
Canada’s Cybersecurity Breach Notification Regulation

General Counsel and VP/Incident Response
LEO Cyber Security


Credit unions maintaining personal data of Canadian residents should consider reviewing their incident response plans in light of this new law.

This article was originally published on the LEO Cybersecurity blog and is reprinted with permission.

Back in April, Canada adopted additional regulations related to its cybersecurity law, the Personal Information Protection and Electronic Documents Act. The new regulations, which dictate requirements for reporting a data breach, went into effect Nov. 1. Specifically, a report to Canada’s Office of the Privacy Commissioner must contain:

  • a description of the circumstances of the breach and, if known, the cause;
  • the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
  • a description of the personal information that is the subject of the breach to the extent that the information is known;
  • the number of individuals affected by the breach or, if unknown, the approximate number;
  • a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
  • a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of the Act; and
  • the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

A notification to an individual affected by the data breach must contain:

  • a description of the circumstances of the breach;
  • the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
  • a description of the personal information that is the subject of the breach to the extent that the information is known;
  • a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
  • a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
  • contact information that the affected individual can use to obtain further information about the breach.

The text of the regulation can be found here, along with its accompanying Regulatory Impact Analysis Statement, which clarifies a number of issues, including the meaning of “significant harm.” Baker Hostetler posted additional analysis on its DataPrivacyMonitor blog, available here.

Companies maintaining personal data of Canadian residents should consider reviewing their incident response plans in light of this new law.

Seth Jaffe, CBCP, JD, is official rocket scientist in residence for CUES strategic partner LEO Cybersecurity, Dallas. Hailing from NASA’s Mission Control Center, he brings a unique perspective to incident response, applying aspects of one of the world’s preeminent emergency operations platforms to cyber response. In addition to 20-plus years of technical experience, Seth was previously a member of the data protection task force at a large law firm and served as the lead legal team member of an incident response team at a major U.S. airline. He is a certified business continuity professional and holds a juris doctorate, which is why he also wears the general counsel hat at LEO.
