FAQ on Alberta's New Breach Notice Law
Earlier this month (May 1, 2010), Alberta became the first Canadian province to pass a broad breach notice law (“Bill 54”) as part of its comprehensive data privacy statute, the Personal Information Protection Act (“the Act”). Technically, Alberta is the second province to pass a breach notice law in Canada; Ontario previously passed a breach notice law that focuses on health information custodians.
It will be interesting to see whether the Alberta law ushers in the passage of additional provincial laws, similar to the way California's SB 1386 led to breach notice laws in over forty U.S. states. There appear to be several breach notice initiatives at the provincial and federal level in Canada, some of which may be on the verge of passing. If a wave of breach notice laws does pass throughout Canada, it will be interesting to see whether it has the same impact as in the United States (e.g. frequent reporting of breaches, lawsuits, etc.), and whether the Canadian approach differs from the U.S. approach.
This blog post breaks down Alberta’s breach notice provisions in a “Frequently Asked Questions” format, and includes commentary and comparisons to existing U.S. law. Note that the Act also now includes obligations concerning the collection and transfer of personal information outside of Canada. That is also discussed briefly in this blog post.
Obligations Concerning Personal Information Collection and Transfer Outside of Canada
First, before diving into the FAQ on the breach notice provisions of Bill 54, let’s take a quick look at an amendment in Bill 54 that addresses the use of service providers outside of Canada for purposes of collecting or transferring personal information. Bill 54 added the following provision to the Act:
13.1(1) Subject to the regulations, an organization that uses a service provider outside Canada to collect personal information about an individual for or on behalf of the organization with the consent of the individual must notify the individual in accordance with subsection (3).
(2) Subject to the regulations, an organization that, directly or indirectly, transfers to a service provider outside Canada personal information about an individual that was collected with the individual’s consent must notify the individual in accordance with subsection (3).
(3) An organization referred to in subsection (1) or (2) must, before or at the time of collecting or transferring the information, notify the individual in writing or orally of (a) the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and (b) the name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.
FAQ on the Personal Information Protection Act’s Breach Notice Obligations
What breach notification obligations are set forth in Alberta’s breach notice law?
There are actually two potential notification obligations in Alberta’s breach notice law. The primary obligation requires organizations to provide notice to Alberta’s Information and Privacy Commissioner (the “Commissioner”):
34.1(1) An organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.
(emphasis supplied). In addition, organizations that suffer a breach may also have to provide notice to the impacted individuals:
37.1(1) Where an organization suffers a loss of or unauthorized access to or disclosure of personal information that the organization is required to provide notice of under section 34.1, the Commissioner may require the organization to notify individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure (a) in a form and manner prescribed by the regulations, and (b) within a time period determined by the Commissioner.
(emphasis supplied). Two points jump out based on these duties. First, it appears that any notice obligation for individuals applies only to those individuals as to whom there is a “real risk of significant harm.” So with respect to a particular breach, this may involve only a subset of those individuals whose personal information was subject to loss or unauthorized access. Second, even if a real risk of significant harm does exist, there is no automatic mandatory reporting obligation to the impacted individuals. Rather, there is a reporting obligation only if the Commissioner requires reporting. At the end of the day, however, depending on the regulations and procedures created by the Commissioner, this notification obligation may effectively become “mandatory.” In fact, subsection 37.1(3) requires the Commissioner to establish an “expedited process” for determining whether to require notification where the harm to the individual is “obvious and immediate.”
Differences against U.S. State breach notice laws:
- Regulator Involvement. The obvious difference between Alberta and most U.S. breach notice laws is that the primary notification obligation is to the regulator. In the U.S., the breach notice laws require notification to the impacted individuals, and some also require concurrent notification to state regulators (e.g. state attorneys general). In addition, the U.S. breach notice laws typically do not give the regulators discretion as to whether to require notice to individuals.
- Harm Threshold. Like some state breach notice laws, Alberta’s law has a “harm” threshold built into it. While no U.S. breach notice law uses the “real risk of significant harm” terminology, some states do require a material risk of harm, a material compromise, a material risk of identity theft, or similar. While it is difficult to compare harm standards, and more research would be necessary to get a clearer picture, it appears that the real risk of significant harm threshold is relatively high. The term does not appear to be defined in the Act itself, but perhaps the Commissioner will get an opportunity to clarify its meaning as it develops regulations and processes for managing the notifications it receives.
What kind of information does the Alberta breach notice law apply to?
It applies to “personal information”, which is defined as follows:
“personal information” means information about an identifiable individual.
Differences against U.S. State breach notice laws:
- No residency requirement. Unlike under U.S. state laws, the residency of the individual does not matter. Personal information could relate to any individual, whether a resident of Alberta or not. This could serve to limit the Commissioner’s jurisdiction to some degree. In the U.S., a state breach notice law could apply to a company with little to no “presence” in that state simply because it held personal information of a resident. Under Alberta’s law, there may need to be more traditional “doing business” jurisdiction for this law to apply. However, this jurisdictional issue is outside of the scope of this article (Michael Power, please weigh in if you would like/have the time).
- Less precise definition than U.S. breach notice laws. In U.S. breach notice laws the definition of “personal information” or “personally identifiable information” is more precise: typically requiring first name/first initial and last name, in combination with some kind of account number. The concept of “identifiable individual” is arguably broader than PI or PII in the United States, and therefore there may be instances where reporting is required under Alberta’s law that would not be required under U.S. law (on the argument that PI or PII, as defined under the U.S. breach notice law[s], was not at issue).
How is a “security breach” defined that would trigger Alberta's breach notice law?
There is no formal definition for “security breach” or “breach of the security of the system.” Nonetheless, a security breach trigger is described in Alberta law as follows: “any incident involving the loss of or unauthorized access to or disclosure of the personal information.” However, a breach by itself does not trigger a reporting obligation unless “there [also] exists a real risk of significant harm to an individual.”
Differences against U.S. State breach notice laws:
- Actual Loss/Unauthorized Access/Disclosure. Under Alberta's law it appears that there must be an actual loss or unauthorized access to or disclosure of the personal information to activate the trigger. Many U.S. breach notice laws are triggered if there is a reasonable belief or suspicion of unauthorized access or acquisition. As anybody who has handled a breach knows, it is not entirely clear in some cases whether actual unauthorized access occurred (often there is only circumstantial or tangential evidence of unauthorized access). If construed in this manner, the Alberta law may result in some breaches not being reported.
- Alberta's Loss Trigger. The Alberta law includes “loss” as a trigger. The classic example is a lost laptop. Under many/most U.S. statutes, loss of personal information is not an explicit trigger. Depending on the circumstances, under U.S. state breach notice laws, some organizations may argue that a lost laptop with personal information does not amount to a reasonable belief of unauthorized access. Alberta’s law takes that argument away (however, the harm threshold must still be met).
What is the risk of harm threshold under Alberta’s breach notice law, and how does it operate in terms of the individuals who must be notified?
As discussed above, the risk of harm threshold for notification is a “real risk of significant harm.” This harm threshold appears to apply in two different ways under the Alberta law. Under section 34.1, if there is a security breach where a reasonable person would consider that there exists a real risk of significant harm to an individual, the organization must report to the Commissioner. Notice of the entire security incident to the Commissioner is required if a real risk of significant harm exists for a single individual impacted by the incident.
However, under section 37.1, notification is required only to those individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure. This standard drops the “reasonable person” test and appears to require an actual risk of harm. Moreover, notice is required only to those individuals as to whom a real risk of harm exists. So, if an organization suffers a breach involving 1 million people and one of them may reasonably have suffered significant harm, it must report the entire breach to the Commissioner. However, it appears that the only individual the organization must provide notice to is the individual as to whom an actual real risk of significant harm exists.
What notification obligations does an organization have if its service provider suffers a breach involving personal information?
The Alberta law applies to an organization that has personal information “under its control.” On its face, this control standard appears ambiguous when a service provider breach has occurred. If personal information is stored offsite on a service provider’s computer, but is accessible to an organization, is it under the “control” of the organization or the service provider (or both)? Unlike U.S. breach notice laws, Alberta’s law does not distinguish between the “owner” or “licensee” of personal information and the “service provider” (whose typical breach notice obligation under U.S. laws is to report the breach to the owner/licensee). This of course raises the next question.
What notification obligations does a service provider have if it suffers a breach involving personal information of its customers?
This is the flip side of the question posed above. Service providers may be hard pressed to argue that they were not in “control” of personal information provided by their customers, and therefore may have an independent duty to notify the Commissioner and possibly the impacted data subjects. Again, this is less clear than U.S. laws, which only require service providers to report breaches to their customers (a.k.a. data owners/licensees; although some have argued that ambiguity exists as to the meaning of data “licensee” under U.S. laws).
Under Alberta’s breach notice law, do the notification obligations apply to personal information that is encrypted?
Unlike most U.S. laws, there is no specific reference to encryption in Alberta’s breach notice law, and therefore no explicit encryption safe harbor. However, practically speaking, the definitions and triggers in Alberta’s law may preclude notice obligations with respect to encrypted personal information. For example, organizations may argue that, with respect to encrypted personal information, a reasonable person would NOT consider that there exists a real risk of significant harm to an individual whose personal information was lost or subject to unauthorized access.
Alberta's breach notice provisions are very interesting, especially when compared and contrasted against the approach of U.S. states. It will be even more interesting to see if Alberta's law becomes the model for other provinces, and whether it will have a similar impact on Canadian organizations as breach notice laws have had on organizations in the United States.