November 6, 2016 by Eduard Goodman, Chief Privacy Officer, IDT911
It has been said that change is the one constant in life. The data privacy landscape continues to evolve and changes are coming to Canada’s federal breach notification law, with legislation in a select few provinces also likely to get an update as a result.
The details of the new laws are still up in the air, but some of the foundational elements have been released and insurers have important signposts to help guide them as they get themselves and their policyholders ready for what comes next.
ADDRESSING KEY ASPECTS OF NOTIFICATION
There are several key points about the new legislation that will drive efforts in the near term. The first is that this law, though technically passed, is still in the rule-making phase when it comes to real-world application. Little instruction has been provided on how the law will be implemented in practice, so it has not gone live from a boots-on-the-ground perspective.
Instead, expectations are that all the necessary processes and back-end details will be ready for prime time in about 12 months. Working with the information currently available, insurers should anticipate an effective date around the fall of 2017.
Another primary consideration right now is that existing privacy laws (such as the private sector-focused Personal Information Protection and Electronic Documents Act, or PIPEDA) already in effect remain essentially intact, with the recent round of rule-making aimed at adding a provision that requires notification if a breach occurs. However, specifics surrounding that notification – who must be notified, when, through which methods and, even, what is considered private information or an actionable exposure – are not yet clear.
Among the top-level factors under consideration as law-makers seek to clarify these important details are the criteria for determining the potential for harm that may result from a breach, and identifying those data types that will trigger the new rule’s notification provisions.
Risk-based analyses are likely to be a part of the law’s language, providing entities with guidance on breaches that may not involve data considered sensitive historically, but that could still result in harm to victims. Examples include incidents that compromise the names and home addresses of members of a political party, or of a club geared toward travellers with a specific sexual orientation.
Past breach notification rules were largely focused on financial, health and similarly sensitive data, while the legislation currently being drafted is likely to be wider-reaching to address a broader array of data types.
PREPARING FOR THE NEW REGULATIONS
It will be difficult in the current climate, without more detailed direction from law-makers, for insurers to know whether or not they are fully prepared for any new compliance mandate that eventually materializes. Add in the potential challenges posed by the existing patchwork of provincial rules that may be substantially similar to the federal legislation, but which lack robust notification rules, and underwriters cannot be sure where to go from here.
It is possible that those provinces with strong breach laws will draft their own changes to remain ahead of the curve, but at this point, those discussions have not resulted in specific language changes or the introduction of updated legislation.
One key to success when it comes to navigating today’s changing privacy legislation landscape is a commitment to following the latest privacy and security best practices.
Significant guidance is already available at the Office of the Privacy Commissioner of Canada’s (OPCC) website, including recommendations for improving data security and tips to help organizations develop effective privacy plans. The site also provides links to the most current advice around specific activities, such as the use of data brokers, the harvesting of email addresses via bulk lists and how international privacy concerns affect both Canadian citizens and businesses.
It may also be useful to examine historical breach data to gain better insight into where tomorrow’s compliance concerns are likely to exist.
The most recent report made available by the OPCC, which covered activities in 2014, showed a total of 44 breach notifications under PIPEDA.
This is fewer than the 60 exposures reported in 2013, but because breach reporting has been voluntary, it is unclear if this trend reflects a drop in breach numbers or simply less reporting by those organizations that experienced a data exposure.
By exploring the sectors affected most by data breaches in the federal statistics (the financial industry led the figures with 16 breaches, followed by the Internet and insurance sectors, with seven and six breaches, respectively) as well as the manner of the breach (theft and unauthorized access accounted for the largest share of exposures at 23, followed closely by accidental disclosures at 18), carriers may be able to identify where risk mitigation efforts are likely to have the greatest impact as notification becomes compulsory.
Knowing that there is also guidance already available on self-reporting a data breach, carriers can look to it as a roadmap while preparing for the mandated notification requirements that are on the way.
The federal breach process is currently advisory, but hints have come from the OPCC that the final, required process will look very similar to the recommendations that are already posted. In essence, the language will probably transition from “may” to “shall.”
Given this perspective, it is unlikely that most of the law, once fully enacted, will be much of a surprise to those insurers that have historically paid close attention to the federal guidance. If an organization is building a response program, it already has the blueprint to comply with the new legislation and few, if any, additional updates are likely to be needed once the final processes are spelled out.
ELIMINATING THE UNKNOWNS
Though the newly legislated rules have not yet been set out in detail, the law will, in the longer term, provide much greater certainty for organizations and underwriters alike. Rather than operate under recommendations, as businesses are doing now, the expanded breach notification mandate will give clear guidance on requirements and obligations. And though the Canadian privacy environment tends to lean toward self-reporting when a breach occurs, it will be a positive change to have certainty around what is expected in these situations.
In addition, legal costs will likely be mitigated in the long run because the regulations will no longer have any grey area – instead, they will be black and white, with little or no wiggle room for interpretation. Expenses related to litigation and legal support are often a big part of breach costs, but with more clarity on when and how notification must be made, businesses will know where they stand.
The privacy office can provide guidance on what is expected as well as what can and cannot be enforced in each breach scenario.
This transition to greater predictability is expected not only to cut down on legal costs, but also to offer insurers better insight into exposures. With increased reporting and more granular data being collected, new patterns are likely to emerge that will help carriers identify risks and mitigation strategies with greater clarity than ever before.
Rather than the somewhat vague data that results from self-reporting, a more comprehensive trove of hard numbers will become available for analysis, leading to a broader array of actionable insight. In turn, carriers will then be able to help guide policyholders in making better strategic decisions when it comes to data privacy and protection, further limiting losses into the future.
IDENTIFYING MARKET OPPORTUNITIES, CLAIMS TRENDS
It is important to note that, up until very recently, larger entities were typically more likely to follow self-reporting best practices. The reasons are simple: they have deeper expertise in-house, making them more aware of the risks associated with a data breach.
Increased awareness across the small and mid-sized business sector, however, will certainly follow as the new law becomes more widely known.
This follows what happened in the United States, where small organizations have become more keenly aware of where breach liabilities exist because the privacy environment has come under greater scrutiny. In addition, as smaller businesses have become more worried about their risk of a breach, carriers in the U.S. have started selling more coverage in that market, further increasing awareness across the policyholder base.
The cycle seen in the U.S. is now playing out in similar ways in Canada, and offers a glimpse into where the marketplace is heading.
Underwriters may recognize that the notification legislation represents a positive market opportunity, but it is important to consider that more sales could translate into more claims, particularly among policyholders with lax security and privacy practices.
Over the next 12 or 18 months, as the law’s specifics are announced and everyone gains more experience with breach prevention and response programs, the claims environment should also come into better focus.