With mandatory breach notification requirements coming into effect on November 1, Canadian businesses will need to focus on two factors to prepare: 1) a risk assessment, and 2) identifying the decision makers in the company and putting a breach response plan in place.
Chantal Bernier, who led the Office of the Privacy Commissioner of Canada for six years as interim privacy commissioner and assistant commissioner, said Canadian businesses need to have their own criteria for assessing if the cyber risk is one of significant harm. Under the mandatory requirements, if there is a breach, meaning a loss of personal information, there needs to be a determination of whether that loss creates a “real risk of significant harm.”
“This piece of legislation puts the monkey on your back for that determination,” Bernier told delegates attending the International Cyber Risk Management Conference (ICRMC) in Toronto Wednesday. “You only report to the privacy commissioner, or you only notify individuals, if you have determined that there is a real risk of significant harm. So you need to have criteria to exercise that determination.”
While the law doesn’t provide much guidance on what constitutes a real risk of significant harm, three factors should be taken into consideration, Bernier said:
the sensitivity of the information compromised,
the probability of its misuse, and
the nature of the harm, which may be more than pecuniary loss: the definition of harm also includes moral and psychological harm, including reputational harm.
The second factor in preparing for the upcoming law is a breach response plan. Companies need to have a “decision tree as to who is going to make the decision, upon the recommendation of whom, and through what process,” Bernier said. “You obviously need breach response plans in advance, because the breach is not the time to improvise.”
Bernier, now counsel with the global privacy and cybersecurity group of Dentons Canada LLP, said if a breach creates a real risk of significant harm, the privacy commissioner of Canada and every individual impacted must be notified. Failing to do so could result in a penalty of “up to $100,000 per person who should have been notified and was not.”
The federal government is also looking at recommendations for remediation following a breach. Even though the law is coming into effect in November, there have been voluntary breach notification guidelines since 2007, Bernier reported.