Canada PIPEDA Breach Notification: What is it?
Canadian businesses are in third place globally in data breach costs, with almost CAD$7 million for each data breach.
As a business operating in Canada, you should do everything in your power to avoid this and demonstrate compliance with PIPEDA.
This article can serve as a great first step to fully understanding the Canada PIPEDA breach notification, including what needs to be included in a notification, who to notify, what safeguards you should take to prevent a data breach, and what penalties you can expect if you don’t report a data breach.
Let’s dive right in.
- Under Canada PIPEDA, a data breach must be reported to the Office of the Privacy Commissioner
- The Canada PIPEDA data breach notification to the Commissioner should include the circumstances and the time of the data breach, a description of the personal information that was affected, and an estimated number of individuals at risk of significant harm from the incident, among other things
- The maximum fine for non-compliance with PIPEDA, including not sending a data breach notification, is CAD$100,000
What is PIPEDA?
PIPEDA, or Personal Information Protection and Electronic Documents Act, is a federal data privacy law that regulates the collection, use, and disclosure of personal information of Canadian citizens by private sector organizations.
This law applies to any business that offers products or services for profit in Canada, except in Alberta, British Columbia and Quebec, which have their own legislation: PIPA in Alberta and British Columbia, and the Quebec Privacy Act in Quebec.
The primary goal of PIPEDA is protecting the privacy rights of individuals and promoting accountability and transparency in companies that need to handle consumers’ personal information.
Much like other data privacy laws, like the GDPR, PIPEDA serves as a framework for individuals to aid them in better protecting their personal information, including names, addresses, phone numbers, email addresses, and more, while businesses must obtain customer consent first and safeguard this data against data breaches to demonstrate their compliance with this law.
What are Breach Notifications?
A data breach notification is a formal communication between an organization that suffered a data breach and the regulatory authority in that country.
In the notification, the business informs the regulatory authority of a data breach that happened to it and, depending on the regulation and the country, the different facts of the incident, including when the breach occurred, which specific data was affected, how much data, and more.
Data breach notifications are a vital part of complying with a data privacy law, and most laws, including PIPEDA, clearly set out the rules on what a notification must contain.
What Needs to be Included in a Canada Breach Notification to the General Commissioner?
Canada PIPEDA data breach notifications are delivered to the Office of the Privacy Commissioner of Canada (OPC for short). The OPC oversees the PIPEDA and whether the organizations are fully compliant.
Here is what the notification should include:
A Description of the Circumstances of the Breach
The notice to the Commissioner should first include a brief description of the circumstances of the data breach.
For example, the description can state the breach happened due to a sophisticated cyberattack that targeted an unknown vulnerability in the company’s data storage system.
The Date or Time Period of the Breach
Next, the notification should include the date on which the loss, unauthorized access, or disclosure of the customer’s personal information occurred.
If the exact date is unknown, the organization should provide at least a time period, for instance, “during the weekend.”
The Personal Information Affected by the Breach
The notice should also include the types of personal information affected by this data breach.
For example, it might have affected the customers' email addresses, login information, names, encrypted data, etc.
If your business suffered a breach, also assess the risk of harm to the individuals affected by the breach.
For instance, the breach might pose a significant threat to affected individuals by exposing them to potential identity theft or other types of fraud, especially when it comes to their financial information.
The Number of Individuals at Risk
Not all affected individuals will necessarily be at risk of harm from the data breach. It is also your responsibility to provide a number or an estimate of individuals to whom the breach does pose a real and significant risk of personal harm.
Steps Taken to Notify Individuals
PIPEDA also requires notifying individuals at significant risk of harm due to loss, unauthorized access, or disclosure of their sensitive data.
They can be notified via email, phone, or the company website.
Steps Taken to Reduce the Risk of Harm to Individuals
Of course, it’s not enough to report the data breach or that it poses a potential risk to your customers.
You also need to take steps to mitigate those risks, such as isolating and containing the breach immediately to prevent it from spreading to other systems in the company, shutting down servers if necessary, informing law enforcement, hiring an outside cybersecurity forensics company for an investigation, and so on.
The Person to Contact About the Data Breach
Finally, the company must appoint someone who can answer the Commissioner’s questions about the breach, similar to the GDPR’s DPO or Data Protection Officer.
This should include the person’s name and contact information, such as email address or phone number.
Do Consumers Need to be Notified of Data Breaches?
PIPEDA also requires organizations to notify individuals if a data breach has the potential to create a legitimate risk of harm to them.
This notification is given directly to the affected individual as soon as feasibly possible and must include:
- A description of the circumstances of the data breach
- The date or time period in which the incident occurred
- What personal information belonging to the individual was compromised in the breach
- What steps the company will take to mitigate the risk of harm to the customer
- Name and contact information of the person the company has appointed to answer questions customers might have about the data breach
If you cannot contact the affected individuals directly, contact the Commissioner for the next steps. You may need to notify them indirectly, for example through a public announcement of the data breach.
What Types of Safeguards Should be Implemented to Prevent Data Breaches?
Even if a business discovers a data breach on time, it can still result in a potential financial loss and diminished reputation and customer trust.
For this reason, you should focus on preventing a data breach from happening in the first place.
Here are four safeguards your business should implement against potential data breaches:
Implement Strict Data Access Controls
Not everyone within your organization should have access to every piece of sensitive information that passes through it.
Limit access to sensitive data to only where necessary, utilizing different types of access controls such as user authentication, access based on job role, and regular user permission reviews.
Perform Regular Security Audits
Regular security audits and monitoring are crucial for a business to detect unusual activities and discover potential data breach signs or vulnerabilities within the organization.
The organization should work proactively to find security vulnerabilities, including implementing automated security audits and monitoring tools and also manually reviewing its systems and traffic for suspicious activities and behavior.
In addition, follow these best practices to identify third-party cybersecurity risks on time.
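As an added illustration of the two safeguards above (role-based access limits and a regular permission review backed by audit logging), here is a small Python example. It is not code from the original article or from Captain Compliance; the roles, data categories, users and request timeline are constructed for the example, and the thresholds (three denials within ten minutes, ninety days of unused permissions) are assumptions a real policy would set for itself.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Role -> set of (personal-information category, action) pairs the role may perform.
# Roles and categories are constructed for this example, not taken from any real system.
ROLE_PERMISSIONS = {
    "support_agent": {("contact", "read")},
    "billing_clerk": {("contact", "read"), ("payment", "read")},
    "privacy_officer": {("contact", "read"), ("payment", "read"), ("access_log", "read")},
}


@dataclass
class AccessEvent:
    """One access decision, kept so audits and permission reviews can examine it."""
    when: datetime
    user: str
    category: str
    action: str
    allowed: bool


@dataclass
class AccessControl:
    user_roles: dict                         # user -> role (constructed assignment)
    log: list = field(default_factory=list)  # every decision, allowed or denied

    def check(self, user, category, action, when):
        """Deny by default: unknown users and roles get an empty permission set."""
        role = self.user_roles.get(user)
        allowed = (category, action) in ROLE_PERMISSIONS.get(role, set())
        self.log.append(AccessEvent(when, user, category, action, allowed))
        return allowed

    def repeated_denials(self, threshold=3, window=timedelta(minutes=10)):
        """Audit signal: users with `threshold` or more denied requests inside `window`."""
        denied_times = defaultdict(list)
        for e in self.log:
            if not e.allowed:
                denied_times[e.user].append(e.when)
        flagged = set()
        for user, times in denied_times.items():
            times.sort()
            for i, start in enumerate(times):
                last = i + threshold - 1
                if last < len(times) and times[last] - start <= window:
                    flagged.add(user)
                    break
        return flagged

    def unused_permissions(self, now, lookback=timedelta(days=90)):
        """Permission review: granted (user, category, action) pairs not used in `lookback`.

        These are candidates for removal, which keeps access limited to where it is needed."""
        used = {(e.user, e.category, e.action) for e in self.log
                if e.allowed and now - e.when <= lookback}
        unused = set()
        for user, role in self.user_roles.items():
            for category, action in ROLE_PERMISSIONS.get(role, set()):
                if (user, category, action) not in used:
                    unused.add((user, category, action))
        return unused


def demo():
    """Run the gate over a constructed sequence of requests and return the review results."""
    ac = AccessControl(user_roles={"alice": "support_agent", "bob": "billing_clerk"})
    t0 = datetime(2024, 1, 15, 9, 0)  # constructed timestamp
    ac.check("alice", "contact", "read", t0)                          # allowed by role
    ac.check("alice", "payment", "read", t0 + timedelta(minutes=1))   # denied: not in role
    ac.check("alice", "payment", "read", t0 + timedelta(minutes=2))   # denied
    ac.check("alice", "payment", "read", t0 + timedelta(minutes=3))   # denied: third in 10 min
    ac.check("bob", "contact", "read", t0 + timedelta(minutes=5))     # allowed
    ac.check("carol", "contact", "read", t0 + timedelta(minutes=6))   # unknown user: denied
    return {
        "allowed_count": sum(1 for e in ac.log if e.allowed),
        "denied_count": sum(1 for e in ac.log if not e.allowed),
        "flagged_users": ac.repeated_denials(),
        "unused": ac.unused_permissions(now=t0 + timedelta(days=1)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of logging denied requests, not only allowed ones, is that a cluster of denials is exactly the "unusual activity" a security audit looks for, while the review of unused grants is the "regular user permission review" from the access-control section carried out against real usage rather than a stale org chart.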
Encrypt Sensitive Data
End-to-end encryption means converting data from plain text into an unreadable form on the sender's end so that only the person holding the corresponding decryption key can read it.
To secure sensitive data, a business should implement end-to-end encryption between a sender and a recipient, encrypted storage, and encryption in transit.
Conduct Employee Training and Education
Having the best third-party tools for encryption, automated security audit and monitoring, or diligently implementing strict data access control won’t matter much if your employees don’t know how to use those tools and, more importantly, why.
Compliance training and education are essential for employees to not only learn to use particular tools but also to instill in them a culture of data protection.
Penalties For Not Reporting a Data Breach to the PIPEDA
If a business violates its PIPEDA obligations and fails to comply with the law, it can incur fines of up to CAD$100,000 per violation, depending on the severity of the violation.
This includes not reporting a loss, unauthorized access, or disclosure of personal information due to a data breach to the Commissioner.
PIPEDA violations can also result in a civil, class, or private right of action, and the complainant can also apply to the Federal Court for a hearing. The Federal Court can then order the offending business to comply with PIPEDA, correct its practices, and compensate the complainant for damages.
Although the number of exposed records due to data breaches in Canada went down significantly from over 6.5 million in Q3 2021 to just over 167,000 in Q1 2023, the danger of cybersecurity attacks and data breach incidents is still very much present.
Captain Compliance can help your business mitigate those risks and stay compliant with data privacy laws, including PIPEDA. Contact us, and our privacy and compliance experts will ensure your business’s compliance.
What is the breach notification law in Canada?
The most important data privacy law in Canada, which also regulates data breach notifications, is the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA governs data protection in the majority of Canada. The exceptions are Alberta and BC, which each have a Personal Information Protection Act (PIPA), and Quebec, which has its own Privacy Act.
How do I report a breach of privacy in Canada?
A breach of privacy in Canada by a business must be reported to the Office of the Privacy Commissioner (OPC). The Commissioner will then investigate the matter with the business and determine whether it is guilty of a PIPEDA violation.
What are the breach notification rule requirements?
The Personal Information Protection and Electronic Documents Act (PIPEDA), Personal Information Protection Act (PIPA) in Alberta, and Quebec Privacy Act are the three laws in Canada that require a data breach notification.
Under both PIPEDA and PIPA, a data breach notification should be sent to the Office of the Privacy Commissioner of Canada.
The notification should include:
- A description of the circumstances in which the breach happened
- The date (or the span) when this occurred
- What personal information was affected
- What risk of harm this presents to the individuals
- An estimate of the number of individuals that are at significant risk of harm as a result of the incident
- What steps the company has taken to mitigate the risk of harm to the affected individuals
- Steps taken to notify individuals of the loss, unauthorized access, or disclosure of their data
- Name and contact information of the person appointed by the company to answer the Commissioner's questions regarding the data breach.
The only major difference between the two laws when it comes to data breach notification requirements is that, under Alberta PIPA, the business has to notify the federal regulator and not the individual unless the regulator requests this. In PIPEDA, you have to notify both the Commissioner and the individual.
The Quebec Privacy Act, on the other hand, requires notifying the Commission d'accès à l'information (CAI).
What to do after a data breach in Canada?
Once a data breach incident is discovered, a business operating in Canada must send a data breach notification to the Office of the Privacy Commissioner (OPC) or, if it is in Quebec, the Commission d'accès à l'information (CAI).
This notification should include:
- The circumstances of the incident
- The time of the breach
- Description of the compromised data
- Assessment of the risk of harm to individuals
- An estimated number of affected individuals
- Steps taken to reduce the risk of harm to individuals
- Steps taken to notify individuals of the compromise of their data
- Name and contact information of the person in the company who can answer the Commissioner’s questions about the breach
What is the penalty for privacy breach in Canada?
The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada does not have a specific monetary fine for privacy breaches. However, it does include a fine of up to CAD$100,000 for non-compliance.