Ottawa working on “options regarding next steps” for Canada-wide mandatory privacy breach notification

Before the House of Commons was dissolved last summer to kick off the federal election, the ruling Conservatives passed the Digital Privacy Act, which creates new offences for failing to report data security breaches. However, nation-wide mandatory breach notification would not actually take effect unless the government develops regulations, and it is not clear whether the newly-elected Liberals plan to do this.

The Digital Privacy Act (Bill S-4 of the last session of Parliament) changes the Personal Information and Protection of Electronic Documents Act (PIPEDA) to include a new requirement for “organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner.” Passed into law June 18, Bill S-4 also contains a requirement “organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control.”

The amendments “dealing with breach reporting, notification and recordkeeping will be brought into force only after related regulations outlining specific requirements are developed and in place,” a spokesperson for the Office of the Privacy Commissioner of Canada told Canadian Underwriter in an e-mail Jan 11. “For information about the regulation-making process or timelines, you may direct inquiries to the Department of Innovation, Science and Economic Development.”

Canadian Underwriter asked the ISED department whether the federal government plans to develop regulations to bring those amendments into force, and if so when those regulations would be in place.

A spokesperson sent a response Jan. 12 but did not answer the question.

“There were consultations with stakeholders on the Personal Information Protection and Electronic Documents Act (PIPEDA),” the ISED spokesperson wrote in an e-mail to Canadian Underwriter. “Both consumer advocates and industry associations appeared as witnesses before the Standing Committee on Industry during its study of Bill S-4, the Digital Privacy Act, which amended PIPEDA, and provided views on all aspects of S-4, including data breach reporting. Options regarding next steps, including consultations, are being developed.”

Bill S-4 was originally tabled in 2014 by Yonah Martin, a Conservative Senator for British Columbia.

During debates in 2014 and 2015, the Conservatives – who formed the government at the time – said the Digital Privacy Act would create new offences for deliberately failing to report data breaches to individuals and the federal privacy commissioner, with fines of up to $100,000 per every individual an organization failed to notify.

In May, 2014, then-Industry Minister James Moore told a Senate committee that it is “not currently mandatory” for organizations to disclose to consumers if they have a data breach and personal information is lost or stolen.

The bill would require firms to notify people if their personal information has been lost “and there is a potential to expose us to harm,” said Joan Crockatt – at the time the Conservative MP for Calgary Centre – during a debate in October, 2014 in the House of Commons.

“The time frame companies would be given to do this under this bill would be as soon as was feasible,” Crockatt said at the time. “For example, if a company’s computer system was hacked and the clients’ credit card information was stolen, the company might need a week to put a fence around it and figure out how many people had been affected and let us, as consumers, know. If the data breach or the hacker was more sophisticated, it might take the company a couple of weeks to figure out everyone who was affected and let us know. There would be some flexibility, but one thing that would be very clear would be that companies could not delay notifying us when there was this kind of breach.”

She said at the time that if an organization “failed to notify clients in the shortest time frame possible, it could be taken to court by the Privacy Commissioner or by individuals.”

Courts could “assess penalties for deliberately failing to report a data breach to the Privacy Commissioner, deliberately failing to notify an individual of a data breach and deliberately failing to maintain or deliberately destroying data breach records,” Brant Conservative MP Phil McColeman told the Commons during debate in Bill S-4.

“In keeping with existing offences under PIPEDA, these offences would be subject to a fine of up to $10,000 on summary conviction and up to $100,000 on indictment,” McColeman added at the time. “I would point out to the House that the organization can be assessed a penalty for each and every individual it fails to notify. Given the large number of individuals who could potentially be affected by a data breach, this is a very serious penalty indeed.”

Charmaine Borg, then NDP MP for Terrebonne-Blainville, criticized the Conservatives over Bill S-4 because she had previously tabled a private member’s bill – C-475 – which would have changed PIPEDA to require organizations having personal information under their control to notify the federal privacy commissioner “of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access.”

Bill C-475 was defeated in 2014. Ed Holder – then the Conservative MP for London West – said in 2013 that if Bill C-475 had been passed into law, it would “require organizations to report to the Privacy Commissioner every data breach posing a possible risk of harm.” He added that the “average organization” would “err on the side of caution” and this would have resulted in “notification fatigue” among consumers.

In addition to providing for mandatory breach notification, Bill S-4 also changes PIPEDA to permit the disclosure of personal information without the knowledge or consent of the person in certain cases. One of those cases is for the purpose of preventing, detecting or suppressing fraud.

A similar provision was made in Bill C-12 in 2011, but that bill never made it to second reading, and died on the order paper when then-Prime Minister Stephen Harper prorogued Parliament in September, 2013.

In 2012, the Ontario Auto Insurance Anti-Fraud Task Force recommended that the Ontario government ask the federal government to “move quickly” on passing Bill-12, in order to remove any “undue limitations” on the ability of insurers to pool claims information to combat fraud.

“As it stands right now under the current law, investigators who want to access personal information must be listed as an investigative body in the regulations,” said Conservative MP Michelle Rempel – then Minister of State for Western Economic Diversification – in the Commons in 2015. “This involves coming forward with an application to the government and if the federal cabinet decides that the application is warranted, the organization is added to the list. This is an extremely burdensome process for organizations.”

Bill S-4 was the subject of hearings in March, 2015 before the House of Commons Standing Committee on Industry Science and Technology. The committee heard from Richard Dubin, IBC’s vice president, investigative services.

Dubin was asked by Conservative MP Cheryl Gallant – then an industry committee member – why IBC supports a change to PIPEDA when IBC is already a designated investigative body.

Dubin gave the committee an example of a fraud scheme involving a vehicle collision, in which there is no significant damage, there are no witnesses other than the drivers and police are not called to attend.

In Dubin’s example, there are three “jump-ins,” who falsely claim to have been passengers.

“All three occupants were claiming soft tissue injury, but they didn’t report it at the scene of the accident so the police didn’t attend,” Dubin told the industry committee last March.

In such a scenario, an auto claims adjuster could look into the “general history” of the driver and vehicle and contact IBC, Dubin noted.

“They’d find out from that information that this driver and the vehicle were involved in a previous collision,” Dubin said. “It does identify the other insurer as well in those public reports. What that information has that they’re not able to get to yet is that the other insurer also had a left-turn situation with multiple occupants in this vehicle.”

In such a scenario, under PIPEDA at the time, “the adjuster obviously can’t contact the other insurer to find out the facts of the other collision, so they’re in the dark at this point,” Dubin said. “In the meantime, the claim starts getting paid and the occupants receive weekly income disability payments. They attend rehab facilities for extensive treatment, all of them usually receiving the same type of extensive treatment of physiotherapy, massage therapy, or chiropractic. At the same time that these bills are building up, the body shop is now doing the repairs to a vehicle that could very well have been previously repaired in the other accident.”

The changes to PIPEDA with Bill S-4 “would allow the insurer of this vehicle to contact the other insurer,” Dubin said. “They would find out some of the scenarios, that the same scenario existed with the same service suppliers: they used the same rehab facility, the same body shop, everything was virtually the same.”