Mexico's New Data Protection Law
Mexico has joined the ranks of more than 50 countries that have enacted omnibus data privacy laws covering the private sector. The new Federal Law on the Protection of Personal Data Held by Private Parties (Ley federal de protección de datos personales en posesión de los particulares) (the “Law”) was published on July 5, 2010 and took effect on July 6. IAPP has released an unofficial English translation. The Law will have an impact on the many US-based companies that operate or advertise in Mexico, as well as those that use Spanish-language call centers and other support services located in Mexico.
Like the EU Data Protection Directive and the Canadian federal PIPEDA legislation, Mexico’s data protection statute requires a lawful basis, such as consent or legal obligation, for collecting, processing, using, and disclosing personally identifiable information. There is no requirement to notify processing activities to a government body, as in many European countries, but companies handling personal data must furnish notice to the affected persons. Individuals have rights of access, correction, and objection (on “legitimate grounds”) to processing or disclosure. In the event of a security breach that would significantly affect individuals, those persons must be promptly notified. The Law also addresses data transfers, both within and outside Mexico.
A federal agency, the Institute for Access to Information and Data Protection (IFAI), will provide interpretive guidance and supervise compliance with the new law. IFAI will investigate complaints and inquiries and may launch investigations on its own initiative. In addition to administrative sanctions including warnings and fines, the law contemplates criminal prosecution of violators, with more substantial fines and the possibility of imprisonment for those responsible for a security breach or for fraudulent or deceptive collection and use of personal data.
The Law regulates private parties that “process” personally identified or identifiable data, with exceptions for credit reporting agencies (which are already covered by separate legislation) and individuals recording data exclusively for personal use. Definitions largely track those of the EU Data Protection Directive, including a very broad definition of “processing” that includes any collection, use, storage, or disclosure of data. The Law also uses the concepts of “data controller” and “data processor” as found in the EU Directive, respectively signifying entities that decide to process personal data and entities that carry out processing on their behalf.
The Law departs from the EU Directive, however, in reflecting the habeas data concept found in several Latin American constitutions and statutes: the individual to whom personal data relates is treated as the “data owner.” The individual’s legal rights derive largely from this concept of ownership and the associated right to control whether and how personal data is used.
“Sensitive data” gets some additional protections under the Law, as it does in Europe. As defined in the Law, sensitive data denotes information that touches on the most intimate aspects of a person’s life or involves a serious risk of discrimination. This includes but is not limited to “special categories” of data listed in the EU Directive: race or ethnicity, health, sexual preference, religious or philosophical beliefs, political views, and trade union membership. The Mexican law expressly adds genetic data to this list but does not include special treatment for criminal records as the EU Directive does.
The Law incorporates eight general principles that data controllers must follow in handling personal data: legality, consent, notice, quality, purpose limitation, fidelity, proportionality, and accountability. The Law also addresses data retention: personal data must be deleted when no longer necessary for the purposes set out in the privacy notice and applicable law.
Notice and Consent
Data controllers must furnish a privacy notice indicating what data is collected and for what purposes. If the data is collected directly from the individual, the privacy notice must be delivered at the same time (if not earlier) and in the same format. If the data is collected electronically, however, the data controller can choose to give only the identity and purposes of collection and a mechanism for obtaining the full privacy notice. Where the data has not been collected directly from the individual, the data controller must still provide a privacy notice and notification of changes in the privacy notice.
Data controllers can request authorization from IFAI to forego some or all of the notice requirements where, for example, the data collection is old or the cost of providing notice would be disproportionate.
The privacy notice must include the identity of the data controller, the purposes of processing, the individual’s options for limiting use or disclosure of the data, the procedures for access and correction by the individual, any contemplated transfers of the data, and procedures for notifying individuals about any subsequent changes in the privacy notice. The notice must expressly state if it concerns any sensitive data.
Consent usually can be tacit (opt-out) so long as there is sufficient notice. However, processing sensitive data or information about personal finances and assets requires express consent (opt-in); this must be recorded in writing (or electronically with authentication) in the case of sensitive data.
Consent is not required if
• the data controller is legally obliged to process the information
• the data is publicly available
• the data has been anonymized
• the data is necessary to fulfill obligations under a legal relationship between the data controller and the individual (such as employment or payment processing)
• there is an emergency that could harm the individual
• a health care professional needs the data to provide medical attention and the individual cannot give consent
• a competent government body issues a resolution waiving the consent requirement.
Security and Breach Notice
Data controllers are responsible for maintaining physical, technical, and administrative security measures to protect personal data from loss, alteration, and unauthorized disclosure or use. The measures must at least equal those taken to protect the data controller’s own information. Potential harm, the likelihood of security breaches, the sensitivity of the data, and technological developments are all to be taken into account in crafting appropriate security measures.
Security breaches that “materially” affect property or personal rights must be reported immediately to the affected individuals.
Data Transfers
Transferring personal data to a third party (other than for processing on behalf of the data controller) will typically require an agreement that the transferee will assume the same obligations as found in the privacy notice provided by the transferor. A data transfer requires the consent of the individual except where the transfer
• is pursuant to a law or treaty
• is necessary for medical purposes
• is made to a parent company or affiliate “operating under the same internal processes and policies” (Art. 37 (III))
• is necessary to fulfill a contract in the interest of the individual
• is necessary or legally required to protect a public interest or in the administration of justice
• is necessary to exercise a judicial claim or defense
• is necessary to maintain a legal relationship between the data controller and the individual.
The Law does not establish a formal procedure for approval of foreign data transfers. It appears that data controllers should be able to move data within a corporate group without individual consent, inside and outside Mexico, so long as the parent or affiliate does not handle the data in a manner contrary to the privacy notice furnished by the affiliate in Mexico.
Impact on US Companies
Many US companies have subsidiaries or distributors in Mexico, and data concerning Mexican employees, customers, and business contacts is often transferred to the US company for recordkeeping, contract fulfillment, business planning, market analysis, and other management purposes. Privacy notices in Mexico should mention these purposes and transfers, and the Mexican company may need to obtain opt-in consent in the case of sensitive and financial information. The US company must then handle data consistently with the privacy notice delivered by the Mexican affiliate or distributor, to avoid creating problems for the Mexican firm. For unrelated companies, data transfers should be covered by contractual terms that specify the relevant restrictions and provide for notice to the individuals unless an exception applies.
US companies also often contract with Mexican firms for Spanish-language call centers, customer support services, or outsourced data processing. Once customer data is processed by the Mexican company, it is subject to the Law, regardless of the location of the customers. US companies using such services in Mexico may expect that their vendors will increasingly refer in contracts to their own obligations under the Law and may require cooperation from the US companies in responding to privacy-related complaints and security breaches in Mexico.
Corporate groups operating in Mexico or using data-centric services in Mexico will need to stay abreast of IFAI decisions and changing business practices resulting from the new Law.
FAQ on Alberta's New Breach Notice Law
Earlier this month (May 1, 2010), Alberta became the first Canadian province to pass a broad breach notice law (“Bill 54”) as part of their comprehensive data privacy statute, the Personal Information Protection Act (“the Act”; technically, Alberta is the second province to pass a breach notice law in Canada, Ontario previously passed a breach notice law that focuses on health information custodians).
It will be interesting to see whether the Alberta law ushers in the passage of additional provincial laws similar to way California's SB 1386 lead to breach notice laws in over forty U.S. states. There appear to be several breach notice initiatives at the provincial and federal level in Canada, some of which may be on the verge of passing. If a wave of breach notice laws do pass throughout Canada, it will be interesting to see if it will have the same impact as in the United States (e.g. frequent reporting of breaches, lawsuits, etc.). It will also be interesting to see whether the Canadian approach differs from the U.S. approach.
This blog post breaks down Alberta’s breach notice provisions in a “Frequently Asked Questions” format, and includes commentary and comparisons to existing U.S. law. Note that the Act also now includes obligations concerning collecting and transferring of personal information outside of Canada. That is also discussed briefly in this blog post.
Obligations Concerning Personal Information Collection and Transfer Outside of Canada
First, before diving into the FAQ on the breach notice provisions of Bill 54, let’s take a quick look an amendment in Bill 54 that addresses the use of service providers outside of Canada for purposes of collecting or transferring personal information. Bill 54 added the following provision to the Act:
13.1(1) Subject to the regulations, an organization that uses a service provider outside Canada to collect personal information about an individual for or on behalf of the organization with the consent of the individual must notify the individual in accordance with subsection (3).
(2) Subject to the regulations, an organization that, directly or indirectly, transfers to a service provider outside Canada personal information about an individual that was collected with the individual’s consent must notify the individual in accordance with subsection (3).
(3) An organization referred to in subsection (1) or (2) must, before or at the time of collecting or transferring the information, notify the individual in writing or orally of (a) the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and (b) the name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.
While this provision does not require an individual’s consent to use a service provider outside of Canada, it does require certain notice of certain information to the individual prior to collecting or transferring personal information to such service providers. This specific information referenced in the Act can probably be put into an organization’s privacy policy. However, for organizations that have existing non-Canadian service provider relationships, a process must be put in place to provide notice to individuals. This provision may also have implications with respect to Cloud computing. Some organizations in Canada using the Cloud may not know whether personal information is being transferred outside of the United States. As such, these organizations may have to examine their existing service provider relationships, including identifying subcontractors outside of Canada that service providers may be using.
FAQ on the Personal Information Protection Act’s Breach Notice Obligations.
What breach notification obligations are set forth in Alberta’s breach notice law?
There are actually two potential notification obligations in Alberta’s breach notice law. The primary obligation requires organizations to provide notice to Alberta’s Information and Privacy Commissioner (the “Commissioner”):
34.1(1) An organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.
(emphasis supplied). In addition, organizations that suffer a breach may also have to provide notice to the impacted individuals:
37.1(1) Where an organization suffers a loss of or unauthorized access to or disclosure of personal information that the organization is required to provide notice of under section 34.1, the Commissioner may require the organization to notify individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure (a) in a form and manner prescribed by the regulations, and (b) within a time period determined by the Commissioner.
(emphasis supplied). Two points jump out based on these duties. First, it appears that any notice obligation for individuals applies only to those individuals as to whom there is a “real risk of significant harm.” So with respect to a particular breach, this may involve only a subset of those individuals whose personal information was subject to loss or unauthorized access. Second, even if a real risk of significant harm does exist, there is no automatic mandatory reporting obligation to the impacted individuals. Rather, there is only a reporting obligation if the Commissioner requires reporting. At the end of the day however, depending on the regulations and procedures created by the Commissioner, this notification obligation may effectively become “mandatory.” In fact, subsection 37.1(3) requires the Commissioner to establish an “expedited process” for determining whether to require notification where the harm to the individual is “obvious and immediate.”
Differences against U.S. State breach notice laws:
- Regulator Involvement. The obvious difference between Alberta and most U.S. breach notice laws is that the primary notification obligation is to the regulators. In the U.S. the breach notice laws require notification to the impacted individuals, and some also require concurrent notification to the state regulators (e.g. state attorneys general). In addition, the U.S. breach notice laws typically do not give the regulators discretion as to whether to require notice to individuals.
- Harm Threshold. Like some state breach notice laws, Alberta’s law has a “harm” threshold built into it. While no U.S. breach notice law uses the “real risk of significant harm” terminology, some states do require a material risk of harm, a material compromise, a material risk of identity theft, or similar. While it is difficult to compare harm standards, and more research would be necessary to get a clearer picture, it appears that the real risk of significant harm threshold is relatively high. The term does not appear to be defined in the Act itself, but perhaps the Commissioner will get an opportunity to clarify its meaning as it develops regulations and processes for managing the notifications it receives.
What kind of information does the Alberta breach notice law apply to?
It applies to “personal information”, which is defined as follows:
“personal information” means information about an identifiable individual.
Differences against U.S. State breach notice laws:
- No residency requirement. Unlike U.S. state laws, the residency of the individual does not matter. Personal information could relate to any individual whether a resident of Alberta or not. This could serve to limit the Commissioner’s jurisdiction to some degree. In the U.S. states, a state breach notice law could apply to a company with little to no “presence” in that state simply if they held personal information of a resident. Under Alberta’s law, there may need to be more traditional “doing business” jurisdiction for this law to apply. However, this jurisdictional issue is outside of the scope of this article (Michael Power, please weigh in if you would like/have the time).
- Less precise definition than U.S. breach notice laws. In U.S. breach notice laws the definition of “personal information” or “personally identifiable information” is more precise: typically requiring first name/first initial and last name, in combination with some kind of a account number. The concept of “identifiable individual” is arguably a broader concept than PI or PII in the United States, and therefore there may be instances of reporting required under Alberta’s law that may not be required under U.S. law (on the argument that PI or PII was not at issue as defined under the U.S. breach notice law[s]).
How is a “security breach” defined that would trigger Alberta's breach notice law?
There is no formal definition for “security breach” or “breach of the security of the system.” Nonetheless, a security breach trigger is described in Alberta law as follows: “any incident involving the loss of or unauthorized access to or disclosure of the personal information.” However, a breach by itself does not trigger a reporting obligation unless “there [also] exists a real risk of significant harm to an individual.”
Differences against U.S. State breach notice laws:
- Actual Loss/Unauthorized Access/Disclosure. Under Alberta's law it appears that there must be an actual loss or unauthorized access to or disclosure of the personal information to activate the trigger. Many U.S. breach notice laws are triggered if there is a reasonable belief or suspicion of unauthorized access or acquisition. As anybody knows who has handled a breach, it is not entirely clear in some cases whether actual unauthorized access occurred (often there is circumstantial or tangential evidence of unauthorized access). If construed in this matter, the Alberta law may result in some breaches not being reported.
- Alberta's Loss Trigger. Second, the Alberta law includes “loss” as a trigger. The classic example is a lost laptop. Under many/most U.S. statutes, loss of personal information is not a explicit trigger. Depending on the circumstances, under U.S. state breach notice laws, some organizations may argue that a lost laptop with personal information does not amount to a reasonable belief of unauthorized access. Alberta’s law takes that argument away (however, the harm threshold must still be met).
What is the risk of harm threshold under Alberta’s breach notice law, and how does it operate in terms of the individuals who must be notified?
As discussed above the risk of harm threshold for notification is a “real risk of significant harm.” This harm threshold appears to apply in two different ways under the Alberta law. Under section 34.1 if there is a security breach where a reasonable person would consider that there exists a real risk of significant harm to an individual, the organization must report to the Commissioner. Notice of the entire security incident to the Commissioner is required if a real risk of significant harm exists for a single individual impacted by the incident.
However, under section 37.1, notification is required only to those individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure. This standard takes out the “reasonable person” test and appears to require actual an actual risk of harm. Moreover, notice is only required to those individuals as to whom a real risk of harm exists. So, if the organization reports a breach involving 1 million people and one may have reasonable suffered significant harm, it must report the entire breach to the Commissioner. However, it appears that the only individual that the organization must provide notice to is the individual as to whom an actual real risk of significant harm exists.
What notification obligations does an organization have if its service provider suffers a breach involving personal information?
The Alberta law applies to an organization that has personal information “under its control.” On its face, this control standard appears ambiguous when a service provider breach has occurred. If personal information is stored offsite on a service provider’s computer, but is accessible to an organization, is it under the “control” of the organization or the service provider (or both)? Unlike U.S. breach notice laws, Alberta’s law does not distinguish between the “owner” or “licensee” of personal information and the “service provider” (whose typical breach notice obligation under U.S. laws is to report the breach to the owner/licensee). This of course begs the next question.
What notification obligations does a service provider have if it suffers a breach involving personal information of its customers?
This is the flip-side of the question posed above. Service providers may be hard pressed to argue that they were not in “control” of personal information provided by their customers, and therefore may have an independent duty to notify under the Commissioner and possibly the impacted data subjects. Again, this is less clear than U.S. laws that only require service providers to report the breaches to their customers (a.k.a data owners/licensees; although some have argued that ambiguity exists as to the meaning of data "licensee" under U.S. laws).
Under Alberta’s breach notice law, do the notification obligations apply to personal information that is encrypted?
Unlike most U.S. laws there is no specific reference to encryption under Alberta’s breach notice law, and therefore no explicit encryption safe harbor. However, practically speaking, the definitions and triggers in Alberta’s law may preclude notice obligations with respect to encrypted personal information. For example, organizations may argue that, with respect to encrypted personal information, a reasonable person would NOT consider that there exists a real risk of significant harm to an individual whose personal information was lost or subject to unauthorized access.
Conclusion
Alberta's breach notice provisions are very interesting, especially when compared and contrasted against the approach of U.S. states. It will be even more interesting to see if Alberta's law becomes the model for other provinces, and whether it will have a similar impact on Canadian organizations as it did in the United States.
Security Breach Notices for Canadian Data
There’s some Canadian data on that lost laptop or hacked server. Do you have to notify individuals or authorities in Canada, as you are often required to do in the United States?
The US model of security breach notice laws has not been widely emulated abroad, although several jurisdictions are considering similar measures. Nevertheless, a duty to give notice of significant security breaches has been inferred in some cases from general principles found in comprehensive privacy and data protection laws in Europe, Canada, Japan, and elsewhere. Privacy commissioners in Canada have applied such general principles in publishing guidelines for companies suffering a data leak involving personal information. In addition, the province of Ontario expressly requires notice to individuals if their personal health information is compromised.
More recently, Special Commissions at the federal level and in the provinces of Alberta and British Columbia have recommended amending privacy legislation to mandate notification of material security breaches. Alberta is the first to act on this recommendation. Bill 54, amending Alberta’s Personal Information Privacy Act, will soon require organizations to notify potentially harmful security breaches to the Alberta Privacy Commissioner – who may then dictate the terms of notice to affected individuals.
As readers of this blog are no doubt aware, security breach notice laws have proliferated in the United States since California’s SB 1386 came into effect in 2003. Forty-five states, the District of Columbia, Puerto Rico, the Virgin Islands, and the US federal government (with respect to medical and financial data) have established obligations to notify potentially affected individuals, and sometimes relevant authorities, when there is reason to believe that the security of certain kinds of personal information has been compromised.
The focus in the US has been on the kinds of information most likely to be abused for purposes of identity theft and fraud. The “standard set” of personal information covered by state breach notice laws is limited to unencrypted, name-linked Social Security Numbers, driver’s license or other official state identification numbers, and bank account or payment card numbers (if the access code is compromised as well). The federal HITECH Act requires notice in many cases where personally identifiable medical information has been compromised, and several states require notice of security breaches involving health-related information or other data elements beyond the “standard set,” ranging from date of birth and mother’s maiden name to employer and tribal ID numbers.
American companies, nonprofits, and public entities are becoming familiar with breach notice obligations and consequences in the US, but some of the same security incidents also compromise data concerning individuals residing in other countries, most commonly Canada. US-based enterprises often ask how a data leak including protected information about Canadians should be handled.
While I am not a Canadian lawyer, I have had occasion to help clients determine how to address international data leaks, often with assistance from qualified Canadian counsel. Here are some important background facts and guiding principles gleaned from these experiences and from recent developments in Canadian law and official guidance:
PIPEDA and Provincial Privacy Laws
While Canada has not (yet) adopted federal breach notice legislation, relevant obligations are found in the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), which came fully into effect in 2004. PIPEDA’s Schedule 1 states ten “fair information principles” articulated by the Canadian Standards Association (CSA) for the collection, use, or disclosure of personal information. Unlike the American approach of protecting only specific kinds of personal information, PIPEDA defines personal information broadly as any information about an identifiable individual except business contact information.
PIPEDA applies to federal works, undertakings, or businesses (“FWUBs,” notably banks, telecommunications firms, transportation companies, and enterprises operating in the territories), as well as to inter-provincial and international commercial activities and to commercial activities within provinces that have not enacted similar privacy legislation.
However, under Canada’s constitution, employment matters are traditionally left to provincial law, so PIPEDA normally does not govern an employer’s handling of employee data unless the employer is an FWUB. Provincial law rather than PIPEDA also applies if the federal Governor in Council determines that provincial legislation is “substantially similar” to PIPEDA and incorporates the CSA fair information principles. So far, Alberta and British Columbia have enacted personal information protection acts (“PIPAs”) based on PIPEDA, and Quebec has an older personal data protection statute based on broadly similar principles. Ontario enacted a Personal Health Information Protection Act in 2004 modeled on PIPEDA’s approach to personal information, although the act concerns only health-related information. These four laws have been deemed “substantially similar” to PIPEDA.
The federal and provincial privacy commissioners are authorized to investigate compliance issues, including security breaches, as well as offering interpretation and guidance on the application of privacy laws. The commissioners may refer suspected violations to prosecutors. The commissioners’ guidance documents are not legally binding, but they serve to establish “best practices” in industry and are likely to be influential in court.
So, an American company suffering a data leak involving Canadian consumers normally looks to PIPEDA and guidance from the federal Privacy Commissioner, because the company is typically engaged in international or inter-provincial commerce. To the extent that the data leak involves Canadian employee data, the American company normally looks to provincial law, and only Alberta, British Columbia, and Quebec have PIPAs (and guidance from provincial privacy commissioners) governing employee privacy. If the incident involves health information in Ontario, the Ontario Personal Health Information Protection Act generally applies. (As in the US, there may also be liability for a security incident under tort or contract law, but the focus here is on laws and guidance concerning breach notice.)
Is Breach Notice Required under Canadian Privacy Laws?
PIPEDA does not explicitly address security breach notice to affected individuals or to the relevant privacy commissioner. However, PIPEDA (like the provincial PIPAs) regulates the authorized “collection, use or disclosure” of personal information, and lost or stolen personal information may be deemed an unauthorized collection or use of data, or, from the perspective of the responsible organization, an unauthorized “disclosure” of personal information.
Specifically, PIPEDA holds an organization “responsible for personal information under its control” (Sch. 1, sec. 4.1) and requires the organization to designate one or more individuals who are “accountable” for the organization’s compliance (Sch. 1, secs. 4.1.1, 4.1.2). The Act requires the organization to ensure a comparable level of protection, contractually or by other means, when the information is handled by a third party (Sch. 1, sec. 4.1.3). The consent of the individual is required for the collection, use, or disclosure of personal information, except where consent would be “inappropriate” (Sch. 1, sec. 4.3). Personal information is not to be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law (Sch. 1, sec. 4.5). Organizations must protect personal information with “security safeguards appropriate to the sensitivity of the information” (Sch. 1, sec. 4.7). A security breach might be viewed as a violation of any or all of these principles.
PIPEDA does not explicitly include a requirement to notify privacy commissioners or individuals of instances of noncompliance. Organizations are not required to register or report to privacy commissions, as in many European countries, although PIPEDA (like the provincial PIPAs) empowers the privacy commission to “audit” the personal information management practices of any organization if the commission has “reasonable grounds” to suspect a violation (PIPEDA sec. 18). The “openness” principle of PIPEDA and the provincial PIPAs directs organizations to make their personal information “policies and practices” readily available to individuals (PIPEDA Schedule 1, sec. 4.8), and the law provides that organizations must have procedures for receiving and responding to requests for information and complaints (Sch. 1, secs. 4.9, 4.10). Arguably, this may imply openness about known, substantial security failures, and it certainly means that the organization must have procedures in place for fielding any questions about an announced or suspected security breach involving personal information.
Privacy Commissioner Guidelines
Following widely publicized data breaches at a unit of the Canadian Imperial Bank of Commerce and Canadian subsidiaries of the US-owned TJX retail group, the federal Privacy Commissioner, in collaboration with the Privacy Commissioners of Alberta, British Columbia, and Ontario, issued a document entitled “Key Steps for Organizations in Responding to Privacy Breaches” (the “Guidelines”) in late 2007. The Guidelines define a breach as “an unauthorized access to, or collection, use or disclosure of, personal information.” “Unauthorized” refers to an act in violation of PIPEDA or similar provincial legislation, thus tying security breaches to compliance with the laws for which the privacy commissions are responsible. The Privacy Commissioner of Ontario issued similar guidance for health information custodians under the Ontario Personal Health Information Protection Act.
According to the federal Guidelines, an organization that becomes aware of an unauthorized access to personal information should consider the following steps and implement them to the extent necessary to mitigate harm:
1. Breach containment and preliminary assessment (shutting down systems, recovering records, designating a lead investigator, determining who needs to be notified inside and outside the organization, notifying the police of suspected criminal activity, preserving evidence)
2. Risk evaluation (kinds of data involved, causes and risk of further exposure, number and names of affected individuals, who received access to the data and what kind of harm could result)
3. Notification (see below)
4. Prevention of future breaches (security audit, assessment of policies, employee training)
Notification is to be determined on a case-by-case basis including the following factors:
• Individuals should be notified if the breach poses a risk of personal harm, including physical injury, identity theft, fraud, financial loss, loss of business or employment opportunities, humiliation, or damage to reputation or relationships.
• Individuals should be notified “as soon as possible” following assessment and evaluation of the breach.
• The preferred form of notification is direct – by phone, email, or postal mail. Indirect methods (such as media announcements) are appropriate only where direct notification could cause further harm.
• The organization with a direct relationship with the individuals should normally be the one to notify them.
• Notices should generally include descriptions of:
o The incident
o The information compromised
o Actions taken by the organization to mitigate harm
o Resources to help the individuals take protective measures.
• Notification may also be appropriate to other parties such as
o Privacy commissioners
o Police
o Licensing or other regulatory bodies
o Affiliates or business units
o Trade unions
o Third-party contractors affected by the breach
o Insurers
o Credit card issuers.
Unlike American breach notice statutes and regulations, which are legally enforceable, the Guidelines themselves do not have the force of law. Canadian lawyers emphasize, however, that courts are likely to defer to the expert commissions and consult the Guidelines in deciding whether an organization suffering a security breach has violated PIPEDA or a provincial PIPA, or whether the organization has met contractual expectations or a duty of reasonable care under tort law.
Other notable differences between the Canadian approach and US breach notice laws:
• Scope: US laws require breach notice for only certain kinds of unencrypted personal information, with an emphasis on preventing ID theft or protecting medical data. Canada’s PIPEDA and provincial PIPAs cover all personally identifiable information and all forms of harm.
• Encryption: Unlike US laws, Canada’s PIPEDA and PIPAs, as interpreted by privacy commissioners, do not expressly offer a “safe harbor” for encrypted data. However, encryption presumably should be taken into consideration in determining whether there has been “unauthorized access” to the data and whether there is a material risk of future harm.
• Notice to authorities: Some US laws mandate notice to specified authorities, such as law enforcement, regulatory, or consumer protection agencies. The Canadian laws are silent on this, but the Guidelines “encourage” organizations to report to the relevant privacy commission(s) and, where appropriate, to police and regulatory authorities and affected third parties.
• Notice to individuals: US laws make breach notice mandatory under specified conditions, while the Canadian Guidelines simply list factors to consider in determining whether notice is necessary.
• Form of notice: The Guidelines show a strong preference for direct notice to the affected individuals, delivered by the party with the closest relationship to the individuals. Many of the US breach notice laws permit (or require) mass media announcements where large numbers of individuals are involved or it is “impractical” to notify individuals directly.
Ontario’s Personal Health Information Protection Act
Although Ontario has not yet enacted a comprehensive PIPA, its Personal Health Information Protection Act already includes breach notice requirements for custodians of personal health information (sec. 12(2)):
“a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons.”
The Act appears to hold a health information custodian in Ontario responsible for breach notice regardless of where the breach occurs. A security breach at an American affiliate or service provider, for example, could trigger notice obligations on the part of the Canadian health information custodian.
Alberta’s Bill 54
While the federal government continues to consider proposed PIPEDA amendments, including provisions that would introduce specific breach notice requirements, the province of Alberta has gone ahead with Bill 54, amending Alberta’s PIPA. The bill, adopted by the legislature last year, has already received Royal Assent and will come into force on proclamation, which is likely to occur in the near future.
Bill 54 is significant for companies operating in Alberta or otherwise handling data concerning Alberta customers or employees. It increases penalties for noncompliance, imposes a duty to destroy personal information when it is no longer needed, and requires notice to individuals before transferring personal information to a foreign service provider, a practice that must also be described in the organization’s personal information management policies and procedures.
Importantly, Bill 54 also requires an organization to notify the Privacy Commissioner of Alberta if personal information under its control is lost, accessed, or disclosed to a third party without authorization and if “a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.” The details to be included in such a notice will be prescribed by regulation, and the Commissioner may request additional information concerning the breach.
Once notified, the Privacy Commissioner is authorized to require that the organization provide notice to affected individuals, under terms and conditions that the Commissioner deems appropriate in the circumstances, following an “expedited” procedure. The law expressly permits organizations to notify individuals on their own initiative, but the Commissioner may require additional notice.
If Alberta’s new law is a good indicator of where federal and provincial legislation is headed, companies can expect that significant data breaches in the future will typically involve a prompt notice to the relevant privacy commissioner(s) and some colloquy with their offices before sending notices to individuals in Canada. This represents a level of official involvement beyond what is common in the United States outside the investigation of potentially criminal acts of theft or fraud.
