Law Times

January 25, 2016

The premier weekly newspaper for the legal profession in Ontario

Issue link: https://digital.lawtimesnews.com/i/630129


Focus on Privacy Law

Unclear rules around when to tell public about data breaches, lawyer says

By Yamri Taddese, Law Times

Changes to Canada's Personal Information Protection and Electronic Documents Act came into effect last summer and, with them, a requirement for companies to notify users when there's been a data breach where the breach poses "a real risk of significant harm."

But what exactly constitutes that risk? Molly Reynolds, a lawyer at Torys LLP, says the answer is unclear.

The amendments define "significant harm" broadly to include anything from bodily harm to embarrassment and loss of opportunities. Whether there's a "real risk" of such harm as a result of a breach is to be assessed on the basis of the sensitivity of the information lost, the probability of misuse, and other factors that are yet to be set out in the regulations.

Reynolds says she's hoping the regulations will set out a high threshold for what constitutes a real risk of significant harm and offer guidance on how to quantify that risk. Without such guidance, the threshold could range from a possibility of risk of harm to probability and certainty, she says.

"What we want to see in the regulations is a confirmation that the assessment is to be done on the probability end of the spectrum or, at least, no factors that would lead the [Office of the Privacy Commissioner] to apply a lesser standard closer to a possibility of misuse when considering the threshold in practice," says Reynolds.

A possibility of real risk of significant harm may be present where personal information was lost in the mail but a company doesn't know what happened to it, Reynolds says, whereas a probability of harm could exist in situations where a company's employee sent out information about individuals for unknown reasons but there's some suspicion of malicious intent. And then there's certainty, where personal information, and especially financial information, was stolen in a hacking attack.

To measure the risk in each case of a breach, and to evaluate on a case-by-case basis, can be difficult, Reynolds says, but there has to be consistency in the way companies assess privacy breaches and that they're reporting the same kind of incidents as other industry participants. Real risk of significant harm has to mean more than a mere possibility of harm, says Reynolds.

"Beyond the need for a clear standard that can be consistently applied by businesses and the OPC, a threshold on the higher probability end of the risk of harm spectrum would benefit individuals, businesses, and the regulator," she says.

"Individuals could experience notification fatigue or not be adequately equipped to determine which breaches pose a significant risk," she continues, adding consumers' attention should be sought only when breaches pose a probability of significant harm.

A standard that's too low would also be cumbersome to the OPC, which would be tasked with reviewing large volumes of reports where the risk of harm is not significant and delay the speedy review of significant breaches, Reynolds also notes.

Reynolds adds that a low threshold will also come at a great cost to Canadian businesses. In addition to significant time and money spent on reporting, notification, and remedial offers, they could also suffer reputational damage that could be "vastly disproportionate to the risk actually posed to the individuals affected by the breach," she says.

But lawyer Ken Englehart, former vice president of regulatory affairs at Rogers, says how one defines "real risk of significant harm" may not ultimately matter.

"No matter how you define it, when there's a $100,000 fine [for non-compliance], most companies are going to err on the side of notifying because they are not going to want to run the risk of not notifying," he says.

Englehart says he doesn't expect a huge impact on industries as a result of the changes to PIPEDA as "responsible" companies already report data breaches.

"I don't expect a whole lot of clarity [in the regulations]. I think the mandatory breach notification isn't even going to change that much because most companies who are responsible already notify their customers and the Office of the Privacy Commissioner when there is a significant breach," he says. "I really think the legislation is codifying what responsible companies do anyway.

"So I guess the change that the bill will make is that with a borderline case where people weren't sure they had to notify or not, they now will [because they don't want to take a chance]," Englehart adds.

Reynolds says the need for clarification in the regulations stems from experience with regulators that enforce provincial privacy laws. In those cases, the threshold for notification applied in practice appears lower than what the words of the legislation alone would support, she says.

Alberta's privacy laws have similar language around data breach reporting requirements and the trend so far is a low threshold for what constitutes a real risk of significant harm, Reynolds adds. That province has a two-pronged approach to reporting: companies report a breach to the privacy commissioner, who then decides if the breach is significant enough to notify users, she explains.

"Almost universally," the commissioner has found breaches were severe enough to notify users, Reynolds says. "Looking at the recent decisions almost indicates a threshold that is just a possibility."

The amendments to PIPEDA also require organizations to retain a record of every breach of security safeguards, whether or not they are obligated to report, and provide the record to the OPC on request.
