March 14, 2023 | By Craig Zawada, K.C.
A dark, and not very funny, joke in IT administration circles says there are two kinds of businesses: those which have been hacked and those which will be. Anyone who has suffered through ransomware, data theft, or another form of cyber-attack knows the incredible cost in time, resources, reputation, and even mental health.
Depending on how well the business has prepared for a potential breach, those consequences can be minimized, but they are rarely trivial. And at the extreme end of the spectrum, they can literally destroy an organization. As this is being written, Indigo is pulling itself out of a suspected ransomware attack that severely impacted operations, but they are not alone. Businesses like Equifax, Garmin, LastPass, Running Room and countless others have reported breaches in recent years. They will not be the last.
There are many things that should go into a company’s cyber-attack incident plan, but we will focus on just one here: breach reporting. This is a legal obligation in Canada that can lead to penalties today. It will carry much larger fines once Canada’s new privacy legislation is passed, likely in 2023.
Alberta and Quebec were the first two Canadian provinces to mandate breach reporting, and the federal government’s Personal Information Protection and Electronic Documents Act (PIPEDA) followed suit in 2018. That Act says that if there is a breach of your security safeguards, you are required to notify the Privacy Commissioner “as soon as feasible” whenever there is a reasonable chance of a “real risk of significant harm.” Failure to comply can mean a fine of up to $100,000.
The maximum fine is a weakness of PIPEDA’s regime. Admittedly, a hundred thousand dollars is not nothing. But it can quickly be dwarfed by the other costs of a cyber-attack, whether a ransom demand or the resulting costs to the business. Also compare it to Quebec’s penalties of up to $10 million or 2% of worldwide turnover (similar to revenues), whichever is greater. Businesses would not necessarily ignore PIPEDA reporting, but like other things in that Act, the remedies are comparatively weak.
Still, this reporting requirement is something which must be included in an incident policy. And it is going to be more important once the new Canada Privacy Protection Act comes into force. Although the reporting requirements are similar, and the “real risk of significant harm” test remains, there are a couple of additional things which will help ensure breaches are reported.
The first is the CPPA’s penalty increase. Failure to report could attract the maximum fines in the Act: $25 million or 5% of global revenues, whichever is higher. These are maximums, of course, but the new privacy tribunal will have broad powers to sanction companies with severe costs.
Another significant change in the CPPA model is its protection of youth information. There are many parts of the proposed legislation where information about minors is held to a higher standard. In brief, such data is considered to be “sensitive information” and requires greater protection. The “real risk of significant harm” test uses sensitivity as one of the criteria. It may be that any breach which exposes minors’ data will then automatically trigger the reporting requirement. That may be overstating it, but given the penalties, reporting of any breach involving minors’ data will usually be recommended.
Also keep in mind that the obligation to report is not solely to the Privacy Commissioner. Affected individuals must also be advised when there is a risk of harm to them. This notification must allow the individual to understand how the breach may impact them and what steps they can take to reduce or mitigate the risk. The state of the business’s IT systems after an attack might make this difficult, so it should be planned in advance.
A cyber-attack is one of the most frightening and dangerous risks a business faces today, especially if it handles a large amount of customer data. When that information is sensitive, such as financial or medical data, and yes, minors’ data, the standards and hazards increase markedly. Any breach or cyber-attack creates urgency and sometimes terror. When IT systems are failing or unavailable, a business must have a predefined set of steps it can follow to minimize the problems and ensure that emotions and panic do not get in the way of good practices. Whether you rely on your professional advisors to help set up your policy, or work it out yourself, it is mandatory that it be done now, before problems arise.
This publication is provided as an information service and may include items reported from other sources. We do not warrant its accuracy. This information is not meant as legal opinion or advice. Contact Procido LLP (www.procido.com) if you require legal advice on the topic discussed in this article.