Canadian Underwriter
Feature

Poised for Change


June 1, 2015   by Christopher Gonzales, National Product Leader, Professional Liability, Burns & Wilcox Canada



Experts suggest that Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been challenged by the emergence of smartphones, mobile payments, cloud computing and the rise of big data. A series of widely publicized data breaches over the past two years have kept the issue top of mind and, as a result, Canadians continue to voice concerns over the collection and treatment of their personal information.

Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act, tabled April 8, 2014, aims to modernize PIPEDA and maintain the country’s leadership in privacy protection by significantly enhancing the powers of the Office of the Privacy Commissioner of Canada (OPC).

These increased powers provide a potent incentive for organizations to exercise greater care and caution in ensuring that the data and personal information they collect remains safe while encouraging continued growth and trust in the digital economy.

In addition to vastly changing the privacy landscape in Canada, the proposed changes to PIPEDA will have a significant impact on the way that cyber insurance is underwritten. Changing requirements with regard to consent, notification, remedies, disclosure and annual reporting will necessitate enhanced training and education for cyber underwriters and brokers.

FAR-REACHING IMPACT

Though the changes from Bill S-4 are expected to be far-reaching, there are several key areas worthy of closer examination by cyber experts.

Strengthened role of the OPC

Most notably, Bill S-4 enhances and increases the power of the OPC by enabling the commissioner to enter into compliance agreements. Should an organization not conform to this agreement, the commissioner may then apply to the Federal Court for a hearing to prosecute the offender.

Entering into an agreement does not limit an affected individual’s right to go to court against the organization that experienced a breach. This removes the incentive for the organization to enter into the agreement, and allows individuals not satisfied with the agreement to take action, notes a Canadian Bar Association (CBA) submission on Bill S-4.

In addition, the draft amendments propose allowing the commissioner to fine organizations up to $100,000 for knowingly contravening sections of PIPEDA, or up to $10,000 for offences punishable on summary conviction. This clause gives the commissioner real recourse and further bolsters PIPEDA’s effectiveness, as knowingly contravening the legislation now has a monetary consequence.

With actual dollar amounts attached to fines, the insurance industry may begin to see requests for higher regulatory proceedings coverage within cyber policies.

Under the proposed bill, the OPC will have an enhanced advocacy role to protect the public interest. In addition, it will be able to disclose information necessary to conduct investigations and make recommendations in its annual report to Parliament.

It may also disclose information for proceedings or hearings before a Federal Court, and disclose information to the Attorney General of Canada, a provincial attorney general, or any other government institution for any findings related to an offence under Canadian or provincial law. Raising the profile of breaches has had a large effect on the privacy landscape in the United States and this is expected to have similar results in Canada.

These new disclosures aimed at protecting the public interest may work to raise the profile of the privacy exposures organizations face today and may result in increased demands for additional privacy coverage.

Breach test: more costs and human capital

The “breach test” in Bill S-4 mirrors the test found in Alberta’s Personal Information Protection Act. Under this, an organization must report a breach to the commissioner and notify individuals if it is reasonable to believe that the breach “creates a real risk of significant harm” to the party involved. Although broad, that harm is based on the level of sensitivity of the information that has been breached and the likelihood that the information is being, or will be, misused.

The threshold for reporting is tied to “real risk of significant harm to an individual.” The ambiguity of the threshold allows for interpretation. Systemic or large breaches may go unchecked should an organization feel no significant harm will manifest, notes the CBA submission.

The bill also requires organizations to maintain records of every breach of security safeguards. This requirement will need to be addressed by organizations, depending on the level of threat detection; some organizations may have to devote additional administrative costs and human capital to record-keeping.

Given the lack of clearly defined thresholds, organizations will be further burdened by logging and tracking incidents that may not qualify as “real risk of significant harm,” the submission adds.

The potential impact on the insurance industry is unknown at this point, as the vagueness of “significant harm” may mean either that very few or the majority of breaches meet notification requirements. At the very least, the demand will increase insurers’ forensic costs in line with the burden to investigate incidents to find out if data was stolen, who took it and for what purpose.

From an underwriting standpoint, it will be important to know if an organization’s current infrastructure can handle the additional burden of tracking and record-keeping.

Breach notifications

The new bill requires that when a breach occurs, any communication to impacted individuals must convey the significance of the breach and include enough “prescribed information” that could be deemed relevant. The notification must also be “conspicuous” and given directly to the individual, if feasible, as soon as possible. Bill S-4 also outlines notifications to any other organizations or government institutions that can reduce or mitigate the harm from the breach.

The new requirements and mandatory reporting will create real, measurable costs for organizations that experience a breach. Accordingly, cyber underwriters must consider these additional costs.

Changing consent

In the proposed new bill, “consent” will be considered valid only “if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.” The changes to the definition, though not significant, protect Canadians by ensuring they understand the “nature, purpose and consequences of the collection.”

The revised definition may give rise to additional questions or contradictions from the perspective of Canada’s judicial system. Given the decade of interpretation under the old definition, organizations will have to review their standards and ensure they are still in compliance, argues the CBA submission.

If passed, the proposed updates to PIPEDA will vastly change the privacy landscape in Canada. Canadian carriers are already wary of the large claims paid by their U.S. counterparts following a number of high-profile data breaches and the response by several carriers to increase rates or exit certain retail and medical record segments of the market.

For cyber insurers, the effects of Bill S-4 will be far-reaching and come at a time where the industry has already experienced significant change, largely as a result of the impact of the significant loss ratios posted by many U.S. cyber carriers in the last two years.
