Mandatory Breach Reporting
Businesses of all types store customer data. Some businesses store only minimal information like email and home addresses; businesses offering professional services might store client corporate, proprietary, tax and legal details and reports; other businesses and organizations are required to handle and store important health-related information as a normal course of operation.
Each new cyber incident we hear about highlights that threat actors are increasingly motivated and capable of obtaining sensitive data and monetizing it on the Internet. Given the trend towards service-oriented economies and the increasing digitization of information that goes along with it, the importance of knowing where data is and how it is protected is only getting higher.
In many jurisdictions around the world the concept of “mandatory breach reporting” is becoming a legal and regulatory requirement. In this post we’ll be talking about some of the details related to Canada’s recent implementation of this concept; however, the concepts will be similar or identical to the requirements in your part of the world:
- Businesses that store client and third-party data have an obligation to protect it
- Protecting data means understanding where and how it is stored
- If an incident occurs, it is critical to be able to explain what happened (when, what, how, and for how long)
Regulators, lawmakers, and your customers have expectations that reasonable efforts are undertaken to protect personal and protected information, which means not only preventing unauthorized access to that data but also detecting and explaining the unauthorized access if it does occur.
One of the challenges businesses face is that protected client information may be distributed across many locations: in internal on-premises databases, in cloud systems, or on individual desktop or server systems. Another challenge is that basic security tools and processes do not usually provide any form of ‘threat detection’ or ‘post-incident’ support and data. The ability to identify modern threats and vulnerabilities on your network, or to review events meaningfully after an incident, is not part of most baseline IT packages or configurations.
In Canada there are several pieces of legislation that touch on the importance of protecting sensitive data held by third parties. Most notably this includes the Personal Information Protection and Electronic Documents Act, or simply “PIPEDA” for short (I pronounce this as “pip ee dah”, but to others it’s “pip ah dah”). Virtually all organizations that handle Canadians’ data are subject to PIPEDA.
On 1 November 2018, new regulations came into force in Canada related to “mandatory reporting of breaches of security safeguards”. All organizations subject to PIPEDA are impacted by the regulations. While the concept of mandatory reporting may be new to some parts of the country, other parts of the country such as Alberta already had similar or complementary provincial requirements.
These changes impose certain obligations on businesses that experience a data breach, including that:
- The organization must determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach (“affected individuals”) by conducting a risk assessment. The assessment of risk must consider the sensitivity of the information involved, and the probability that the information will be misused;
- When the organization considers that a breach is posing a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada (the Commissioner) as soon as feasible;
- The organization must notify any other organization that may be able to mitigate harm to affected individuals; and
- The organization must maintain a record of any data breach that the organization becomes aware of and provide it to the Commissioner upon request.
The interpretation and understanding of the terminology used is likely to become more specific over time. For example, “real risk of significant harm” has a fairly broad definition today, and the concept of “security safeguards” is also relatively non-specific. That said, the Privacy Commissioner of Canada has published some helpful tips and steps to consider, and the obligations and process for reporting a breach are quite clear.
Requirements for Reporting
Following an incident, the regulations require a report to be filled out. This includes:
- The number of individuals affected by the breach
- When the breach occurred (start and end)
- A description of the breach, including “how and why” the breach occurred, when it was discovered, and who may have had access to the personal information
- A description of the relevant security safeguards in place at the time of the breach to prevent the type of incident
- A description of the steps taken to reduce the risk of a similar event in the future
- Steps taken to notify the individuals affected
All organizations strive to avoid being affected by a cyber security threat, and even some of the best protected and best resourced organizations are still affected by compromises and data leaks. It can happen to any organization. Thinking forward to a potential incident, what information would be written down in your breach report?
- Would you be able to reliably identify the start and end of a compromise, or are you relying on a third party (e.g. the federal police) to notify you that customer data was found on the Internet? What systems are gathering this data for you, and where is it kept?
- If a compromise were to occur, how would you be able to scope its size (e.g. how much data was lost)?
- Considering current information about cyber security threats, and the data you have within your network, are you able to express what security safeguards are in place to protect that data and identify a compromise? Are they adequate and how do you know? While security configurations and anti-virus applications are part of general IT admin duties, security monitoring and threat detection typically are not. Is your team properly equipped and supported?
- What processes and plans have you implemented to continuously evaluate your threats, vulnerabilities and cyber security practices as the threats to the personal data you manage change and evolve?
Having thoughtful answers to these questions will help manage a cyber security incident, and will likely limit the scope of reporting requirements. If an “unknown threat had unknown access for an unknown amount of time”, the conclusion may be that all client data over all time is presumed to have been lost. In contrast, a clear statement showing that only a single account which handles no customer data was compromised for a two-day period would be considerably different.
Incident reporting aside, preparation and protection against cyber threats will demonstrate to your customers that their data privacy and security are being taken seriously.
- What you need to know about mandatory reporting of breaches of security safeguards (Office of the Privacy Commissioner of Canada)
- Tips for containing and reducing the risks of a privacy breach (Office of the Privacy Commissioner of Canada)
- The Personal Information Protection and Electronic Documents Act (Justice Canada)
- Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information (Justice Canada)