The final regulations for mandatory breach notification are now in place as companies prepare for the November 1 enforcement deadline announced earlier this month.
These provisions have been in the works for many years now, ever since the Canadian government passed into law Bill S-4, known as the Digital Privacy Act, which made amendments to the Personal Information Protection and Electronic Documents Act in 2015.
There’s nothing terribly surprising in the regulations, said Patrick Bourk, principal and national cyber practice leader at HUB International, but with a specific date on the calendar, companies will be reminded of the shock that this could have on their organizations.
Reporting and record-keeping are the two key factors companies need to pay attention to in the regulations, according to Bourk: organizations will now have to report a data breach to the Privacy Commissioner and to affected individuals whenever the breach creates a real risk of significant harm to the individual.
“The law will now say, ‘if you have a breach, you must report it by law,’” he explained. “What could come out of it is now all of a sudden, there’s going to be organizations rushing to say, ‘how do we prepare for this, how do we go about building an incident response plan, what does the incident response plan look like, who are the professionals that we better have on retainer if we do have a problem?’ There’s now going to be a rush to build something to deal with the potential of breach.
“Regardless of whether you reach that threshold, the law is going to require every company to maintain a record of every breach of safeguards involving personal information,” he added. “What does that mean? Well, you better have a policy in place if there’s a breach. It’s not like you have to notify everybody, but you have to have a protocol for documenting it, for categorizing it, for saving for two years.”
Putting more emphasis on pre-breach planning is a smart move companies could make right now. Through an exclusive partnership with a key insurer, HUB International already offers clients sample incident response plans that they can vet and implement in their organizations. Insurers can help in other ways, too.
“The insurance policy doesn’t have a threshold of real risk of imminent harm so if you have an incident, you can leverage your insurance policy to help document your mandatory breach file and the policy will therefore pay for the costs of the experts to get involved to determine [if] this [is] something we should report,” he explained.
The cyber expert draws a comparison to the Y2K crisis, when new companies came out of the woodwork to offer compliance services. In this case, an increase in interest in cyber insurance could be the result of the new breach notification rules.
“The introduction of that requirement in the US had the knock-on effect of companies looking at cyber insurance, so we’re anticipating that this could have that same kind of impact,” said Bourk. “Once companies hear about this, their in-house counsel hear about it, their legal counsel advise them of these new rules, there’s probably going to be an increased interest in, ‘what do we do to prepare for this other than hire a law firm to help us build out our plan of attack? Let’s get an insurance policy as well.’”
One barrier some organizations could encounter in the lead-up to the enforcement date is picking a person to handle the documentation of breaches and to determine whether a breach meets the harm threshold.
“If there’s some sort of privacy breach, whoever is tasked with that in an organization is going to have to get up to speed with what exactly constitutes a breach,” said Bourk. “They’re going to have to now use their judgement to say, ‘is this a real risk of significant harm threshold met such that we have to tell the whole world about it?’”
But not all companies will have to build something from nothing to meet the regulations. Bourk has seen many clients already taking the right steps when hit with a breach.
“They’ll call the right professionals, they’ll get the advice on [whom] to notify and when, and in many cases, they do end up notifying because it’s the prudent thing to do and it’s a brand reputation issue,” he said. “For the companies that had no idea that this exists and that this is going to be a new requirement, I think they’ll be scared straight.”