to knowingly fail to report a breach, notify affected individuals, or keep breach records, or to obstruct the Commissioner, with fines of up to CAD$100,000 per offence.
Operating a business in Brazil? Here are the fines for not complying with the LGPD.